Merge pull request galaxyproject#17444 from ahmedhamidawan/published_…

…collection_accessible

Only check ownership for HDCAs in non-public histories

lib/galaxy/webapps/galaxy/services/dataset_collections.py

@@ -248,7 +248,7 @@ def contents(
                 "Parameter instance_type not being 'history' is not yet implemented."
             )
         hdca: HistoryDatasetCollectionAssociation = self.collection_manager.get_dataset_collection_instance(
-            trans, "history", hdca_id, check_ownership=True
+            trans, "history", hdca_id
         )
 
         # check to make sure the dsc is part of the validated hdca

lib/galaxy_test/api/test_dataset_collections.py

@@ -418,6 +418,18 @@ def test_collection_contents_security(self, history_id):
             contents_response = self._get(contents_url)
             self._assert_status_code_is(contents_response, 403)
 
+    @requires_new_user
+    def test_published_collection_contents_accessible(self, history_id):
+        # request contents on an hdca that is in a published history
+        hdca, contents_url = self._create_collection_contents_pair(history_id)
+        with self._different_user():
+            contents_response = self._get(contents_url)
+            self._assert_status_code_is(contents_response, 403)
+        self.dataset_populator.make_public(history_id)
+        with self._different_user():
+            contents_response = self._get(contents_url)
+            self._assert_status_code_is(contents_response, 200)
+
     def test_collection_contents_invalid_collection(self, history_id):
         # request an invalid collection from a valid hdca, should get 404
         hdca, contents_url = self._create_collection_contents_pair(history_id)