Hello everybody,

I'm running a fresh galaxy-dist installation (changeset 4640:8729d2e29b02)
on a Centos 5.5 distribution. I'm using LDAP authentication through
Apache.

Here is the situation. As a galaxy admin, i've created a "new data
library" called "TP" through the admin interface.

I've another user, called "foobar" which belongs to a group called "TP
Admin" which is associated to the role "TP Admin".

I've edited the permissions of the "TP" library to only associate "TP
Admin" role to "add library item". No other entry is associated with any
role.

The "foobar" user logs into galaxy and go to "Shared Data/Data
libraries". He chooses "TP" and click on "Add datasets". The problem is
that the option "Upload files from filesystem paths" appears in the
scrolling "upload option" list even if "foobar" is not a galaxy admin.
This means that he can virtually access any file on the filesystem.

The comments in the "universe_wsgi.ini" mention "Please note the security
implication that this will give Galaxy Admins access to anything your
Galaxy user has access to." which seems ok for Galaxy admins, but it
looks like this is also the case for any galaxy user.

Any advice on this behaviour? Maybe i misunderstood something.

Regards,

Jean-Baptiste Denis
_______________________________________________
galaxy-dev mailing list
galaxy-dev@lists.bx.psu.edu
http://lists.bx.psu.edu/listinfo/galaxy-dev

Reply via email to