From f5c3478ad42102dd5f14879830ba60519e07de98 Mon Sep 17 00:00:00 2001
From: mvdbeek
Date: Sat, 23 May 2020 19:33:47 +0200
Subject: [PATCH] Test that job with DCE respects permissions
---
 lib/galaxy/tools/__init__.py | 2 +-
 lib/galaxy/tools/actions/__init__.py | 7 +++---
 lib/galaxy_test/api/test_jobs.py | 32 +++++++++++++++++++++++-----
 3 files changed, 32 insertions(+), 9 deletions(-)
diff --git a/lib/galaxy/tools/__init__.py b/lib/galaxy/tools/__init__.py
index 8c7cc8ba2a7c..26ee54ab3693 100755
--- a/lib/galaxy/tools/__init__.py
+++ b/lib/galaxy/tools/__init__.py
@@ -1597,7 +1597,7 @@ def handle_single_execution(self, trans, rerun_remap_job_id, execution_slice, hi
 completed_job=completed_job,
 collection_info=collection_info,
 )
- except webob.exc.HTTPFound as e:
+ except (webob.exc.HTTPFound, exceptions.MessageException) as e:
 # if it's a webob redirect exception, pass it up the stack
 raise e
 except ToolInputsNotReadyException as e:
diff --git a/lib/galaxy/tools/actions/__init__.py b/lib/galaxy/tools/actions/__init__.py
index 6ccd922dec31..2bd342f8c25b 100644
--- a/lib/galaxy/tools/actions/__init__.py
+++ b/lib/galaxy/tools/actions/__init__.py
@@ -8,6 +8,7 @@
 from six import string_types
 from galaxy import model
+from galaxy.exceptions import ItemAccessibilityException
 from galaxy.jobs.actions.post import ActionBox
 from galaxy.model import LibraryDatasetDatasetAssociation, WorkflowRequestInputParameter
 from galaxy.model.dataset_collections.builder import CollectionBuilder
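Review bot: The comment under the widened `except` in `handle_single_execution` still describes only the webob redirect, although the clause now also re-raises every `exceptions.MessageException`; I would update it to `# pass redirects and API-level MessageExceptions (e.g. an inaccessible input) up the stack unchanged` and use a bare `raise` instead of `raise e`. Catching the whole `MessageException` family here also means those errors skip the handlers that follow (`ToolInputsNotReadyException` and anything after it outside the hunk), so it is worth confirming that no caller relied on them being recorded as per-job execution errors. The function starts and ends outside the hunk.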
@@ -100,12 +101,12 @@ def process_dataset(data, formats=None):
 if collection_info and collection_info.is_mapped_over(input_name):
 action_tuples = collection_info.map_over_action_tuples(input_name)
 if not trans.app.security_agent.can_access_datasets(current_user_roles, action_tuples):
- raise Exception("User does not have permission to use a dataset provided for input.")
+ raise ItemAccessibilityException("User does not have permission to use a dataset provided for input.")
 for action, role_id in action_tuples:
 record_permission(action, role_id)
 else:
 if not trans.app.security_agent.can_access_dataset(current_user_roles, data.dataset):
- raise Exception("User does not have permission to use a dataset (%s) provided for input." % data.id)
+ raise ItemAccessibilityException("User does not have permission to use a dataset (%s) provided for input." % data.id)
 permissions = trans.app.security_agent.get_permissions(data.dataset)
 for action, roles in permissions.items():
 for role in roles:
@@ -172,7 +173,7 @@ def process_dataset(data, formats=None):
 action_tuples = collection.dataset_action_tuples
 if not trans.app.security_agent.can_access_datasets(current_user_roles, action_tuples):
- raise Exception("User does not have permission to use a dataset provided for input.")
+ raise ItemAccessibilityException("User does not have permission to use a dataset provided for input.")
 for action, role_id in action_tuples:
 record_permission(action, role_id)
diff --git a/lib/galaxy_test/api/test_jobs.py b/lib/galaxy_test/api/test_jobs.py
index d25fa8010fb7..c1c20b1f2b5b 100644
--- a/lib/galaxy_test/api/test_jobs.py
+++ b/lib/galaxy_test/api/test_jobs.py
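Review bot: The second raise in the `-100,12` hunk interpolates `data.id` into the `ItemAccessibilityException` message, and since the first file of this patch lets `MessageException`s propagate, that text presumably now reaches the API client in the 403 body. That hands the raw database id of a dataset to a user who was just denied access to it, whereas the two collection-level raises (here and in the `-172,7` hunk) carry no id. I would drop it for consistency, `raise ItemAccessibilityException("User does not have permission to use a dataset provided for input.")`, and log the id server-side if it is needed for debugging. The enclosing function begins and ends outside the hunk.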
@@ -577,10 +577,7 @@ def test_search_with_hdca_list_pair_input(self, history_id):
 })
 self._job_search(tool_id='multi_data_param', history_id=history_id, inputs=inputs)
- # This endpoint is not great, but I think we need this for now.
- @skip_without_tool("collection_paired_test")
- @uses_test_history(require_new=False)
- def test_job_build_for_rerun(self, history_id):
+ def _get_simple_rerun_params(self, history_id, private=False):
 list_id_a = self.__history_with_ok_collection(collection_type='list:pair', history_id=history_id)
 inputs = {'f1': {'batch': True, 'values': [{'src': 'hdca', 'id': list_id_a, 'map_over_type': 'paired'}]}}
 run_response = self._run(
@@ -595,7 +592,17 @@ def test_job_build_for_rerun(self, history_id):
 # which is a dataset collection element (and not the list:pair hdca that was used as input to the original
 # job).
 assert rerun_params['state_inputs']['f1']['values'][0]['src'] == 'dce'
- run_response = self._run(
+ if private:
+ hdca = self.dataset_populator.get_history_collection_details(history_id=history_id, content_id=list_id_a)
+ for element in hdca['elements'][0]['object']['elements']:
+ self.dataset_populator.make_private(history_id, element['object']['id'])
+ return rerun_params
+
+ @skip_without_tool("collection_paired_test")
+ @uses_test_history(require_new=False)
+ def test_job_build_for_rerun(self, history_id):
+ rerun_params = self._get_simple_rerun_params(history_id)
+ self._run(
 history_id=history_id,
 tool_id="collection_paired_test",
 inputs=rerun_params['state_inputs'],
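Review bot: `_get_simple_rerun_params` in the `-577,10` hunk turns a test method into a shared helper but has no docstring, and the effect of its `private` flag is only visible in the next hunk. A one-line docstring would state the contract, for example `"""Run collection_paired_test over a list:pair HDCA and return the build-for-rerun params; with private=True the datasets of the collection's first pair are made private before returning."""`. Part of the helper body lies between the two hunks and is not visible here, so the wording should be checked against it.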
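Review bot: The `private` branch in the `-595,7` hunk restricts only the datasets under `hdca['elements'][0]`, while the caller resubmits whatever DCE ended up in `rerun_params['state_inputs']['f1']['values'][0]`; nothing visible here ties the two together. If the job picked for rerun (chosen outside the hunk) belongs to a different pair, `test_dce_submission_security` would submit datasets that were never made private. Restricting every pair removes that coupling: wrap the existing `make_private` call in `for pair in hdca['elements']:` and `for element in pair['object']['elements']:`.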
@@ -603,6 +610,21 @@ def test_job_build_for_rerun(self, history_id):
 assert_ok=True,
 )
+ @skip_without_tool("collection_paired_test")
+ @uses_test_history(require_new=False)
+ def test_dce_submission_security(self, history_id):
+ rerun_params = self._get_simple_rerun_params(history_id, private=True)
+ with self._different_user():
+ other_history_id = self.dataset_populator.new_history()
+ response = self._run(
+ history_id=other_history_id,
+ tool_id="collection_paired_test",
+ inputs=rerun_params['state_inputs'],
+ wait_for_job=False,
+ assert_ok=False,
+ )
+ assert response.status_code == 403
+
 @skip_without_tool("identifier_collection")
 @uses_test_history(require_new=False)
 def test_job_build_for_rerun_list_list(self, history_id):
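Review bot: `test_dce_submission_security` pins only `response.status_code == 403`, so it does not show that the rejected request left nothing behind in the other user's history. While still acting as the other user, I would also assert that the history stayed empty, e.g. `assert self._get("histories/%s/contents" % other_history_id).json() == []`, assuming the API test case's usual `_get` helper is available here. A short docstring saying that a DCE id obtained by the owner must not let another user run a job on private datasets would document the intent.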