1 class Link < ArvadosModel
4 include CommonApiTemplate
5 serialize :properties, Hash
6 before_create :permission_to_attach_to_objects
7 before_update :permission_to_attach_to_objects
8 after_update :maybe_invalidate_permissions_cache
9 after_create :maybe_invalidate_permissions_cache
10 after_destroy :maybe_invalidate_permissions_cache
12 api_accessible :user, extend: :common do |t|
23 @properties ||= Hash.new
28 if k = ArvadosModel::resource_class_for_uuid(head_uuid)
34 if k = ArvadosModel::resource_class_for_uuid(tail_uuid)
41 def permission_to_attach_to_objects
42 # Anonymous users cannot write links
43 return false if !current_user
45 # All users can write links that don't affect permissions
46 return true if self.link_class != 'permission'
48 # Administrators can grant permissions
49 return true if current_user.is_admin
51 # All users can grant permissions on objects they own
52 head_obj = self.class.
53 kind_class(self.head_uuid).
54 where('uuid=?',head_uuid).
57 return true if head_obj.owner_uuid == current_user.uuid
60 # Users with "can_grant" permission on an object can grant
61 # permissions on that object
62 has_grant_permission = self.class.
63 where('link_class=? AND name=? AND tail_uuid=? AND head_uuid=?',
64 'permission', 'can_grant', current_user.uuid, self.head_uuid).
66 return true if has_grant_permission
72 def maybe_invalidate_permissions_cache
73 if self.link_class == 'permission'
74 # Clearing the entire permissions cache can generate many
75 # unnecessary queries if many active users are not affected by
76 # this change. In such cases it would be better to search cached
77 # permissions for head_uuid and tail_uuid, and invalidate the
78 # cache for only those users. (This would require a browseable
80 User.invalidate_permissions_cache