1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
7 class Arvados::V1::GroupsController < ApplicationController
8 include TrashableController
10 skip_before_action :find_object_by_uuid, only: :shared
11 skip_before_action :render_404_if_no_object, only: :shared
13 def self._index_requires_parameters
17 type: 'boolean', required: false, default: false, description: "Include items whose is_trashed attribute is true.",
22 def self._show_requires_parameters
26 type: 'boolean', required: false, default: false, description: "Show group/project even if its is_trashed attribute is true.",
31 def self._contents_requires_parameters
32 params = _index_requires_parameters.
35 type: 'string', required: false, default: nil,
38 type: 'boolean', required: false, default: false, description: 'Include contents from child groups recursively.',
41 type: 'string', required: false, description: 'Include objects referred to by listed field in "included" (only owner_uuid).',
43 include_old_versions: {
44 type: 'boolean', required: false, default: false, description: 'Include past collection versions.',
47 params.delete(:select)
51 def self._create_requires_parameters
59 description: 'defer permissions update',
65 def self._update_requires_parameters
73 description: 'defer permissions update',
81 @object = model_class.new(resource_attrs.merge({async_permissions_update: true}))
91 attrs_to_update = resource_attrs.reject { |k, v|
92 [:kind, :etag, :href].index k
93 }.merge({async_permissions_update: true})
94 @object.update_attributes!(attrs_to_update)
102 def render_404_if_no_object
103 if params[:action] == 'contents'
111 elsif (@object = User.where(uuid: params[:uuid]).first)
112 # "Home" pseudo-project
123 load_searchable_objects
125 :kind => "arvados#objectList",
130 :items_available => @items_available,
131 :items => @objects.as_api_response(nil)
134 list[:included] = @extra_included.as_api_response(nil, {select: @select})
140 # The purpose of this endpoint is to return the toplevel set of
141 # groups which are *not* reachable through a direct ownership
142 # chain of projects starting from the current user account. In
143 # other words, groups which to which access was granted via a
144 # permission link or chain of links.
146 # This also returns (in the "included" field) the objects that own
147 # those projects (users or non-project groups).
150 # The intended use of this endpoint is to support clients which
151 # wish to browse those projects which are visible to the user but
152 # are not part of the "home" project.
154 load_limit_offset_order_params
157 @objects = exclude_home Group.readable_by(*@read_users), Group
159 apply_where_limit_order_params
161 if params["include"] == "owner_uuid"
162 owners = @objects.map(&:owner_uuid).to_set
164 [Group, User].each do |klass|
165 @extra_included += klass.readable_by(*@read_users).where(uuid: owners.to_a).to_a
172 def self._shared_requires_parameters
173 rp = self._index_requires_parameters
174 rp[:include] = { type: 'string', required: false }
180 def load_searchable_objects
184 # Reload the orders param, this time without prefixing unqualified
185 # columns ("name" => "groups.name"). Here, unqualified orders
186 # apply to each table being searched, not "groups".
187 load_limit_offset_order_params(fill_table_names: false)
189 # Trick apply_where_limit_order_params into applying suitable
190 # per-table values. *_all are the real ones we'll apply to the
194 # save the orders from the current request as determined by load_param,
195 # but otherwise discard them because we're going to be getting objects
197 request_orders = @orders.clone
200 request_filters = @filters
203 Job, PipelineInstance, PipelineTemplate, ContainerRequest, Workflow,
205 Human, Specimen, Trait]
207 table_names = Hash[klasses.collect { |k| [k, k.table_name] }]
209 disabled_methods = Rails.configuration.API.DisabledAPIs
210 avail_klasses = table_names.select{|k, t| !disabled_methods[t+'.index']}
211 klasses = avail_klasses.keys
213 request_filters.each do |col, op, val|
214 if col.index('.') && !table_names.values.include?(col.split('.', 2)[0])
215 raise ArgumentError.new("Invalid attribute '#{col}' in filter")
220 request_filters.each do |col,op,val|
222 (val.is_a?(Array) ? val : [val]).each do |type|
223 type = type.split('#')[-1]
224 type[0] = type[0].capitalize
225 wanted_klasses << type
230 # filter groups need to be limited to those classes mentioned in the filters
231 # @object can also be a User object (virtual home project)
232 if @object and @object.is_a?(Group) and @object.group_class == "filter"
233 if request_filters.length() == 0
234 raise ArgumentError.new("Filter group needs to have filters defined")
236 request_filters.each do |col, op, val|
238 col = col.split('.')[0]
239 col = col.capitalize.sub(/s$/,'')
240 wanted_klasses << col
247 # filter groups should not have an owner_uuid filter applied
248 if ! @object.is_a?(Group) or (@object.is_a?(Group) and @object.group_class != "filter")
249 if params['recursive']
250 filter_by_owner[:owner_uuid] = [@object.uuid] + @object.descendant_project_uuids
252 filter_by_owner[:owner_uuid] = @object.uuid
256 if params['exclude_home_project']
257 raise ArgumentError.new "Cannot use 'exclude_home_project' with a parent object"
261 included_by_uuid = {}
263 seen_last_class = false
264 klasses.each do |klass|
265 @offset = 0 if seen_last_class # reset offset for the new next type being processed
267 # if current klass is same as params['last_object_class'], mark that fact
268 seen_last_class = true if((params['count'].andand.==('none')) and
269 (params['last_object_class'].nil? or
270 params['last_object_class'].empty? or
271 params['last_object_class'] == klass.to_s))
273 # if klasses are specified, skip all other klass types
274 next if wanted_klasses.any? and !wanted_klasses.include?(klass.to_s)
276 # don't reprocess klass types that were already seen
277 next if params['count'] == 'none' and !seen_last_class
279 # don't process rest of object types if we already have needed number of objects
280 break if params['count'] == 'none' and all_objects.size >= limit_all
282 # If the currently requested orders specifically match the
283 # table_name for the current klass, apply that order.
284 # Otherwise, order by recency.
286 request_orders.andand.find { |r| r =~ /^#{klass.table_name}\./i || r !~ /\./ } ||
287 klass.default_orders.join(", ")
290 where_conds = filter_by_owner
291 if klass == Collection
292 @select = klass.selectable_attributes - ["manifest_text", "unsigned_manifest_text"]
294 where_conds = where_conds.merge(group_class: "project")
297 @filters = request_filters.map do |col, op, val|
300 elsif (col = col.split('.', 2))[0] == klass.table_name
307 @objects = klass.readable_by(*@read_users, {
308 :include_trash => params[:include_trash],
309 :include_old_versions => params[:include_old_versions]
310 }).order(request_order).where(where_conds)
312 if params['exclude_home_project']
313 @objects = exclude_home @objects, klass
316 klass_limit = limit_all - all_objects.count
318 apply_where_limit_order_params klass
319 klass_object_list = object_list(model_class: klass)
320 klass_items_available = klass_object_list[:items_available] || 0
321 @items_available += klass_items_available
322 @offset = [@offset - klass_items_available, 0].max
323 all_objects += klass_object_list[:items]
325 if klass_object_list[:limit] < klass_limit
326 # object_list() had to reduce @limit to comply with
327 # max_index_database_read. From now on, we'll do all queries
328 # with limit=0 and just accumulate items_available.
329 limit_all = all_objects.count
332 if params["include"] == "owner_uuid"
333 owners = klass_object_list[:items].map {|i| i[:owner_uuid]}.to_set
334 [Group, User].each do |ownerklass|
335 ownerklass.readable_by(*@read_users).where(uuid: owners.to_a).each do |ow|
336 included_by_uuid[ow.uuid] = ow
343 @extra_included = included_by_uuid.values
346 @objects = all_objects
353 def exclude_home objectlist, klass
354 # select records that are readable by current user AND
355 # the owner_uuid is a user (but not the current user) OR
356 # the owner_uuid is not readable by the current user
357 # the owner_uuid is a group but group_class is not a project
359 read_parent_check = if current_user.is_admin
362 "NOT EXISTS(SELECT 1 FROM #{PERMISSION_VIEW} WHERE "+
363 "user_uuid=(:user_uuid) AND target_uuid=#{klass.table_name}.owner_uuid AND perm_level >= 1) OR "
366 objectlist.where("#{klass.table_name}.owner_uuid IN (SELECT users.uuid FROM users WHERE users.uuid != (:user_uuid)) OR "+
368 "EXISTS(SELECT 1 FROM groups as gp where gp.uuid=#{klass.table_name}.owner_uuid and gp.group_class != 'project')",
369 user_uuid: current_user.uuid)