diff --git a/lib/galaxy/webapps/galaxy/services/workflows.py b/lib/galaxy/webapps/galaxy/services/workflows.py index 52e35d96c8fe..15f99996fb49 100644 --- a/lib/galaxy/webapps/galaxy/services/workflows.py +++ b/lib/galaxy/webapps/galaxy/services/workflows.py @@ -124,6 +124,9 @@ def invoke_workflow( workflow_id, payload: InvokeWorkflowPayload, ) -> Union[WorkflowInvocationResponse, List[WorkflowInvocationResponse]]: + if trans.anonymous: + raise exceptions.AuthenticationRequired("You need to be logged in to run workflows.") + trans.check_user_activation() # Get workflow + accessibility check. by_stored_id = not payload.instance stored_workflow = self._workflows_manager.get_stored_accessible_workflow(trans, workflow_id, by_stored_id) diff --git a/lib/galaxy_test/api/test_workflows.py b/lib/galaxy_test/api/test_workflows.py index 36549c820015..852f9bc806a2 100644 --- a/lib/galaxy_test/api/test_workflows.py +++ b/lib/galaxy_test/api/test_workflows.py @@ -5444,6 +5444,14 @@ def test_cannot_run_against_other_users_history(self): run_workflow_response = self._post(f"workflows/{workflow_id}/invocations", data=workflow_request, json=True) self._assert_status_code_is(run_workflow_response, 403) + def test_cannot_run_workflow_as_anon(self): + workflow = self.workflow_populator.load_workflow(name="test_for_run_anon_user") + workflow_request, _, workflow_id = self._setup_workflow_run(workflow) + with self._different_user(anon=True): + run_workflow_response = self._post(f"workflows/{workflow_id}/invocations", data=workflow_request, json=True) + self._assert_status_code_is(run_workflow_response, 403) + self._assert_error_code_is(run_workflow_response, error_codes.error_codes_by_name["USER_NO_API_KEY"]) + def test_cannot_run_bootstrap_admin_workflow(self): workflow = self.workflow_populator.load_workflow(name="test_bootstrap_admin_cannot_run") workflow_request, *_ = self._setup_workflow_run(workflow)