Beispiel #1
0
def security_check(trans, item, check_ownership=False, check_accessible=False):
    """
    Security checks for an item: checks if (a) user owns item or (b) item
    is accessible to user. This is a generic method for dealing with objects
    uniformly from the older controller mixin code - however whenever possible
    the managers for a particular model should be used to perform security
    checks.
    """

    # all items are accessible to an admin
    if trans.user_is_admin:
        return item

    # Verify ownership: there is a current user and that user is the same as the item's
    if check_ownership:
        if not trans.user:
            raise exceptions.ItemOwnershipException("Must be logged in to manage Galaxy items", type='error')
        if item.user != trans.user:
            raise exceptions.ItemOwnershipException("%s is not owned by the current user" % item.__class__.__name__, type='error')

    # Verify accessible:
    #   if it's part of a lib - can they access via security
    #   if it's something else (sharable) have they been added to the item's users_shared_with_dot_users
    if check_accessible:
        if type(item) in (trans.app.model.LibraryFolder, trans.app.model.LibraryDatasetDatasetAssociation, trans.app.model.LibraryDataset):
            if not trans.app.security_agent.can_access_library_item(trans.get_current_user_roles(), item, trans.user):
                raise exceptions.ItemAccessibilityException("%s is not accessible to the current user" % item.__class__.__name__, type='error')
        else:
            if (item.user != trans.user) and (not item.importable) and (trans.user not in item.users_shared_with_dot_users):
                raise exceptions.ItemAccessibilityException("%s is not accessible to the current user" % item.__class__.__name__, type='error')
    return item
Beispiel #2
0
    def check_security(self, trans, has_workflow, check_ownership=True, check_accessible=True):
        """ check accessibility or ownership of workflows, storedworkflows, and
        workflowinvocations. Throw an exception or returns True if user has
        needed level of access.
        """
        if not check_ownership and not check_accessible:
            return True

        # If given an invocation verify ownership of invocation
        if isinstance(has_workflow, model.WorkflowInvocation):
            # We use the the owner of the history that is associated to the invocation as a proxy
            # for the owner of the invocation.
            if trans.user != has_workflow.history.user and not trans.user_is_admin():
                raise exceptions.ItemOwnershipException()
            else:
                return True

        # stored workflow contains security stuff - follow that workflow to
        # that unless given a stored workflow.
        if isinstance(has_workflow, model.Workflow):
            stored_workflow = has_workflow.top_level_stored_workflow
        else:
            stored_workflow = has_workflow

        if stored_workflow.user != trans.user and not trans.user_is_admin():
            if check_ownership:
                raise exceptions.ItemOwnershipException()
            # else check_accessible...
            if trans.sa_session.query(model.StoredWorkflowUserShareAssociation).filter_by(user=trans.user, stored_workflow=stored_workflow).count() == 0:
                raise exceptions.ItemAccessibilityException()

        return True
Beispiel #3
0
    def check_security(self,
                       trans,
                       has_workflow,
                       check_ownership=True,
                       check_accessible=True):
        """ check accessibility or ownership of workflows, storedworkflows, and
        workflowinvocations. Throw an exception or returns True if user has
        needed level of access.
        """
        if not check_ownership or check_accessible:
            return True

        # If given an invocation follow to workflow...
        if isinstance(has_workflow, model.WorkflowInvocation):
            has_workflow = has_workflow.workflow

        # stored workflow contains security stuff - follow that workflow to
        # that unless given a stored workflow.
        if hasattr(has_workflow, "stored_workflow"):
            stored_workflow = has_workflow.stored_workflow
        else:
            stored_workflow = has_workflow

        if stored_workflow.user != trans.user and not trans.user_is_admin():
            if check_ownership:
                raise exceptions.ItemOwnershipException()
            # else check_accessible...
            if trans.sa_session.query(
                    model.StoredWorkflowUserShareAssociation).filter_by(
                        user=trans.user,
                        stored_workflow=stored_workflow).count() == 0:
                raise exceptions.ItemAccessibilityException()

        return True
    def workflow_usage_contents(self, trans, workflow_id, usage_id, **kwd):
        """
        GET /api/workflows/{workflow_id}/usage/{usage_id}
        Get detailed description of workflow usage

        :param  workflow_id:      the workflow id (required)
        :type   workflow_id:      str

        :param  usage_id:      the usage id (required)
        :type   usage_id:      str

        :raises: exceptions.MessageException, exceptions.ObjectNotFound
        """

        try:
            stored_workflow = trans.sa_session.query(
                self.app.model.StoredWorkflow).get(
                    trans.security.decode_id(workflow_id))
        except Exception:
            raise exceptions.ObjectNotFound()
        # check to see if user has permissions to selected workflow
        if stored_workflow.user != trans.user and not trans.user_is_admin():
            if trans.sa_session.query(
                    trans.app.model.StoredWorkflowUserShareAssociation
            ).filter_by(user=trans.user,
                        stored_workflow=stored_workflow).count() == 0:
                raise exceptions.ItemOwnershipException()
        results = trans.sa_session.query(
            self.app.model.WorkflowInvocation).filter_by(
                workflow_id=stored_workflow.latest_workflow_id)
        results = results.filter_by(id=trans.security.decode_id(usage_id))
        out = results.first()
        if out is not None:
            return self.encode_all_ids(trans, out.to_dict('element'), True)
        return None
    def workflow_usage(self, trans, workflow_id, **kwd):
        """
        GET /api/workflows/{workflow_id}/usage
        Get the list of the workflow usage

        :param  workflow_id:      the workflow id (required)
        :type   workflow_id:      str

        :raises: exceptions.MessageException, exceptions.ObjectNotFound
        """
        try:
            stored_workflow = trans.sa_session.query(
                self.app.model.StoredWorkflow).get(
                    trans.security.decode_id(workflow_id))
        except Exception:
            raise exceptions.ObjectNotFound()
        # check to see if user has permissions to selected workflow
        if stored_workflow.user != trans.user and not trans.user_is_admin():
            if trans.sa_session.query(
                    trans.app.model.StoredWorkflowUserShareAssociation
            ).filter_by(user=trans.user,
                        stored_workflow=stored_workflow).count() == 0:
                raise exceptions.ItemOwnershipException()
        results = trans.sa_session.query(
            self.app.model.WorkflowInvocation).filter_by(
                workflow_id=stored_workflow.latest_workflow_id)
        out = []
        for r in results:
            out.append(self.encode_all_ids(trans, r.to_dict(), True))
        return out
Beispiel #6
0
    def error_unless_owner(self, item, user, **kwargs):
        """
        Raise an error if the item is NOT owned by user, otherwise return the item.

        :raises exceptions.ItemAccessibilityException:
        """
        if self.is_owner(item, user, **kwargs):
            return item
        raise exceptions.ItemOwnershipException(f"{self.model_class.__name__} is not owned by user")
Beispiel #7
0
    def error_unless_owner(self, trans, item, user):
        """
        Raise an error if the item is NOT owned by user, otherwise return the item.

        :raises exceptions.ItemAccessibilityException:
        """
        if self.is_owner(trans, item, user):
            return item
        raise exceptions.ItemOwnershipException("%s is not owned by user" %
                                                (self.model_class.__name__))
 def check_ownership( self, trans, history ):
     """
     Raises error if the current user is not the owner of the history.
     """
     if trans.user and trans.user_is_admin():
         return history
     if not trans.user and not self.is_current( trans, history ):
         raise exceptions.AuthenticationRequired( "Must be logged in to manage Galaxy histories", type='error' )
     if self.is_owner( trans, history ):
         return history
     raise exceptions.ItemOwnershipException( "History is not owned by the current user", type='error' )
Beispiel #9
0
    def check_ownership( self, trans, folder ):
        """
        Check whether the user is owner of the folder.

        :returns:   the original folder
        :rtype:     LibraryFolder
        """
        if not trans.user:
            raise exceptions.AuthenticationRequired( "Must be logged in to manage Galaxy items", type='error' )
        if folder.user != trans.user:
            raise exceptions.ItemOwnershipException( "Folder is not owned by the current user", type='error' )
        else:
            return folder
Beispiel #10
0
    def _get_page(self, trans, id):  # Fetches page object and verifies security.
        try:
            page = trans.sa_session.query(trans.app.model.Page).get(trans.security.decode_id(id))
        except Exception:
            page = None

        if not page:
            raise exceptions.ObjectNotFound()

        if page.user != trans.user and not trans.user_is_admin():
            raise exceptions.ItemOwnershipException()

        return page
Beispiel #11
0
 def check_ownership(self, trans, hda):
     """
     Use history to see if current user owns HDA.
     """
     if not trans.user:
         #if hda.history == trans.history:
         #    return hda
         raise exceptions.AuthenticationRequired(
             "Must be logged in to manage Galaxy datasets", type='error')
     if trans.user_is_admin():
         return hda
     # check for ownership of the containing history and accessibility of the underlying dataset
     if (self.histories_mgr.is_owner(trans, hda.history)
             and self.can_access_dataset(trans, hda)):
         return hda
     raise exceptions.ItemOwnershipException(
         "HistoryDatasetAssociation is not owned by the current user",
         type='error')
Beispiel #12
0
 def _verify_page_ownership(self, trans, page):
     if not self.security_check(trans, page, True, True):
         raise exceptions.ItemOwnershipException()