def security_check(trans, item, check_ownership=False, check_accessible=False):
"""
Security checks for an item: checks if (a) user owns item or (b) item
is accessible to user. This is a generic method for dealing with objects
uniformly from the older controller mixin code - however whenever possible
the managers for a particular model should be used to perform security
checks.
"""
# all items are accessible to an admin
if trans.user_is_admin:
return item
# Verify ownership: there is a current user and that user is the same as the item's
if check_ownership:
if not trans.user:
raise exceptions.ItemOwnershipException("Must be logged in to manage Galaxy items", type='error')
if item.user != trans.user:
raise exceptions.ItemOwnershipException("%s is not owned by the current user" % item.__class__.__name__, type='error')
# Verify accessible:
# if it's part of a lib - can they access via security
# if it's something else (sharable) have they been added to the item's users_shared_with_dot_users
if check_accessible:
if type(item) in (trans.app.model.LibraryFolder, trans.app.model.LibraryDatasetDatasetAssociation, trans.app.model.LibraryDataset):
if not trans.app.security_agent.can_access_library_item(trans.get_current_user_roles(), item, trans.user):
raise exceptions.ItemAccessibilityException("%s is not accessible to the current user" % item.__class__.__name__, type='error')
else:
if (item.user != trans.user) and (not item.importable) and (trans.user not in item.users_shared_with_dot_users):
raise exceptions.ItemAccessibilityException("%s is not accessible to the current user" % item.__class__.__name__, type='error')
return item
def check_security(self, trans, has_workflow, check_ownership=True, check_accessible=True):
""" check accessibility or ownership of workflows, storedworkflows, and
workflowinvocations. Throw an exception or returns True if user has
needed level of access.
"""
if not check_ownership and not check_accessible:
return True
# If given an invocation verify ownership of invocation
if isinstance(has_workflow, model.WorkflowInvocation):
# We use the the owner of the history that is associated to the invocation as a proxy
# for the owner of the invocation.
if trans.user != has_workflow.history.user and not trans.user_is_admin():
raise exceptions.ItemOwnershipException()
else:
return True
# stored workflow contains security stuff - follow that workflow to
# that unless given a stored workflow.
if isinstance(has_workflow, model.Workflow):
stored_workflow = has_workflow.top_level_stored_workflow
else:
stored_workflow = has_workflow
if stored_workflow.user != trans.user and not trans.user_is_admin():
if check_ownership:
raise exceptions.ItemOwnershipException()
# else check_accessible...
if trans.sa_session.query(model.StoredWorkflowUserShareAssociation).filter_by(user=trans.user, stored_workflow=stored_workflow).count() == 0:
raise exceptions.ItemAccessibilityException()
return True
def check_security(self,
trans,
has_workflow,
check_ownership=True,
check_accessible=True):
""" check accessibility or ownership of workflows, storedworkflows, and
workflowinvocations. Throw an exception or returns True if user has
needed level of access.
"""
if not check_ownership or check_accessible:
return True
# If given an invocation follow to workflow...
if isinstance(has_workflow, model.WorkflowInvocation):
has_workflow = has_workflow.workflow
# stored workflow contains security stuff - follow that workflow to
# that unless given a stored workflow.
if hasattr(has_workflow, "stored_workflow"):
stored_workflow = has_workflow.stored_workflow
else:
stored_workflow = has_workflow
if stored_workflow.user != trans.user and not trans.user_is_admin():
if check_ownership:
raise exceptions.ItemOwnershipException()
# else check_accessible...
if trans.sa_session.query(
model.StoredWorkflowUserShareAssociation).filter_by(
user=trans.user,
stored_workflow=stored_workflow).count() == 0:
raise exceptions.ItemAccessibilityException()
return True
def workflow_usage_contents(self, trans, workflow_id, usage_id, **kwd):
"""
GET /api/workflows/{workflow_id}/usage/{usage_id}
Get detailed description of workflow usage
:param workflow_id: the workflow id (required)
:type workflow_id: str
:param usage_id: the usage id (required)
:type usage_id: str
:raises: exceptions.MessageException, exceptions.ObjectNotFound
"""
try:
stored_workflow = trans.sa_session.query(
self.app.model.StoredWorkflow).get(
trans.security.decode_id(workflow_id))
except Exception:
raise exceptions.ObjectNotFound()
# check to see if user has permissions to selected workflow
if stored_workflow.user != trans.user and not trans.user_is_admin():
if trans.sa_session.query(
trans.app.model.StoredWorkflowUserShareAssociation
).filter_by(user=trans.user,
stored_workflow=stored_workflow).count() == 0:
raise exceptions.ItemOwnershipException()
results = trans.sa_session.query(
self.app.model.WorkflowInvocation).filter_by(
workflow_id=stored_workflow.latest_workflow_id)
results = results.filter_by(id=trans.security.decode_id(usage_id))
out = results.first()
if out is not None:
return self.encode_all_ids(trans, out.to_dict('element'), True)
return None
def workflow_usage(self, trans, workflow_id, **kwd):
"""
GET /api/workflows/{workflow_id}/usage
Get the list of the workflow usage
:param workflow_id: the workflow id (required)
:type workflow_id: str
:raises: exceptions.MessageException, exceptions.ObjectNotFound
"""
try:
stored_workflow = trans.sa_session.query(
self.app.model.StoredWorkflow).get(
trans.security.decode_id(workflow_id))
except Exception:
raise exceptions.ObjectNotFound()
# check to see if user has permissions to selected workflow
if stored_workflow.user != trans.user and not trans.user_is_admin():
if trans.sa_session.query(
trans.app.model.StoredWorkflowUserShareAssociation
).filter_by(user=trans.user,
stored_workflow=stored_workflow).count() == 0:
raise exceptions.ItemOwnershipException()
results = trans.sa_session.query(
self.app.model.WorkflowInvocation).filter_by(
workflow_id=stored_workflow.latest_workflow_id)
out = []
for r in results:
out.append(self.encode_all_ids(trans, r.to_dict(), True))
return out
def error_unless_owner(self, item, user, **kwargs):
"""
Raise an error if the item is NOT owned by user, otherwise return the item.
:raises exceptions.ItemAccessibilityException:
"""
if self.is_owner(item, user, **kwargs):
return item
raise exceptions.ItemOwnershipException(f"{self.model_class.__name__} is not owned by user")
def error_unless_owner(self, trans, item, user):
"""
Raise an error if the item is NOT owned by user, otherwise return the item.
:raises exceptions.ItemAccessibilityException:
"""
if self.is_owner(trans, item, user):
return item
raise exceptions.ItemOwnershipException("%s is not owned by user" %
(self.model_class.__name__))
def check_ownership( self, trans, history ):
"""
Raises error if the current user is not the owner of the history.
"""
if trans.user and trans.user_is_admin():
return history
if not trans.user and not self.is_current( trans, history ):
raise exceptions.AuthenticationRequired( "Must be logged in to manage Galaxy histories", type='error' )
if self.is_owner( trans, history ):
return history
raise exceptions.ItemOwnershipException( "History is not owned by the current user", type='error' )
def check_ownership( self, trans, folder ):
"""
Check whether the user is owner of the folder.
:returns: the original folder
:rtype: LibraryFolder
"""
if not trans.user:
raise exceptions.AuthenticationRequired( "Must be logged in to manage Galaxy items", type='error' )
if folder.user != trans.user:
raise exceptions.ItemOwnershipException( "Folder is not owned by the current user", type='error' )
else:
return folder
def _get_page(self, trans, id): # Fetches page object and verifies security.
try:
page = trans.sa_session.query(trans.app.model.Page).get(trans.security.decode_id(id))
except Exception:
page = None
if not page:
raise exceptions.ObjectNotFound()
if page.user != trans.user and not trans.user_is_admin():
raise exceptions.ItemOwnershipException()
return page
def check_ownership(self, trans, hda):
"""
Use history to see if current user owns HDA.
"""
if not trans.user:
#if hda.history == trans.history:
# return hda
raise exceptions.AuthenticationRequired(
"Must be logged in to manage Galaxy datasets", type='error')
if trans.user_is_admin():
return hda
# check for ownership of the containing history and accessibility of the underlying dataset
if (self.histories_mgr.is_owner(trans, hda.history)
and self.can_access_dataset(trans, hda)):
return hda
raise exceptions.ItemOwnershipException(
"HistoryDatasetAssociation is not owned by the current user",
type='error')
def _verify_page_ownership(self, trans, page):
if not self.security_check(trans, page, True, True):
raise exceptions.ItemOwnershipException()
