From: Peter Amstutz Date: Thu, 29 May 2014 14:18:53 +0000 (-0400) Subject: Added rescue AccessForbiddenException to collections controller and view to X-Git-Tag: 1.1.0~2595 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/317064a4ddead0d64d6e312a21d2bb34504aa104 Added rescue AccessForbiddenException to collections controller and view to disable the "sharing link" feature when the client is untrusted. refs #2766
---
diff --git a/apps/workbench/app/controllers/collections_controller.rb b/apps/workbench/app/controllers/collections_controller.rb
index f1fd092c22..f88fab3753 100644
--- a/apps/workbench/app/controllers/collections_controller.rb
+++ b/apps/workbench/app/controllers/collections_controller.rb
@@ -125,7 +125,11 @@ class CollectionsController < ApplicationController
 end
 def search_scopes
- ApiClientAuthorization.filter([['scopes', '=', sharing_scopes]]).results
+ begin
+ ApiClientAuthorization.filter([['scopes', '=', sharing_scopes]]).results
+ rescue ArvadosApiClient::AccessForbiddenException
+ nil
+ end
 end
 def show
diff --git a/apps/workbench/app/models/arvados_api_client.rb b/apps/workbench/app/models/arvados_api_client.rb
index a7ae8ba3aa..7574cf665b 100644
--- a/apps/workbench/app/models/arvados_api_client.rb
+++ b/apps/workbench/app/models/arvados_api_client.rb
@@ -6,6 +6,8 @@ class ArvadosApiClient
 end
 class InvalidApiResponseException < StandardError
 end
+ class AccessForbiddenException < StandardError
+ end
 @@profiling_enabled = Rails.configuration.profiling_enabled
 @@discovery = nil
@@ -99,7 +101,11 @@ class ArvadosApiClient
 if msg.status_code != 200
 errors = resp[:errors]
 errors = errors.join("\n\n") if errors.is_a? Array
- raise "#{errors} [API: #{msg.status_code}]"
+ if msg.status_code == 403
+ raise AccessForbiddenException.new "#{errors} [API: #{msg.status_code}]"
+ else
+ raise "#{errors} [API: #{msg.status_code}]"
+ end
 end
 if resp[:_profile]
 Rails.logger.info "API client: " \
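Review bot: The `begin`/`end` wrapper added around the body of `search_scopes` is redundant, because a Ruby method body can carry its own `rescue` clause; the method reads the same with the `rescue ArvadosApiClient::AccessForbiddenException` line placed directly under the `filter(...).results` call and the `begin`/inner `end` pair dropped. Returning `nil` also discards the reason for the 403, so an operator cannot tell an intentionally untrusted client from a misconfigured one; a `Rails.logger.debug "search_scopes: #{e.message}"` in the rescue branch (binding the exception with `=> e`) would keep that visible without changing the nil contract the view depends on. The method is fully visible in the hunk.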
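Review bot: The new `AccessForbiddenException` class has no comment saying when it is raised, unlike what the next hunk makes clear only by reading the status-code check; a one-line comment above it, `# Raised when the API server answers 403 Forbidden; see the status-code check in the response handler.`, lets callers know what they are rescuing without reading the client internals. The class sits between existing exception definitions, so the same comment style would suit `InvalidApiResponseException` if one is ever added there.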
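Review bot: `raise AccessForbiddenException.new "..."` is better written in the class-plus-message form, `raise AccessForbiddenException, "#{errors} [API: #{msg.status_code}]"`, which is the idiomatic spelling and avoids the unparenthesised `.new` argument. The `else` branch keeps raising a bare string, i.e. a `RuntimeError`, so callers can now rescue a 403 by class but still cannot do the same for any other non-200 status; if that asymmetry is intended, a comment such as `# Only 403 gets a dedicated exception class; other API failures stay RuntimeError.` above the `if` would make it deliberate rather than accidental. The enclosing method starts and ends outside the hunk.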
diff --git a/apps/workbench/app/views/collections/_sharing_button.html.erb b/apps/workbench/app/views/collections/_sharing_button.html.erb index b2ed43ab31..fc81e705e4 100644 --- a/apps/workbench/app/views/collections/_sharing_button.html.erb +++ b/apps/workbench/app/views/collections/_sharing_button.html.erb @@ -1,17 +1,21 @@ -<% if @search_sharing.any? %> -
Shared at: - - <%= link_to "Unshare", unshare_collection_url, { - class: 'btn-xs btn-info', - remote: true, - method: 'post' - } %> -
<%= link_to download_link, download_link %>
-
-<% else %> - <%= link_to "Create sharing link", share_collection_url, { - class: 'btn-xs btn-info', - remote: true, - method: 'post' - } %> +<%# a nil @search_sharing means we got an AccessForbiddenException and should +disable this feature entirely. %> +<% if @search_sharing != nil %> + <% if @search_sharing.any? %> +
Shared at: + + <%= link_to "Unshare", unshare_collection_url, { + class: 'btn-xs btn-info', + remote: true, + method: 'post' + } %> +
<%= link_to download_link, download_link %>
+
+ <% else %> + <%= link_to "Create sharing link", share_collection_url, { + class: 'btn-xs btn-info', + remote: true, + method: 'post' + } %> + <% end %> <% end %>
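Review bot: `<% if @search_sharing != nil %>` compares to nil explicitly; per the comment directly above it, `@search_sharing` is nil only when the controller rescued the 403, and a result set is never `false`, so `<% if @search_sharing %>` (or `<% unless @search_sharing.nil? %>`) expresses the same condition idiomatically. The new `<%# ... %>` comment is split across two physical lines inside one tag; presumably the template engine in use accepts that, but multi-line ERB comment tags have been a source of parse problems in some engines, so one `<%# %>` per line is the safer spelling. The whole partial is within the hunk.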