Hi,

I've noticed a ticket on the wiki for per-user tool permissions:
https://bitbucket.org/galaxy/galaxy-central/issue/269/use-galaxy-security-to-restrict-tool

If anyone is interested, the following patch implements such thing (but 
requires manual code changes whenever the access needs to be changed).
The method "tool_allowed_for_user()" can of course be extended/rewritten to 
read access permissions from file or from a database.

Comments are welcomed,
 -gordon

diff -r b23f64804904 -r d6b37783b25e lib/galaxy/util/gordon_tool_permissions.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/galaxy/util/gordon_tool_permissions.py	Thu Feb 03 12:29:41 2011 -0500
@@ -0,0 +1,41 @@
+import logging
+import threading, random, string, re, binascii, pickle, time, datetime, math, re, os, sys, tempfile
+
+log   = logging.getLogger(__name__)
+
+# Hack by gordon:
+#   returns True if the given user is allowed to view/execute the given tool
+#   very hackish and ugly, but should work.
+#   Called by ./lib/galaxy/web/controller/tool_runner.py in index()
+#
+#   Added to support outside collaborators (who aren't allowed to run certain tools)
+#   TODO: make this much more generic (and read access list from an external file)
+def tool_allowed_for_user ( trans, tool_id, tool, user, user_is_admin ):
+    # This hack requires users to register
+    if user is None:
+        log.warn ( "tool_allowed_for_user ( tool = %s, user = None ) - blocking tool usage." )
+        return False
+
+    if user_is_admin:
+        log.warn ("tool_allowed_for_user ( tool = %s, user = %s, user_is_admin ) - allowing tool for administrator" % ( tool_id, user.email ) )
+        return True
+
+    log.warn ( "checking tool_allowed_for_user ( tool = %s, user = %s )" % ( tool_id, user.email ) )
+
+    # block collaborator's access to import/export tools
+    if ( user.email.find ( "x...@other.place.edu" ) == 0  ):
+        if ( tool_id.find ( "cshl_import") != -1 ) or ( tool_id.find("cshl_export") != -1 ):
+            log.warn ( "tool_allowed_for_user ( tool = %s, user = %s ) - blocking tool usage." % ( tool_id, user.email ) )
+            return False
+
+    # Solexa watch tools: 
+    # for now, allow only Asasf and Oliver.
+    # Security hole: if someone has "tam/gordon/hodges" as the beginning of the email, he/she will also be able to run the tool ;( 
+    if ( tool_id.find ("solwatch") != -1):
+        if ( user.email.find("xxx...@cshl.edu")==0 ) or ( user.email.find("xxxxxxx...@cshl.edu")==0) or ( user.email.find("gor...@cshl.edu")==0 ) :
+            return True
+        return False
+    #
+    # By default, allow access
+    return True
+
diff -r b23f64804904 -r d6b37783b25e lib/galaxy/web/controllers/tool_runner.py
--- a/lib/galaxy/web/controllers/tool_runner.py	Thu Feb 03 09:34:39 2011 -0500
+++ b/lib/galaxy/web/controllers/tool_runner.py	Thu Feb 03 12:29:41 2011 -0500
@@ -7,6 +7,7 @@
 from galaxy.tools import DefaultToolState
 from galaxy.tools.parameters.basic import UnvalidatedValue
 from galaxy.tools.actions import upload_common
+from galaxy.util import gordon_tool_permissions
 
 import logging
 log = logging.getLogger( __name__ )
@@ -58,6 +59,18 @@
             log.error( "index called with tool id '%s' but no such tool exists", tool_id )
             trans.log_event( "Tool id '%s' does not exist" % tool_id )
             return "Tool '%s' does not exist, kwd=%s " % (tool_id, kwd)
+        #
+        # Hack By Gordon:
+        # Disable certain tools, if the user is an outside collaborator
+        #
+        if not util.gordon_tool_permissions.tool_allowed_for_user ( trans, tool_id, tool, trans.user, trans.user_is_admin() ) :
+            user_email = "unregistered user"
+            if not (trans.user is None):
+                user_email = trans.user.email
+            log.error("disabling tool %s for outside user %s" % ( tool_id, user_email ) )
+            trans.log_event("disabling tool %s for outside user %s" % ( tool_id, user_email ) )
+            return "Sorry, tool '%s' is disabled for user '%s'." % ( tool_id, user_email )
+        # End of Gordon Hack
         params = util.Params( kwd, sanitize = False ) #Sanitize parameters when substituting into command line via input wrappers
         #do param translation here, used by datasource tools
         if tool.input_translator:

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

  http://lists.bx.psu.edu/

Reply via email to