[ARVADOS] updated: 317064a4ddead0d64d6e312a21d2bb34504aa104
git at public.curoverse.com
git at public.curoverse.com
Thu May 29 10:19:36 EDT 2014
Summary of changes:
.../app/controllers/collections_controller.rb | 6 +++-
apps/workbench/app/models/arvados_api_client.rb | 8 ++++-
.../app/views/collections/_sharing_button.html.erb | 36 ++++++++++++----------
3 files changed, 32 insertions(+), 18 deletions(-)
via 317064a4ddead0d64d6e312a21d2bb34504aa104 (commit)
from 82b46502f25b6992c93bfe7689acc095aa447e5b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 317064a4ddead0d64d6e312a21d2bb34504aa104
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date: Thu May 29 10:18:53 2014 -0400
Added rescue AccessForbiddenException to collections controller and view to
disable the "sharing link" feature when the client is untrusted. refs #2766
diff --git a/apps/workbench/app/controllers/collections_controller.rb b/apps/workbench/app/controllers/collections_controller.rb
index f1fd092..f88fab3 100644
--- a/apps/workbench/app/controllers/collections_controller.rb
+++ b/apps/workbench/app/controllers/collections_controller.rb
@@ -125,7 +125,11 @@ class CollectionsController < ApplicationController
end
def search_scopes
- ApiClientAuthorization.filter([['scopes', '=', sharing_scopes]]).results
+ begin
+ ApiClientAuthorization.filter([['scopes', '=', sharing_scopes]]).results
+ rescue ArvadosApiClient::AccessForbiddenException
+ nil
+ end
end
def show
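Review bot: `search_scopes` now returns `nil` on a 403 instead of a result list, and nothing in this hunk documents that contract for its other callers. The partial changed in this commit checks for nil, but any action that iterates the result would raise NoMethodError; the actions behind `share_collection_url` and `unshare_collection_url` are not visible here, so that is worth checking. Those routes also stay reachable by direct POST when the button is hidden, so the API server's 403 remains the actual control. I would add a comment such as `# Returns nil (not []) when the API server answers 403 for this client.` The `begin`/`end` wrapper is unnecessary too; a method-level `rescue ArvadosApiClient::AccessForbiddenException` reads cleaner.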
diff --git a/apps/workbench/app/models/arvados_api_client.rb b/apps/workbench/app/models/arvados_api_client.rb
index a7ae8ba..7574cf6 100644
--- a/apps/workbench/app/models/arvados_api_client.rb
+++ b/apps/workbench/app/models/arvados_api_client.rb
@@ -6,6 +6,8 @@ class ArvadosApiClient
end
class InvalidApiResponseException < StandardError
end
+ class AccessForbiddenException < StandardError
+ end
@@profiling_enabled = Rails.configuration.profiling_enabled
@@discovery = nil
@@ -99,7 +101,11 @@ class ArvadosApiClient
if msg.status_code != 200
errors = resp[:errors]
errors = errors.join("\n\n") if errors.is_a? Array
- raise "#{errors} [API: #{msg.status_code}]"
+ if msg.status_code == 403
+ raise AccessForbiddenException.new "#{errors} [API: #{msg.status_code}]"
+ else
+ raise "#{errors} [API: #{msg.status_code}]"
+ end
end
if resp[:_profile]
Rails.logger.info "API client: " \
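Review bot: A 403 used to surface as a RuntimeError (bare `raise "..."`) and now surfaces as `AccessForbiddenException < StandardError`, so any existing `rescue RuntimeError` around API calls would stop catching it; whether such a caller exists is not visible from this hunk. Only 403 gets a typed exception, while 401 and every other status still raise an untyped string that callers can only tell apart by parsing the message. The idiomatic form for the new line is `raise AccessForbiddenException, "#{errors} [API: #{msg.status_code}]"`. The enclosing method starts and ends outside the hunk.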
diff --git a/apps/workbench/app/views/collections/_sharing_button.html.erb b/apps/workbench/app/views/collections/_sharing_button.html.erb
index b2ed43a..fc81e70 100644
--- a/apps/workbench/app/views/collections/_sharing_button.html.erb
+++ b/apps/workbench/app/views/collections/_sharing_button.html.erb
@@ -1,17 +1,21 @@
-<% if @search_sharing.any? %>
- <div>Shared at:
- <span class="pull-right">
- <%= link_to "Unshare", unshare_collection_url, {
- class: 'btn-xs btn-info',
- remote: true,
- method: 'post'
- } %></span>
- <div class="smaller-text" style="word-break: break-all"><%= link_to download_link, download_link %></div>
-</div>
-<% else %>
- <%= link_to "Create sharing link", share_collection_url, {
- class: 'btn-xs btn-info',
- remote: true,
- method: 'post'
- } %>
+<%# a nil @search_sharing means we got an AccessForbiddenException and should
+disable this feature entirely. %>
+<% if @search_sharing != nil %>
+ <% if @search_sharing.any? %>
+ <div>Shared at:
+ <span class="pull-right">
+ <%= link_to "Unshare", unshare_collection_url, {
+ class: 'btn-xs btn-info',
+ remote: true,
+ method: 'post'
+ } %></span>
+ <div class="smaller-text" style="word-break: break-all"><%= link_to download_link, download_link %></div>
+ </div>
+ <% else %>
+ <%= link_to "Create sharing link", share_collection_url, {
+ class: 'btn-xs btn-info',
+ remote: true,
+ method: 'post'
+ } %>
+ <% end %>
<% end %>
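Review bot: The outer guard treats every nil `@search_sharing` as "access forbidden", so an action that renders this partial without assigning the variable would silently hide the sharing controls instead of failing visibly. Where the variable is assigned is not shown in this commit. `<% unless @search_sharing.nil? %>` is the more idiomatic test than `!= nil`. The nil case currently renders nothing, so a short explanatory line there would tell the user that sharing is unavailable for this client rather than leaving the control missing without explanation.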
-----------------------------------------------------------------------
hooks/post-receive
--