Fix authentication and authorization for data sets, analysis and work…

…flows.

refinery/core/api.py

@@ -25,7 +25,7 @@
 from core.models import Project, NodeSet, NodeRelationship, NodePair, \
     Workflow, WorkflowInputRelationships, Analysis, DataSet, \
     ExternalToolStatus, ResourceStatistics, GroupManagement, ExtendedGroup, \
-    UserAuthentication, Invitation, EmailInvite
+    UserAuthentication, Invitation, EmailInvite, UserProfile
 from core.tasks import check_tool_status
 from data_set_manager.api import StudyResource, AssayResource
 from data_set_manager.models import Node, Study
@@ -112,13 +112,13 @@ def list_to_queryset(self, res_list):
     # Apply filters.
     def do_filtering(self, res_list, get_req_dict):
         mod_list = res_list
-        
+
         for k in get_req_dict:
             # Skip if res does not have the attribute. Done to help avoid
             # whatever internal filtering can be performed on other things,
             # like limiting the return amount.
             mod_list = [x for x in mod_list
-                        if not hasattr(x, k) or 
+                        if not hasattr(x, k) or
                         str(getattr(x, k)) == get_req_dict[k]]
 
         return mod_list
@@ -139,7 +139,7 @@ def build_res_list(self, user, res_list, request, **kwargs):
 
         # Filter for query flags.
         res_list = self.do_filtering(res_list, request.GET)
- 
+
         return res_list
 
     def build_bundle_list(self, request, res_list, **kwargs):
@@ -316,7 +316,6 @@ class Meta:
         # authentication = SessionAuthentication()
         # authorization = GuardianAuthorization()
         filtering = {'uuid': ALL}
-        # fields = ['uuid']
 
     def prepend_urls(self):
         prepend_urls_list = SharableResourceAPIInterface.prepend_urls(self) + [
@@ -339,8 +338,19 @@ def obj_get_list(self, bundle, **kwargs):
                                                          bundle,
                                                          **kwargs)
 
-    def get_object_list(self, request):
-        return SharableResourceAPIInterface.get_object_list(self, request)
+    # def get_object_list(self, request):
+    #     return SharableResourceAPIInterface.get_object_list(self, request)
+
+    def get_object_list(self, request, **kwargs):
+        data_sets = get_objects_for_user(
+            request.user,
+            "core.read_dataset"
+        )
+        for data_set in data_sets:
+            data_set.is_owner = request.user.pk == data_set.get_owner().pk
+            data_set.public = data_set.is_public
+
+        return data_sets
 
     def obj_create(self, bundle, **kwargs):
         return SharableResourceAPIInterface.obj_create(self, bundle, **kwargs)
@@ -448,8 +458,14 @@ def obj_get_list(self, bundle, **kwargs):
                                                          bundle,
                                                          **kwargs)
 
-    def get_object_list(self, request):
-        return SharableResourceAPIInterface.get_object_list(self, request)
+    # def get_object_list(self, request):
+    #     return SharableResourceAPIInterface.get_object_list(self, request)
+
+    def get_object_list(self, request, **kwargs):
+        return get_objects_for_user(
+            request.user,
+            "core.read_workflow"
+        ).filter(is_active=True)
 
     def obj_create(self, bundle, **kwargs):
         return SharableResourceAPIInterface.obj_create(self, bundle, **kwargs)
@@ -509,7 +525,7 @@ class Meta:
         resource_name = Analysis._meta.module_name
         detail_uri_name = 'uuid'    # for using UUIDs instead of pk in URIs
         # required for public data set access by anonymous users
-        authentication = Authentication()
+        authentication = SessionAuthentication()
         authorization = Authorization()
         allowed_methods = ["get"]
         fields = [
@@ -523,6 +539,13 @@ class Meta:
         }
         ordering = ['name', 'creation_date']
 
+    def get_object_list(self, request, **kwargs):
+        return UserProfile.objects.get(
+            user=User.objects.get(
+                username=request.user
+            )
+        ).catch_all_project.analyses.all().order_by("-time_start")
+
 
 class NodeResource(ModelResource):
     parents = fields.ToManyField('core.api.NodeResource', 'parents')
@@ -1193,7 +1216,7 @@ def user_authorized(self, user, group):
     def has_expired(self, token):
         if token.expires is None:
             return True
- 
+
         return (datetime.datetime.now() - token.expires).total_seconds() >= 0
 
     def prepend_urls(self):
@@ -1208,9 +1231,10 @@ def prepend_urls(self):
                 self.wrap_view('update_db'),
                 name='api_invitation_update_db'),
             url(r'^invitation/send/(?P<group_id>%s)/(?P<email>%s)/$'
-                    % (self.group_id_regex, self.email_regex),
+                % (self.group_id_regex, self.email_regex),
                 self.wrap_view('email_token'),
                 name='api_invitation_email_token'),
+
         ]
 
     def get_token(self, request, **kwargs):
@@ -1219,7 +1243,7 @@ def get_token(self, request, **kwargs):
         if request.method == 'GET':
             user = request.user
             group = self.get_group(int(kwargs['group_id']))
-            
+
             if not self.user_authorized(user, group):
                 return HttpUnauthorized()
 
@@ -1267,6 +1291,7 @@ def update_db(self, request, **kwargs):
 
         return HttpNoContent()
 
+
     def email_token(self, request, **kwargs):
         group = self.get_group(int(kwargs['group_id']))
 
@@ -1291,4 +1316,3 @@ def email_token(self, request, **kwargs):
         email = EmailMessage(subject, body, to=[address])
         email.send()
         return HttpAccepted()
-