services/api/app/models/user.rb

   1 class User < ArvadosModel
   2   include AssignUuid
   3   include KindAndEtag
   4   include CommonApiTemplate
   5   serialize :prefs, Hash
   6   has_many :api_client_authorizations
   7   before_update :prevent_privilege_escalation
   8
   9   api_accessible :superuser, :extend => :common do |t|
  10     t.add :email
  11     t.add :full_name
  12     t.add :first_name
  13     t.add :last_name
  14     t.add :identity_url
  15     t.add :is_admin
  16     t.add :prefs
  17   end
  18
  19   ALL_PERMISSIONS = {read: true, write: true, manage: true}
  20
  21   def full_name
  22     "#{first_name} #{last_name}"
  23   end
  24
  25   def groups_i_can(verb)
  26     self.group_permissions.select { |uuid, mask| mask[verb] }.keys
  27   end
  28
  29   def can?(actions)
  30     actions.each do |action, target|
  31       target_uuid = target
  32       if target.respond_to? :uuid
  33         target_uuid = target.uuid
  34       end
  35       next if target_uuid == self.uuid
  36       next if (group_permissions[target_uuid] and
  37                group_permissions[target_uuid][action])
  38       if target.respond_to? :owner
  39         next if target.owner == self.uuid
  40         next if (group_permissions[target.owner] and
  41                  group_permissions[target.owner][action])
  42       end
  43       return false
  44     end
  45     true
  46   end
  47
  48   def self.invalidate_permissions_cache
  49     Rails.cache.delete_matched(/^groups_for_user_/)
  50   end
  51
  52   protected
  53
  54   def permission_to_create
  55     Thread.current[:user] == self or
  56       (Thread.current[:user] and Thread.current[:user].is_admin)
  57   end
  58
  59   def prevent_privilege_escalation
  60     if self.is_admin_changed? and !current_user.is_admin
  61       if current_user.uuid == self.uuid
  62         if self.is_admin != self.is_admin_was
  63           logger.warn "User #{self.uuid} tried to change is_admin from #{self.is_admin_was} to #{self.is_admin}"
  64           self.is_admin = self.is_admin_was
  65         end
  66       end
  67     end
  68     true
  69   end
  70
  71   def group_permissions
  72     Rails.cache.fetch "groups_for_user_#{self.uuid}" do
  73       permissions_from = {}
  74       todo = {self.uuid => true}
  75       done = {}
  76       while !todo.empty?
  77         lookup_uuids = todo.keys
  78         lookup_uuids.each do |uuid| done[uuid] = true end
  79         todo = {}
  80         Link.where('tail_uuid in (?) and link_class = ? and head_kind = ?',
  81                    lookup_uuids,
  82                    'permission',
  83                    'arvados#group').each do |link|
  84           unless done.has_key? link.head_uuid
  85             todo[link.head_uuid] = true
  86           end
  87           link_permissions = {}
  88           case link.name
  89           when 'can_read'
  90             link_permissions = {read:true}
  91           when 'can_write'
  92             link_permissions = {read:true,write:true}
  93           when 'can_manage'
  94             link_permissions = ALL_PERMISSIONS
  95           end
  96           permissions_from[link.tail_uuid] ||= {}
  97           permissions_from[link.tail_uuid][link.head_uuid] ||= {}
  98           link_permissions.each do |k,v|
  99             permissions_from[link.tail_uuid][link.head_uuid][k] ||= v
 100           end
 101         end
 102       end
 103       search_permissions(self.uuid, permissions_from)
 104     end
 105   end
 106
 107   def search_permissions(start, graph, merged={}, upstream_mask=nil, upstream_path={})
 108     nextpaths = graph[start]
 109     return merged if !nextpaths
 110     return merged if upstream_path.has_key? start
 111     upstream_path[start] = true
 112     upstream_mask ||= ALL_PERMISSIONS
 113     nextpaths.each do |head, mask|
 114       merged[head] ||= {}
 115       mask.each do |k,v|
 116         merged[head][k] ||= v if upstream_mask[k]
 117       end
 118       search_permissions(head, graph, merged, upstream_mask.select { |k,v| v && merged[head][k] }, upstream_path)
 119     end
 120     upstream_path.delete start
 121     merged
 122   end
 123 end