diff --git a/api/api.py b/api/api.py
index 97334aa9a8d1c9897dd31aac951325fe1d2896b2..f29265a4bd6f9f607826637e80d839699775141a 100644
--- a/api/api.py
+++ b/api/api.py
@@ -192,6 +192,8 @@ endpoints = [
 
             route('/<cid:{gid}>/<list_name:tags>',                           TagsListHandler, m=['POST']),
             route('/<cid:{gid}>/<list_name:tags>/<value:{tag}>',             TagsListHandler, m=['GET', 'PUT', 'DELETE']),
+
+            route( '/<cid:{gid}>/analyses',                                     AnalysesHandler, h='get_all',       m=['GET']),
         ]),
 
 
diff --git a/api/handlers/refererhandler.py b/api/handlers/refererhandler.py
index 335656b12d2cf5fd33ca8871af08a9a1af665971..dfbee617858c7715440aeeee0a4fb60026a88235 100644
--- a/api/handlers/refererhandler.py
+++ b/api/handlers/refererhandler.py
@@ -156,6 +156,11 @@ class AnalysesHandler(RefererHandler):
         if cont_name not in parent_names:
             self.abort(400, "Analysis list not supported for {}".format(cont_name))
 
+        # Check that user has permission to container
+        container = storages[cont_name].get_container(cid)
+        permchecker = self.get_permchecker(container)
+        permchecker(noop)('GET')
+
         parent_tree = {
             cont_name: [cid]
         }
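Review bot: The added permission check assumes `storages[cont_name].get_container(cid)` always yields a container; nothing visible in this hunk handles an unknown `cid`, so a missing container may reach `get_permchecker` and surface as a 500 rather than a 404. Please confirm what `get_container` does on a miss. The bare call `permchecker(noop)('GET')` discards its result, so the check appears to depend on the checker aborting the request on denial; a comment such as `# permchecker aborts with 403 when the user lacks read access; the return value is unused` would make that contract explicit. The enclosing method starts and ends outside this hunk.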
@@ -168,11 +173,13 @@ class AnalysesHandler(RefererHandler):
 
             # For each parent id, find all of its children and add them to the list of child ids in the parent tree
             for parent_id in parent_tree[parent_name]:
-                parent_tree[child_name] = parent_tree[child_name] + [cont["_id"] for cont in storage.get_children(parent_id, projection={'_id':1})]
+                parent_tree[child_name] = parent_tree[child_name] + [cont["_id"] for cont in storage.get_children(parent_id, projection={'_id':1}, uid=self.uid)]
 
             parent_name = child_name
         # We only need a list of all the ids, no need for the tree anymore
         parents = [pid for parent in parent_tree.keys() for pid in parent_tree[parent]]
+
+        # We set User to None because we check for permission when finding the parents
         analyses = containerstorage.AnalysisStorage().get_all_el({'parent.id':{'$in':parents}},None,{'info': 0, 'files.info': 0})
         return analyses
 
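Review bot: Access control for the returned analyses now rests on the `uid=self.uid` filter passed to `get_children`, because `get_all_el` is still called with `None` as its second argument. If `self.uid` can be `None` on this path (for example an unauthenticated request to a public container) and `get_children` treats `uid=None` as "no filter", descendant ids would be collected unfiltered. `get_children` is not visible here, so that case should be confirmed and covered by a test. The new comment would be clearer if it named the argument and both checks, e.g. `# user=None: no permission filter here; access was enforced by permchecker on the root and by uid-filtered get_children`. The method starts outside this hunk.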
diff --git a/tests/integration_tests/python/test_containers.py b/tests/integration_tests/python/test_containers.py
index ace04860be0a2a68ac8db3389ba2805a0e685736..1e28b0325b595388cbf302aa31d19be6037e90b3 100644
--- a/tests/integration_tests/python/test_containers.py
+++ b/tests/integration_tests/python/test_containers.py
@@ -174,7 +174,7 @@ def test_project_template(data_builder, file_form, as_admin):
     assert 'project_has_template' not in r.json()
 
 
-def test_get_all_containers(data_builder, as_public):
+def test_get_all_containers(data_builder, as_admin, as_user, as_public, file_form):
     project_1 = data_builder.create_project()
     project_2 = data_builder.create_project()
     session = data_builder.create_session(project=project_1)
@@ -209,6 +209,25 @@ def test_get_all_containers(data_builder, as_public):
     })
     assert r.ok
 
+    # Test get_all analyses
+    project_3 = data_builder.create_project(public=False)
+    session_2 = data_builder.create_session(project=project_3)
+
+    analysis_1 = as_admin.post('/sessions/' + session_2 + '/analyses', files=file_form(
+        'analysis.csv', meta={'label': 'no-job', 'inputs': [{'name': 'analysis.csv'}]})).json()["_id"]
+    session_3 = data_builder.create_session(project=project_3)
+    acquisition = data_builder.create_acquisition(session=session_3)
+    analysis_2 = as_admin.post('/acquisitions/' + acquisition + '/analyses', files=file_form(
+        'analysis.csv', meta={'label': 'no-job', 'inputs': [{'name': 'analysis.csv'}]})).json()["_id"]
+
+    r = as_admin.get('/projects/' + project_3 + '/analyses')
+    assert r.ok
+    assert len(r.json()) == 2
+
+    r = as_user.get('/projects/' + project_3 + '/analyses')
+    assert r.status_code == 403
+
+
 
 def test_get_all_for_user(as_admin, as_public):
     r = as_admin.get('/users/self')
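Review bot: The new assertions only cover the outright 403 for `as_user` on `project_3`; the per-child filtering introduced with `uid=self.uid` is not exercised, and no unauthenticated request is made against the new `/analyses` endpoint. `analysis_1` and `analysis_2` are assigned but never compared with the response, so `len(r.json()) == 2` would pass for any two analyses. Assuming each returned analysis carries `_id`, `assert {a['_id'] for a in r.json()} == {analysis_1, analysis_2}` would pin the result. A case where the user can read the project but not one of its sessions would test the filter directly. `test_get_all_containers` starts outside this hunk.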