Merge pull request #20949 from guerler/relax_admin_requirements_for_tool_data

Limit admin requirement of selected tool data api endpoints

Author: guerler

client/src/api/schema/schema.ts

@@ -4584,7 +4584,7 @@ export interface paths {
             cookie?: never;
         };
         /**
-         * Get details of a given data table
+         * Get details of a data table. For non-administrators, base directories in the path column are stripped, leaving only the basename.
          * @description Get details of a given tool data table.
          */
         get: operations["show_api_tool_data__table_name__get"];
@@ -4609,7 +4609,7 @@ export interface paths {
         };
         /**
          * Get information about a particular field in a tool data table
-         * @description Reloads a data table and return its details.
+         * @description Displays information about a data table field.
          */
         get: operations["show_field_api_tool_data__table_name__fields__field_name__get"];
         put?: never;
@@ -4628,7 +4628,7 @@ export interface paths {
             cookie?: never;
         };
         /**
-         * Get information about a particular field in a tool data table
+         * Get files associated with a particular field in a tool data table
          * @description Download a file associated with the data table field.
          */
         get: operations["download_field_file_api_tool_data__table_name__fields__field_name__files__file_name__get"];
@@ -38069,7 +38069,7 @@ export interface operations {
         };
         requestBody?: never;
         responses: {
-            /** @description A description of the given data table and its content */
+            /** @description A description of the given data table and its content. */
             200: {
                 headers: {
                     [name: string]: unknown;
@@ -38211,7 +38211,7 @@ export interface operations {
         };
         requestBody?: never;
         responses: {
-            /** @description Information about a data table field */
+            /** @description Request file associated with tool data table entry */
             200: {
                 headers: {
                     [name: string]: unknown;

lib/galaxy/managers/tool_data.py

@@ -1,3 +1,4 @@
+from os.path import basename
 from pathlib import Path
 from typing import (
     cast,
@@ -7,6 +8,7 @@
 from galaxy import exceptions
 from galaxy.files import ConfiguredFileSources
 from galaxy.files.uris import stream_url_to_file
+from galaxy.managers.context import ProvidesUserContext
 from galaxy.model import DatasetInstance
 from galaxy.structured_app import (
     MinimalManagerApp,
@@ -27,6 +29,9 @@
     ToolDataTable,
 )
 
+# Tables that are accessible without admin rights
+PUBLIC_TABLES = ["fasta_indexes", "twobit"]
+
 
 class ToolDataManager:
     """
@@ -44,14 +49,21 @@ def index(self) -> ToolDataEntryList:
         """Return all tool data tables."""
         return self._app.tool_data_tables.index()
 
-    def show(self, table_name: str) -> ToolDataDetails:
+    def show(self, trans: ProvidesUserContext, table_name: str) -> ToolDataDetails:
         """Get details of a given data table"""
         data_table = self._data_table(table_name)
         element_view = data_table.to_dict(view="element")
+        if not trans.user_is_admin:
+            path_index = element_view["columns"].index("path") if "path" in element_view["columns"] else None
+            if path_index is not None:
+                element_view["fields"] = [
+                    [basename(field[path_index]) if i == path_index else field[i] for i in range(len(field))]
+                    for field in element_view["fields"]
+                ]
         return ToolDataDetails.model_construct(**element_view)
 
     def show_field(self, table_name: str, field_name: str) -> ToolDataField:
-        """Get information about a partiular field in a tool data table"""
+        """Get information about a particular field in a tool data table"""
         field = self._data_table_field(table_name, field_name)
         return ToolDataField.model_construct(**field.to_dict())
 
@@ -61,9 +73,13 @@ def reload(self, table_name: str) -> ToolDataDetails:
         data_table.reload_from_files()
         return self._reload_data_table(table_name)
 
-    def get_field_file_path(self, table_name: str, field_name: str, file_name: str) -> Path:
+    def get_field_file_path(self, trans, table_name: str, field_name: str, file_name: str) -> Path:
         """Get the absolute path to a given file name in the table field"""
         field_value = self._data_table_field(table_name, field_name)
+        if table_name not in PUBLIC_TABLES and not trans.user_is_admin:
+            raise exceptions.AdminRequiredException(
+                f"Only administrators can download files from data table {table_name}."
+            )
         base_dir = Path(field_value.get_base_dir())
         full_path = base_dir / file_name
         if str(full_path) not in field_value.get_files():
@@ -101,9 +117,13 @@ def _data_table_field(self, table_name: str, field_name: str) -> TabularToolData
             raise exceptions.ObjectNotFound(f"No such field {field_name} in data table {table_name}.")
         return out
 
-    def _reload_data_table(self, name: str) -> ToolDataDetails:
-        self._app.queue_worker.send_control_task("reload_tool_data_tables", noop_self=True, kwargs={"table_name": name})
-        return self.show(name)
+    def _reload_data_table(self, table_name: str) -> ToolDataDetails:
+        self._app.queue_worker.send_control_task(
+            "reload_tool_data_tables", noop_self=True, kwargs={"table_name": table_name}
+        )
+        data_table = self._data_table(table_name)
+        element_view = data_table.to_dict(view="element")
+        return ToolDataDetails.model_construct(**element_view)
 
 
 class ToolDataImportManager:

lib/galaxy/webapps/galaxy/api/tool_data.py

@@ -10,6 +10,7 @@
 )
 
 from galaxy.celery.tasks import import_data_bundle
+from galaxy.managers.context import ProvidesUserContext
 from galaxy.managers.tool_data import ToolDataManager
 from galaxy.schema.schema import (
     AsyncTaskResultSummary,
@@ -25,6 +26,7 @@
 from galaxy.webapps.galaxy.services.base import async_task_summary
 from . import (
     depends,
+    DependsOnTrans,
     Router,
 )
 
@@ -43,6 +45,12 @@
     description="The name of the tool data table field",
 )
 
+ToolDataTableFieldFileName = Path(
+    ...,
+    title="File name",
+    description="The name of a file associated with this data table field",
+)
+
 
 class ImportToolDataBundle(BaseModel):
     source: ImportToolDataBundleSource = Field(..., discriminator="src")
@@ -77,13 +85,15 @@ def create(
 
     @router.get(
         "/api/tool_data/{table_name}",
-        summary="Get details of a given data table",
-        response_description="A description of the given data table and its content",
-        require_admin=True,
+        summary="Get details of a data table. For non-administrators, base directories in the path column are stripped, leaving only the basename.",
+        response_description="A description of the given data table and its content.",
+        public=True,
     )
-    async def show(self, table_name: str = ToolDataTableName) -> ToolDataDetails:
+    async def show(
+        self, trans: ProvidesUserContext = DependsOnTrans, table_name: str = ToolDataTableName
+    ) -> ToolDataDetails:
         """Get details of a given tool data table."""
-        return self.tool_data_manager.show(table_name)
+        return self.tool_data_manager.show(trans, table_name)
 
     @router.get(
         "/api/tool_data/{table_name}/reload",
@@ -106,28 +116,25 @@ async def show_field(
         table_name: str = ToolDataTableName,
         field_name: str = ToolDataTableFieldName,
     ) -> ToolDataField:
-        """Reloads a data table and return its details."""
+        """Displays information about a data table field."""
         return self.tool_data_manager.show_field(table_name, field_name)
 
     @router.get(
         "/api/tool_data/{table_name}/fields/{field_name}/files/{file_name}",
-        summary="Get information about a particular field in a tool data table",
-        response_description="Information about a data table field",
+        summary="Get files associated with a particular field in a tool data table",
+        response_description="Request file associated with tool data table entry",
         response_class=GalaxyFileResponse,
-        require_admin=True,
+        public=True,
     )
     def download_field_file(
         self,
+        trans: ProvidesUserContext = DependsOnTrans,
         table_name: str = ToolDataTableName,
         field_name: str = ToolDataTableFieldName,
-        file_name: str = Path(
-            ...,  # Mark this field as required
-            title="File name",
-            description="The name of a file associated with this data table field",
-        ),
+        file_name: str = ToolDataTableFieldFileName,
     ):
         """Download a file associated with the data table field."""
-        path = self.tool_data_manager.get_field_file_path(table_name, field_name, file_name)
+        path = self.tool_data_manager.get_field_file_path(trans, table_name, field_name, file_name)
         return GalaxyFileResponse(str(path))
 
     @router.delete(

lib/galaxy_test/api/test_tool_data.py

@@ -19,21 +19,29 @@ def test_admin_only(self):
     def test_list(self):
         index_response = self._get("tool_data", admin=True)
         self._assert_status_code_is(index_response, 200)
-        print(index_response.content)
         index = index_response.json()
         assert "testalpha" in [operator.itemgetter("name")(_) for _ in index]
 
     def test_show(self):
         show_response = self._get("tool_data/testalpha", admin=True)
         self._assert_status_code_is(show_response, 200)
-        print(show_response.content)
         data_table = show_response.json()
         assert data_table["columns"] == ["value", "name", "path"]
         first_entry = data_table["fields"][0]
         assert first_entry[0] == "data1"
         assert first_entry[1] == "data1name"
         assert first_entry[2].endswith("test/functional/tool-data/data1/entry.txt")
 
+    def test_show_anon(self):
+        show_response = self._get("tool_data/testalpha")
+        self._assert_status_code_is(show_response, 200)
+        data_table = show_response.json()
+        assert data_table["columns"] == ["value", "name", "path"]
+        first_entry = data_table["fields"][0]
+        assert first_entry[0] == "data1"
+        assert first_entry[1] == "data1name"
+        assert first_entry[2] == "entry.txt"
+
     def test_show_field(self):
         show_field_response = self._get("tool_data/testalpha/fields/data1", admin=True)
         self._assert_status_code_is(show_field_response, 200)
@@ -48,10 +56,21 @@ def test_download_field_file(self):
         content = show_field_response.text
         assert content == "This is data 1.", content
 
+    def test_download_field_file_anon_raises_404(self):
+        show_field_response = self._get("tool_data/twobit/fields/data1/files/entry.txt")
+        self._assert_status_code_is(show_field_response, 404)
+        err_msg = show_field_response.json()["err_msg"]
+        assert err_msg == "No such field data1 in data table twobit."
+
+    def test_download_field_file_anon_raises_403(self):
+        show_field_response = self._get("tool_data/testalpha/fields/data1/files/entry.txt")
+        self._assert_status_code_is(show_field_response, 403)
+        err_msg = show_field_response.json()["err_msg"]
+        assert err_msg == "Only administrators can download files from data table testalpha."
+
     def test_reload(self):
         show_response = self._get("tool_data/test_fasta_indexes/reload", admin=True)
         self._assert_status_code_is(show_response, 200)
-        print(show_response.content)
         data_table = show_response.json()
         assert data_table["columns"] == ["value", "dbkey", "name", "path"]