Test that job with DCE respects permissions

galaxyproject · May 24, 2020 · f5c3478 · f5c3478
1 parent 749f791
commit f5c3478
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 9 deletions.
diff --git a/lib/galaxy/tools/__init__.py b/lib/galaxy/tools/__init__.py
@@ -1597,7 +1597,7 @@ def handle_single_execution(self, trans, rerun_remap_job_id, execution_slice, hi
                 completed_job=completed_job,
                 collection_info=collection_info,
             )
-        except webob.exc.HTTPFound as e:
+        except (webob.exc.HTTPFound, exceptions.MessageException) as e:
             # if it's a webob redirect exception, pass it up the stack
             raise e
         except ToolInputsNotReadyException as e:

diff --git a/lib/galaxy/tools/actions/__init__.py b/lib/galaxy/tools/actions/__init__.py
@@ -8,6 +8,7 @@
 from six import string_types
 
 from galaxy import model
+from galaxy.exceptions import ItemAccessibilityException
 from galaxy.jobs.actions.post import ActionBox
 from galaxy.model import LibraryDatasetDatasetAssociation, WorkflowRequestInputParameter
 from galaxy.model.dataset_collections.builder import CollectionBuilder
@@ -100,12 +101,12 @@ def process_dataset(data, formats=None):
                 if collection_info and collection_info.is_mapped_over(input_name):
                     action_tuples = collection_info.map_over_action_tuples(input_name)
                     if not trans.app.security_agent.can_access_datasets(current_user_roles, action_tuples):
-                        raise Exception("User does not have permission to use a dataset provided for input.")
+                        raise ItemAccessibilityException("User does not have permission to use a dataset provided for input.")
                     for action, role_id in action_tuples:
                         record_permission(action, role_id)
                 else:
                     if not trans.app.security_agent.can_access_dataset(current_user_roles, data.dataset):
-                        raise Exception("User does not have permission to use a dataset (%s) provided for input." % data.id)
+                        raise ItemAccessibilityException("User does not have permission to use a dataset (%s) provided for input." % data.id)
                     permissions = trans.app.security_agent.get_permissions(data.dataset)
                     for action, roles in permissions.items():
                         for role in roles:
@@ -172,7 +173,7 @@ def process_dataset(data, formats=None):
 
                 action_tuples = collection.dataset_action_tuples
                 if not trans.app.security_agent.can_access_datasets(current_user_roles, action_tuples):
-                    raise Exception("User does not have permission to use a dataset provided for input.")
+                    raise ItemAccessibilityException("User does not have permission to use a dataset provided for input.")
                 for action, role_id in action_tuples:
                     record_permission(action, role_id)
 

diff --git a/lib/galaxy_test/api/test_jobs.py b/lib/galaxy_test/api/test_jobs.py
@@ -577,10 +577,7 @@ def test_search_with_hdca_list_pair_input(self, history_id):
         })
         self._job_search(tool_id='multi_data_param', history_id=history_id, inputs=inputs)
 
-    # This endpoint is not great, but I think we need this for now.
-    @skip_without_tool("collection_paired_test")
-    @uses_test_history(require_new=False)
-    def test_job_build_for_rerun(self, history_id):
+    def _get_simple_rerun_params(self, history_id, private=False):
         list_id_a = self.__history_with_ok_collection(collection_type='list:pair', history_id=history_id)
         inputs = {'f1': {'batch': True, 'values': [{'src': 'hdca', 'id': list_id_a, 'map_over_type': 'paired'}]}}
         run_response = self._run(
@@ -595,14 +592,39 @@ def test_job_build_for_rerun(self, history_id):
         # which is a dataset collection element (and not the list:pair hdca that was used as input to the original
         # job).
         assert rerun_params['state_inputs']['f1']['values'][0]['src'] == 'dce'
-        run_response = self._run(
+        if private:
+            hdca = self.dataset_populator.get_history_collection_details(history_id=history_id, content_id=list_id_a)
+            for element in hdca['elements'][0]['object']['elements']:
+                self.dataset_populator.make_private(history_id, element['object']['id'])
+        return rerun_params
+
+    @skip_without_tool("collection_paired_test")
+    @uses_test_history(require_new=False)
+    def test_job_build_for_rerun(self, history_id):
+        rerun_params = self._get_simple_rerun_params(history_id)
+        self._run(
             history_id=history_id,
             tool_id="collection_paired_test",
             inputs=rerun_params['state_inputs'],
             wait_for_job=True,
             assert_ok=True,
         )
 
+    @skip_without_tool("collection_paired_test")
+    @uses_test_history(require_new=False)
+    def test_dce_submission_security(self, history_id):
+        rerun_params = self._get_simple_rerun_params(history_id, private=True)
+        with self._different_user():
+            other_history_id = self.dataset_populator.new_history()
+            response = self._run(
+                history_id=other_history_id,
+                tool_id="collection_paired_test",
+                inputs=rerun_params['state_inputs'],
+                wait_for_job=False,
+                assert_ok=False,
+            )
+            assert response.status_code == 403
+
     @skip_without_tool("identifier_collection")
     @uses_test_history(require_new=False)
     def test_job_build_for_rerun_list_list(self, history_id):