src/hg/hubApi/getData.c 6fee91c9d0a6a9a3d9e3588e44ae92596a9aa9fb

6fee91c9d0a6a9a3d9e3588e44ae92596a9aa9fb
hiram
  Mon May 13 14:37:27 2019 -0700
recognizing the trackDb setting tableBrowser to avoid revealing protected data refs #18869

diff --git src/hg/hubApi/getData.c src/hg/hubApi/getData.c
index 34dac3b..80c4b48 100644
--- src/hg/hubApi/getData.c
+++ src/hg/hubApi/getData.c
@@ -628,30 +628,33 @@
 struct trackDb *thisTrack = hTrackDbForTrackAndAncestors(db, track);
 if (NULL == thisTrack)
     apiErrAbort(err400, err400Msg, "can not find track=%s name for endpoint '/getData/track", track);
 
 /* might be a big* track with no table */
 char *bigDataUrl = trackDbSetting(thisTrack, "bigDataUrl");
 boolean tableTrack = TRUE;
 
 /* might have a specific table defined instead of the track name */
 char *tableName = trackDbSetting(thisTrack, "table");
 if (isNotEmpty(tableName))
     {
     freeMem(sqlTable);
     sqlTable = cloneString(tableName);
     }
+boolean protectedData = FALSE;
+if (trackDbSetting(thisTrack, "tableBrowser"))
+    protectedData = TRUE;
 
 /* database existence has already been checked before now, might
  * have disappeared in the mean time
  */
 struct sqlConnection *conn = hAllocConnMaybe(db);
 if (NULL == conn)
     apiErrAbort(err400, err400Msg, "can not find genome 'genome=%s' for endpoint '/getData/track", db);
 
 struct hTableInfo *hti = hFindTableInfoWithConn(conn, NULL, sqlTable);
 
 char *splitSqlTable = NULL;
 
 if (hti && hti->isSplit)
     {
     if (isNotEmpty(chrom))
@@ -664,30 +667,32 @@
 	{
 	char *defaultChrom = hDefaultChrom(db);
 	char fullTableName[256];
 	safef(fullTableName, sizeof(fullTableName), "%s_%s", defaultChrom, hti->rootName);
 	splitSqlTable = cloneString(fullTableName);
 	}
     }
 
 if (! hTableOrSplitExists(db, sqlTable))
     {
     if (! bigDataUrl)
 	apiErrAbort(err400, err400Msg, "can not find specified 'track=%s' for endpoint: /getData/track?genome=%s;track=%s", track, db, track);
     else
 	tableTrack = FALSE;
     }
+if (protectedData)
+	apiErrAbort(err403, err403Msg, "this data request: 'db=%s;track=%s' is protected data", db, track);
 
 struct jsonWrite *jw = apiStartOutput();
 jsonWriteString(jw, "genome", db);
 if (tableTrack)
     {
     char *dataTime = NULL;
     if (hti && hti->isSplit)
 	dataTime = sqlTableUpdate(conn, splitSqlTable);
     else
 	dataTime = sqlTableUpdate(conn, sqlTable);
     time_t dataTimeStamp = sqlDateToUnixTime(dataTime);
     replaceChar(dataTime, ' ', 'T');	/*	ISO 8601	*/
     jsonWriteString(jw, "dataTime", dataTime);
     jsonWriteNumber(jw, "dataTimeStamp", (long long)dataTimeStamp);
     if (differentStringNullOk(sqlTable,track))