cdb81647deb6096ff29d18a21b4f9e83f45b4ac9
chmalee
  Tue Mar 7 14:38:53 2023 -0800
Fix bug where hubApi was allowing ranged requests for tracks with 'tableBrowser off' setting in trackDb. Fix cartTrackDbIsAccessDenied function to recognize correctly when 'tableBrowser off' setting is present on the same host as the CGI is running. Add tests to hubApi system to check more 'tableBrowser' settings and check getting data from more than one track at once

diff --git src/hg/hubApi/getData.c src/hg/hubApi/getData.c
index f0ed181..76a421b 100644
--- src/hg/hubApi/getData.c
+++ src/hg/hubApi/getData.c
@@ -586,40 +586,44 @@
 if (isEmpty(trackArg))
     apiErrAbort(err400, err400Msg, "missing URL variable track=<trackName> name for endpoint '/getData/track");
 
 /* database existence has already been checked before now, might
  * have disappeared in the mean time (well, not really . . .)
  */
 struct sqlConnection *conn = hAllocConnMaybe(db);
 if (NULL == conn)
     apiErrAbort(err400, err400Msg, "can not find genome 'genome=%s' for endpoint '/getData/track", db);
 
 struct jsonWrite *jw = apiStartOutput();
 jsonWriteString(jw, "genome", db);
 
 // load the tracks
 struct trackDb *tdbList = NULL;
-cartTrackDbInitForApi(NULL, db, &tdbList, NULL, FALSE);
+cartTrackDbInitForApi(NULL, db, &tdbList, NULL, TRUE);
 
 // allow optional comma sep list of tracks
 char *tracks[100];
 int numTracks = chopByChar(trackArg, ',', tracks, sizeof(tracks));
 int i = 0;
 for (i = 0; i < numTracks; i++)
     {
     char *track = cloneString(tracks[i]);
     char *sqlTable = cloneString(track);
+
+    if (cartTrackDbIsAccessDenied(db, sqlTable) ||
+            (cartTrackDbIsNoGenome(db, sqlTable) && !(chrom && start && end)))
+        apiErrAbort(err403, err403Msg, "this data request: 'db=%s;track=%s' is protected data, see also: https://genome.ucsc.edu/FAQ/FAQdownloads.html#download40", db, track);
     struct trackDb *thisTrack = tdbForTrack(db, track, &tdbList);
 
     if (NULL == thisTrack)
         {
         if (! sqlTableExists(conn, track))
             apiErrAbort(err400, err400Msg, "can not find track=%s name for endpoint '/getData/track", track);
         }
     if (thisTrack && ! isSupportedType(thisTrack->type))
         apiErrAbort(err415, err415Msg, "track type '%s' for track=%s not supported at this time", thisTrack->type, track);
     if (trackHasNoData(thisTrack))
         apiErrAbort(err400, err400Msg, "container track '%s' does not contain data, use the children of this container", track);
 
     /* might be a big* track with no table */
     char *bigDataUrl = NULL;
     boolean tableTrack = TRUE;
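Review bot: The new check at the top of the loop calls `cartTrackDbIsAccessDenied(db, sqlTable)` while `sqlTable` is still a copy of the requested track name, whereas the removed `protectedTrack()` call in the next hunk ran after `sqlTable` had been replaced by the trackDb `table` setting. Unless `cartTrackDbIsAccessDenied` resolves that setting itself (not visible here), a track whose `table` setting names a restricted table is now checked only under its track name. Consider keeping a second `if (cartTrackDbIsAccessDenied(db, sqlTable))` guard with the same `err403` abort just before `hFindTableInfoWithConn`, once the table name is final. Separately, `chopByChar(trackArg, ',', tracks, sizeof(tracks))` passes the byte size of `tracks` rather than its 100 elements, so a long comma-separated `track=` value could write past the array; `ArraySize(tracks)` looks like the intended bound. The enclosing function starts and ends outside this hunk.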
@@ -630,33 +634,30 @@
 
         /* might have a specific table defined instead of the track name */
         char *tableName = trackDbSetting(thisTrack, "table");
         if (isNotEmpty(tableName))
             {
             freeMem(sqlTable);
             sqlTable = cloneString(tableName);
             }
         }
     else
         {
         freeMem(sqlTable);
         sqlTable = cloneString(track);
         }
 
-    if (protectedTrack(db, thisTrack, sqlTable) && !(chrom && start && end))
-            apiErrAbort(err403, err403Msg, "this data request: 'db=%s;track=%s' is protected data, see also: https://genome.ucsc.edu/FAQ/FAQdownloads.html#download40", db, track);
-
     struct hTableInfo *hti = hFindTableInfoWithConn(conn, NULL, sqlTable);
 
     char *splitSqlTable = NULL;
 
     if (hti && hti->isSplit)
         {
         if (isNotEmpty(chrom))
             {
             char fullTableName[256];
             safef(fullTableName, sizeof(fullTableName), "%s_%s", chrom, hti->rootName);
             splitSqlTable = cloneString(fullTableName);
             }
         else
             {
             char *defaultChrom = hDefaultChrom(db);