Added rescue AccessForbiddenException to collections controller and view to
authorPeter Amstutz <peter.amstutz@curoverse.com>
Thu, 29 May 2014 14:18:53 +0000 (10:18 -0400)
committerPeter Amstutz <peter.amstutz@curoverse.com>
Thu, 29 May 2014 14:18:53 +0000 (10:18 -0400)
disable the "sharing link" feature when the client is untrusted. refs #2766

apps/workbench/app/controllers/collections_controller.rb
apps/workbench/app/models/arvados_api_client.rb
apps/workbench/app/views/collections/_sharing_button.html.erb

index f1fd092c22ce975c0e20c68bb0c3730ae8fcf236..f88fab375386f1d29cd18459e5f9d100fd720083 100644 (file)
@@ -125,7 +125,11 @@ class CollectionsController < ApplicationController
   end
 
   def search_scopes
-    ApiClientAuthorization.filter([['scopes', '=', sharing_scopes]]).results
+    begin
+      ApiClientAuthorization.filter([['scopes', '=', sharing_scopes]]).results
+    rescue ArvadosApiClient::AccessForbiddenException
+      nil
+    end
   end
 
   def show
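Review bot: The new rescue in search_scopes turns a 403 into a silent nil, so an untrusted-client or permission failure leaves no trace in the logs and is indistinguishable from any other nil at the call site; log it before returning: `rescue ArvadosApiClient::AccessForbiddenException => e` / `Rails.logger.info "search_scopes: sharing links disabled (#{e.message})"` / `nil`. The method now has two distinct "nothing" results, `[]` for "no sharing token exists" and `nil` for "feature unavailable", and that contract is only written down in the view partial; a comment on the method itself, e.g. `# Returns nil (not []) when the API refuses the scope query, so callers can disable sharing entirely.`, keeps it next to the code. Any other caller that calls `.any?` on this result without a nil check would now raise NoMethodError, which is worth checking for before merging.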
index a7ae8ba3aac5c230a48dc79f92072ae5d645ef0e..7574cf665be17d058c737b43d9dc2e65d4f10b94 100644 (file)
@@ -6,6 +6,8 @@ class ArvadosApiClient
   end
   class InvalidApiResponseException < StandardError
   end
+  class AccessForbiddenException < StandardError
+  end
 
   @@profiling_enabled = Rails.configuration.profiling_enabled
   @@discovery = nil
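Review bot: AccessForbiddenException is introduced without a comment saying what condition raises it, and the raising site is a status-code check further down this file rather than anything near the definition. I would document it here: `# Raised when the API server answers a request with HTTP 403, so callers can treat "forbidden" separately from other API failures.`. Note that the other failure path in this file still raises a bare RuntimeError with a string, so there is no single class a caller can rescue to catch every API error; giving the typed exceptions a common base (e.g. `class ApiError < StandardError` with this and InvalidApiResponseException under it) would be a reasonable follow-up.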
@@ -99,7 +101,11 @@ class ArvadosApiClient
     if msg.status_code != 200
       errors = resp[:errors]
       errors = errors.join("\n\n") if errors.is_a? Array
-      raise "#{errors} [API: #{msg.status_code}]"
+      if msg.status_code == 403
+        raise AccessForbiddenException.new "#{errors} [API: #{msg.status_code}]"
+      else
+        raise "#{errors} [API: #{msg.status_code}]"
+      end
     end
     if resp[:_profile]
       Rails.logger.info "API client: " \
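Review bot: Only HTTP 403 is mapped to AccessForbiddenException; every other non-200 status still raises a bare RuntimeError, so if the API server answers a missing or expired token with 401 rather than 403, the controller's new rescue will not cover that case and the sharing button will error instead of being disabled. The two branches also duplicate the message format; build it once and choose the class, which also replaces the non-idiomatic `raise Klass.new msg` with `raise Klass, msg`: `message = "#{errors} [API: #{msg.status_code}]"` / `raise(msg.status_code == 403 ? AccessForbiddenException : RuntimeError, message)`. `errors` is taken straight from the response body, so the exception message carries server-controlled text; that predates this change but matters if the message is ever rendered to users unescaped. The enclosing method starts and ends outside the hunk.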
index b2ed43ab31a4546be19841c052921880828a210d..fc81e705e4b4096d4f18d34e96cd07e5a3f2a4ca 100644 (file)
@@ -1,17 +1,21 @@
-<% if @search_sharing.any? %>
-  <div>Shared at:
-    <span class="pull-right">
-  <%= link_to "Unshare", unshare_collection_url, {
-        class: 'btn-xs btn-info',
-        remote: true,
-        method: 'post'
-      } %></span>
-  <div class="smaller-text" style="word-break: break-all"><%= link_to download_link, download_link %></div>
-</div>
-<% else %>
-  <%= link_to "Create sharing link", share_collection_url, {
-        class: 'btn-xs btn-info',
-        remote: true,
-        method: 'post'
-      } %>
+<%# a nil @search_sharing means we got an AccessForbiddenException and should
+disable this feature entirely. %>
+<% if @search_sharing != nil %>
+  <% if @search_sharing.any? %>
+    <div>Shared at:
+      <span class="pull-right">
+        <%= link_to "Unshare", unshare_collection_url, {
+              class: 'btn-xs btn-info',
+              remote: true,
+              method: 'post'
+            } %></span>
+      <div class="smaller-text" style="word-break: break-all"><%= link_to download_link, download_link %></div>
+    </div>
+  <% else %>
+    <%= link_to "Create sharing link", share_collection_url, {
+          class: 'btn-xs btn-info',
+          remote: true,
+          method: 'post'
+        } %>
+  <% end %>
 <% end %>
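Review bot: `<% if @search_sharing != nil %>` is the non-idiomatic form; since an empty Array is truthy in Ruby, `<% if @search_sharing %>` (or `<% unless @search_sharing.nil? %>`) expresses the same check. The partial's comment ties nil to a specific exception class raised in the controller, which the view cannot see; phrase it by contract instead: `<%# nil means the API refused the sharing-scope query (e.g. untrusted client): hide the feature entirely. %>`. Hiding the link is not the security control here, the API's 403 is, so this is purely UX, and it presumably relies on share_collection_url handling the same 403 gracefully (not visible in this diff). A user of an untrusted client now gets no button and no explanation; whether to render a disabled control with a short hint instead is a product call, but silently hiding it makes the behaviour harder to diagnose in support.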