1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
5 require 'can_be_an_owner'
8 class Group < ArvadosModel
11 include CommonApiTemplate
15 # Posgresql JSONB columns should NOT be declared as serialized, Rails 5
16 # already know how to properly treat them.
17 attribute :properties, :jsonbHash, default: {}
19 before_validation :fill_group_defaults
20 validate :ensure_filesystem_compatible_name
21 validate :check_group_class
22 before_create :assign_name
23 after_create :after_ownership_change
24 after_create :update_trash
26 before_update :before_ownership_change
27 after_update :after_ownership_change
29 after_create :add_role_manage_link
31 after_update :update_trash
32 before_destroy :clear_permissions_and_trash
34 api_accessible :user, extend: :common do |t|
45 def ensure_filesystem_compatible_name
46 # project and filter groups need filesystem-compatible names, but others
48 super if group_class == 'project' || group_class == 'filter'
52 if group_class != 'project' && group_class != 'role' && group_class != 'filter'
53 errors.add :group_class, "value must be one of 'project', 'role' or 'filter', was '#{group_class}'"
55 if group_class_changed? && !group_class_was.nil?
56 errors.add :group_class, "cannot be modified after record is created"
61 if saved_change_to_trash_at? or saved_change_to_owner_uuid?
62 # The group was added or removed from the trash.
65 # Compute project subtree, propagating trash_at to subprojects
66 # Remove groups that don't belong from trash
67 # Add/update groups that do belong in the trash
69 temptable = "group_subtree_#{rand(2**64).to_s(10)}"
70 ActiveRecord::Base.connection.exec_query %{
71 create temporary table #{temptable} on commit drop
72 as select * from project_subtree_with_trash_at($1, LEAST($2, $3)::timestamp)
74 'Group.update_trash.select',
76 [nil, TrashedGroup.find_by_group_uuid(self.owner_uuid).andand.trash_at],
79 ActiveRecord::Base.connection.exec_delete %{
80 delete from trashed_groups where group_uuid in (select target_uuid from #{temptable} where trash_at is NULL);
82 "Group.update_trash.delete"
84 ActiveRecord::Base.connection.exec_query %{
85 insert into trashed_groups (group_uuid, trash_at)
86 select target_uuid as group_uuid, trash_at from #{temptable} where trash_at is not NULL
87 on conflict (group_uuid) do update set trash_at=EXCLUDED.trash_at;
89 "Group.update_trash.insert"
93 def before_ownership_change
94 if owner_uuid_changed? and !self.owner_uuid_was.nil?
95 MaterializedPermission.where(user_uuid: owner_uuid_was, target_uuid: uuid).delete_all
96 update_permissions self.owner_uuid_was, self.uuid, REVOKE_PERM
100 def after_ownership_change
101 if saved_change_to_owner_uuid?
102 update_permissions self.owner_uuid, self.uuid, CAN_MANAGE_PERM
106 def clear_permissions_and_trash
107 MaterializedPermission.where(target_uuid: uuid).delete_all
108 ActiveRecord::Base.connection.exec_delete %{
109 delete from trashed_groups where group_uuid=$1
110 }, "Group.clear_permissions_and_trash", [[nil, self.uuid]]
115 if self.new_record? and (self.name.nil? or self.name.empty?)
116 self.name = self.uuid
121 def ensure_owner_uuid_is_permitted
122 if group_class == "role"
123 @requested_manager_uuid = nil
125 @requested_manager_uuid = owner_uuid
126 self.owner_uuid = system_user_uuid
129 if self.owner_uuid != system_user_uuid
130 raise "Owner uuid for role must be system user"
132 raise PermissionDeniedError unless current_user.can?(manage: uuid)
139 def add_role_manage_link
140 if group_class == "role" && @requested_manager_uuid
141 act_as_system_user do
142 Link.create!(tail_uuid: @requested_manager_uuid,
143 head_uuid: self.uuid,
144 link_class: "permission",