1 class Link < ArvadosModel
4 include CommonApiTemplate
5 serialize :properties, Hash
6 before_create :permission_to_attach_to_objects
7 before_update :permission_to_attach_to_objects
8 after_update :maybe_invalidate_permissions_cache
9 after_create :maybe_invalidate_permissions_cache
10 after_destroy :maybe_invalidate_permissions_cache
11 attr_accessor :head_kind, :tail_kind
13 api_accessible :user, extend: :common do |t|
24 @properties ||= Hash.new
29 if k = ArvadosModel::resource_class_for_uuid(head_uuid)
35 if k = ArvadosModel::resource_class_for_uuid(tail_uuid)
42 def permission_to_attach_to_objects
43 # Anonymous users cannot write links
44 return false if !current_user
46 # All users can write links that don't affect permissions
47 return true if self.link_class != 'permission'
49 # Administrators can grant permissions
50 return true if current_user.is_admin
52 # All users can grant permissions on objects they own
53 head_obj = self.class.
54 kind_class(self.head_uuid).
55 where('uuid=?',head_uuid).
58 return true if head_obj.owner_uuid == current_user.uuid
61 # Users with "can_grant" permission on an object can grant
62 # permissions on that object
63 has_grant_permission = self.class.
64 where('link_class=? AND name=? AND tail_uuid=? AND head_uuid=?',
65 'permission', 'can_grant', current_user.uuid, self.head_uuid).
67 return true if has_grant_permission
73 def maybe_invalidate_permissions_cache
74 if self.link_class == 'permission'
75 # Clearing the entire permissions cache can generate many
76 # unnecessary queries if many active users are not affected by
77 # this change. In such cases it would be better to search cached
78 # permissions for head_uuid and tail_uuid, and invalidate the
79 # cache for only those users. (This would require a browseable
81 User.invalidate_permissions_cache