def security_check(trans, item, check_ownership=False, check_accessible=False): """ Security checks for an item: checks if (a) user owns item or (b) item is accessible to user. This is a generic method for dealing with objects uniformly from the older controller mixin code - however whenever possible the managers for a particular model should be used to perform security checks. """ # all items are accessible to an admin if trans.user_is_admin: return item # Verify ownership: there is a current user and that user is the same as the item's if check_ownership: if not trans.user: raise exceptions.ItemOwnershipException("Must be logged in to manage Galaxy items", type='error') if item.user != trans.user: raise exceptions.ItemOwnershipException("%s is not owned by the current user" % item.__class__.__name__, type='error') # Verify accessible: # if it's part of a lib - can they access via security # if it's something else (sharable) have they been added to the item's users_shared_with_dot_users if check_accessible: if type(item) in (trans.app.model.LibraryFolder, trans.app.model.LibraryDatasetDatasetAssociation, trans.app.model.LibraryDataset): if not trans.app.security_agent.can_access_library_item(trans.get_current_user_roles(), item, trans.user): raise exceptions.ItemAccessibilityException("%s is not accessible to the current user" % item.__class__.__name__, type='error') else: if (item.user != trans.user) and (not item.importable) and (trans.user not in item.users_shared_with_dot_users): raise exceptions.ItemAccessibilityException("%s is not accessible to the current user" % item.__class__.__name__, type='error') return item
def check_security(self, trans, has_workflow, check_ownership=True, check_accessible=True): """ check accessibility or ownership of workflows, storedworkflows, and workflowinvocations. Throw an exception or returns True if user has needed level of access. """ if not check_ownership and not check_accessible: return True # If given an invocation verify ownership of invocation if isinstance(has_workflow, model.WorkflowInvocation): # We use the the owner of the history that is associated to the invocation as a proxy # for the owner of the invocation. if trans.user != has_workflow.history.user and not trans.user_is_admin(): raise exceptions.ItemOwnershipException() else: return True # stored workflow contains security stuff - follow that workflow to # that unless given a stored workflow. if isinstance(has_workflow, model.Workflow): stored_workflow = has_workflow.top_level_stored_workflow else: stored_workflow = has_workflow if stored_workflow.user != trans.user and not trans.user_is_admin(): if check_ownership: raise exceptions.ItemOwnershipException() # else check_accessible... if trans.sa_session.query(model.StoredWorkflowUserShareAssociation).filter_by(user=trans.user, stored_workflow=stored_workflow).count() == 0: raise exceptions.ItemAccessibilityException() return True
def check_security(self, trans, has_workflow, check_ownership=True, check_accessible=True): """ check accessibility or ownership of workflows, storedworkflows, and workflowinvocations. Throw an exception or returns True if user has needed level of access. """ if not check_ownership or check_accessible: return True # If given an invocation follow to workflow... if isinstance(has_workflow, model.WorkflowInvocation): has_workflow = has_workflow.workflow # stored workflow contains security stuff - follow that workflow to # that unless given a stored workflow. if hasattr(has_workflow, "stored_workflow"): stored_workflow = has_workflow.stored_workflow else: stored_workflow = has_workflow if stored_workflow.user != trans.user and not trans.user_is_admin(): if check_ownership: raise exceptions.ItemOwnershipException() # else check_accessible... if trans.sa_session.query( model.StoredWorkflowUserShareAssociation).filter_by( user=trans.user, stored_workflow=stored_workflow).count() == 0: raise exceptions.ItemAccessibilityException() return True
def workflow_usage_contents(self, trans, workflow_id, usage_id, **kwd): """ GET /api/workflows/{workflow_id}/usage/{usage_id} Get detailed description of workflow usage :param workflow_id: the workflow id (required) :type workflow_id: str :param usage_id: the usage id (required) :type usage_id: str :raises: exceptions.MessageException, exceptions.ObjectNotFound """ try: stored_workflow = trans.sa_session.query( self.app.model.StoredWorkflow).get( trans.security.decode_id(workflow_id)) except Exception: raise exceptions.ObjectNotFound() # check to see if user has permissions to selected workflow if stored_workflow.user != trans.user and not trans.user_is_admin(): if trans.sa_session.query( trans.app.model.StoredWorkflowUserShareAssociation ).filter_by(user=trans.user, stored_workflow=stored_workflow).count() == 0: raise exceptions.ItemOwnershipException() results = trans.sa_session.query( self.app.model.WorkflowInvocation).filter_by( workflow_id=stored_workflow.latest_workflow_id) results = results.filter_by(id=trans.security.decode_id(usage_id)) out = results.first() if out is not None: return self.encode_all_ids(trans, out.to_dict('element'), True) return None
def workflow_usage(self, trans, workflow_id, **kwd): """ GET /api/workflows/{workflow_id}/usage Get the list of the workflow usage :param workflow_id: the workflow id (required) :type workflow_id: str :raises: exceptions.MessageException, exceptions.ObjectNotFound """ try: stored_workflow = trans.sa_session.query( self.app.model.StoredWorkflow).get( trans.security.decode_id(workflow_id)) except Exception: raise exceptions.ObjectNotFound() # check to see if user has permissions to selected workflow if stored_workflow.user != trans.user and not trans.user_is_admin(): if trans.sa_session.query( trans.app.model.StoredWorkflowUserShareAssociation ).filter_by(user=trans.user, stored_workflow=stored_workflow).count() == 0: raise exceptions.ItemOwnershipException() results = trans.sa_session.query( self.app.model.WorkflowInvocation).filter_by( workflow_id=stored_workflow.latest_workflow_id) out = [] for r in results: out.append(self.encode_all_ids(trans, r.to_dict(), True)) return out
def error_unless_owner(self, item, user, **kwargs): """ Raise an error if the item is NOT owned by user, otherwise return the item. :raises exceptions.ItemAccessibilityException: """ if self.is_owner(item, user, **kwargs): return item raise exceptions.ItemOwnershipException(f"{self.model_class.__name__} is not owned by user")
def error_unless_owner(self, trans, item, user): """ Raise an error if the item is NOT owned by user, otherwise return the item. :raises exceptions.ItemAccessibilityException: """ if self.is_owner(trans, item, user): return item raise exceptions.ItemOwnershipException("%s is not owned by user" % (self.model_class.__name__))
def check_ownership( self, trans, history ): """ Raises error if the current user is not the owner of the history. """ if trans.user and trans.user_is_admin(): return history if not trans.user and not self.is_current( trans, history ): raise exceptions.AuthenticationRequired( "Must be logged in to manage Galaxy histories", type='error' ) if self.is_owner( trans, history ): return history raise exceptions.ItemOwnershipException( "History is not owned by the current user", type='error' )
def check_ownership( self, trans, folder ): """ Check whether the user is owner of the folder. :returns: the original folder :rtype: LibraryFolder """ if not trans.user: raise exceptions.AuthenticationRequired( "Must be logged in to manage Galaxy items", type='error' ) if folder.user != trans.user: raise exceptions.ItemOwnershipException( "Folder is not owned by the current user", type='error' ) else: return folder
def _get_page(self, trans, id): # Fetches page object and verifies security. try: page = trans.sa_session.query(trans.app.model.Page).get(trans.security.decode_id(id)) except Exception: page = None if not page: raise exceptions.ObjectNotFound() if page.user != trans.user and not trans.user_is_admin(): raise exceptions.ItemOwnershipException() return page
def check_ownership(self, trans, hda): """ Use history to see if current user owns HDA. """ if not trans.user: #if hda.history == trans.history: # return hda raise exceptions.AuthenticationRequired( "Must be logged in to manage Galaxy datasets", type='error') if trans.user_is_admin(): return hda # check for ownership of the containing history and accessibility of the underlying dataset if (self.histories_mgr.is_owner(trans, hda.history) and self.can_access_dataset(trans, hda)): return hda raise exceptions.ItemOwnershipException( "HistoryDatasetAssociation is not owned by the current user", type='error')
def _verify_page_ownership(self, trans, page): if not self.security_check(trans, page, True, True): raise exceptions.ItemOwnershipException()