Upload files from filesystem paths for non admin users
Hello everybody,

I'm sorry for posting again. I didn't have any answer during the Christmas holiday, so I take another (and last) chance :)

I'm running a fresh galaxy-dist installation (changeset 4640:8729d2e29b02) on a CentOS 5.5 distribution. I'm using LDAP authentication through Apache.

Here is the situation. As a Galaxy admin, I've created a "new data library" called "TP" through the admin interface.

I have another user, called "foobar", who belongs to a group called "TP Admin", which is associated with the role "TP Admin".

I've edited the permissions of the "TP" library to only associate the "TP Admin" role with "add library item". No other entry is associated with any role.

The "foobar" user logs into Galaxy and goes to "Shared Data/Data libraries". He chooses "TP" and clicks on "Add datasets". The problem is that the option "Upload files from filesystem paths" appears in the scrolling "upload option" list even if "foobar" is not a Galaxy admin. This means that he can virtually access any file on the filesystem.

The comments in the "universe_wsgi.ini" mention "Please note the security implication that this will give Galaxy Admins access to anything your Galaxy user has access to." which seems OK for Galaxy admins, but it looks like this is also the case for any Galaxy user.

Any advice on this behaviour? Maybe I misunderstood something.

Regards,
Jean-Baptiste Denis
Hello Jean-Baptiste,

Running the latest revision in the distribution (4895:ad933d160a7c), I have followed your steps precisely and do not see the behavior you state. Making sure that the user foobar is not an admin user, the only upload options I see are 'Upload files', 'Upload a directory of files' and 'Import datasets from your current history'.

I'm not sure what changes may have occurred between your rev and the latest available regarding this behavior, but could you update and see if the behavior changes? Let us know if you still see problems.

Thanks,
Greg Von Kuster

On Feb 3, 2011, at 12:12 PM, Jean-Baptiste Denis wrote:
Hello everybody,
I'm sorry for posting again. I didn't have any answer during the Christmas holiday, so I take another (and last) chance :)
I'm running a fresh galaxy-dist installation (changeset 4640:8729d2e29b02) on a CentOS 5.5 distribution. I'm using LDAP authentication through Apache.
Here is the situation. As a Galaxy admin, I've created a "new data library" called "TP" through the admin interface.
I have another user, called "foobar", who belongs to a group called "TP Admin", which is associated with the role "TP Admin".
I've edited the permissions of the "TP" library to only associate the "TP Admin" role with "add library item". No other entry is associated with any role.
The "foobar" user logs into Galaxy and goes to "Shared Data/Data libraries". He chooses "TP" and clicks on "Add datasets". The problem is that the option "Upload files from filesystem paths" appears in the scrolling "upload option" list even if "foobar" is not a Galaxy admin. This means that he can virtually access any file on the filesystem.
The comments in the "universe_wsgi.ini" mention "Please note the security implication that this will give Galaxy Admins access to anything your Galaxy user has access to." which seems OK for Galaxy admins, but it looks like this is also the case for any Galaxy user.
Any advice on this behaviour? Maybe I misunderstood something.
Regards,
Jean-Baptiste Denis
_______________________________________________ galaxy-dev mailing list galaxy-dev@lists.bx.psu.edu http://lists.bx.psu.edu/listinfo/galaxy-dev
Greg Von Kuster Galaxy Development Team greg@bx.psu.edu
On 02/03/2011 07:35 PM, Greg Von Kuster wrote:
Hello Jean-Baptiste,
Running the latest revision in the distribution (4895:ad933d160a7c), I have followed your steps precisely and do not see the behavior you state.

Hello,

Thank you for trying to reproduce my problem. I've updated my Galaxy installation, and the problem is gone. Sorry for the delay of my answer, but I just had the time to test it this morning.

Regards,
Jean-Baptiste