AIRAVATA-2223 Only load project when owned by user
Project: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/repo Commit: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/commit/9b300d66 Tree: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/tree/9b300d66 Diff: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/diff/9b300d66 Branch: refs/heads/dreg-gateway Commit: 9b300d66c9e0f3bc27c1cf5cb7e04a1365c3c21c Parents: dc971cb Author: Marcus Christie <machr...@iu.edu> Authored: Thu Jan 26 16:03:15 2017 -0500 Committer: Marcus Christie <machr...@iu.edu> Committed: Thu Jan 26 16:03:15 2017 -0500 ---------------------------------------------------------------------- app/controllers/ExperimentController.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/9b300d66/app/controllers/ExperimentController.php ----------------------------------------------------------------------
diff --git a/app/controllers/ExperimentController.php b/app/controllers/ExperimentController.php
index 29004d1..bd214bf 100755
--- a/app/controllers/ExperimentController.php
+++ b/app/controllers/ExperimentController.php
@@ -144,7 +144,11 @@ class ExperimentController extends BaseController
 if (SharingUtilities::userCanRead(Session::get("username"), $experiment->projectId, ResourceType::PROJECT)) {
 $project = ProjectUtilities::get_project($experiment->projectId);
 }
- } else {
+ } elseif ($experiment->userName == Session::get("username")){
+ // When sharing is disabled the backend checks the auth token claims map
+ // to make sure the authenticating user is the same as the project
+ // owner. So the project can only be loaded when the user is the
+ // project owner, which can be inferred from the experiment's owner.
 $project = ProjectUtilities::get_project($experiment->projectId);
 }
 $expVal = ExperimentUtilities::get_experiment_values($experiment);
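Review bot: The ownership test in the new `elseif` uses loose `==`, which in PHP compares two numeric-looking strings by value and treats two nulls as equal, so it is weaker than an identity check on usernames should be; `} elseif ($experiment->userName === Session::get("username")) {` closes both gaps. With the unconditional `else` gone, nothing in this hunk assigns `$project` for a non-owner, so unless it is initialised above the hunk (not visible here) the code that follows has to cope with it being unset. The added comment could also say that this is a client-side guard to avoid a failing backend call, and that the backend check it describes remains the actual authorization. The enclosing method starts and ends outside the hunk.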