services/api/app/models/group.rb

   1 # Copyright (C) The Arvados Authors. All rights reserved.
   2 #
   3 # SPDX-License-Identifier: AGPL-3.0
   4
   5 require 'can_be_an_owner'
   6 require 'trashable'
   7
   8 class Group < ArvadosModel
   9   include HasUuid
  10   include KindAndEtag
  11   include CommonApiTemplate
  12   include CanBeAnOwner
  13   include Trashable
  14
  15   # Posgresql JSONB columns should NOT be declared as serialized, Rails 5
  16   # already know how to properly treat them.
  17   attribute :properties, :jsonbHash, default: {}
  18
  19   before_validation :fill_group_defaults
  20   validate :ensure_filesystem_compatible_name
  21   validate :check_group_class
  22   before_create :assign_name
  23   after_create :after_ownership_change
  24   after_create :update_trash
  25
  26   before_update :before_ownership_change
  27   after_update :after_ownership_change
  28
  29   after_create :add_role_manage_link
  30
  31   after_update :update_trash
  32   before_destroy :clear_permissions_and_trash
  33
  34   api_accessible :user, extend: :common do |t|
  35     t.add :name
  36     t.add :group_class
  37     t.add :description
  38     t.add :writable_by
  39     t.add :delete_at
  40     t.add :trash_at
  41     t.add :is_trashed
  42     t.add :properties
  43   end
  44
  45   def ensure_filesystem_compatible_name
  46     # project and filter groups need filesystem-compatible names, but others
  47     # don't.
  48     super if group_class == 'project' || group_class == 'filter'
  49   end
  50
  51   def check_group_class
  52     if group_class != 'project' && group_class != 'role' && group_class != 'filter'
  53       errors.add :group_class, "value must be one of 'project', 'role' or 'filter', was '#{group_class}'"
  54     end
  55     if group_class_changed? && !group_class_was.nil?
  56       errors.add :group_class, "cannot be modified after record is created"
  57     end
  58   end
  59
  60   def update_trash
  61     if saved_change_to_trash_at? or saved_change_to_owner_uuid?
  62       # The group was added or removed from the trash.
  63       #
  64       # Strategy:
  65       #   Compute project subtree, propagating trash_at to subprojects
  66       #   Remove groups that don't belong from trash
  67       #   Add/update groups that do belong in the trash
  68
  69       temptable = "group_subtree_#{rand(2**64).to_s(10)}"
  70       ActiveRecord::Base.connection.exec_query %{
  71 create temporary table #{temptable} on commit drop
  72 as select * from project_subtree_with_trash_at($1, LEAST($2, $3)::timestamp)
  73 },
  74                                                'Group.update_trash.select',
  75                                                [[nil, self.uuid],
  76                                                 [nil, TrashedGroup.find_by_group_uuid(self.owner_uuid).andand.trash_at],
  77                                                 [nil, self.trash_at]]
  78
  79       ActiveRecord::Base.connection.exec_delete %{
  80 delete from trashed_groups where group_uuid in (select target_uuid from #{temptable} where trash_at is NULL);
  81 },
  82                                             "Group.update_trash.delete"
  83
  84       ActiveRecord::Base.connection.exec_query %{
  85 insert into trashed_groups (group_uuid, trash_at)
  86   select target_uuid as group_uuid, trash_at from #{temptable} where trash_at is not NULL
  87 on conflict (group_uuid) do update set trash_at=EXCLUDED.trash_at;
  88 },
  89                                             "Group.update_trash.insert"
  90     end
  91   end
  92
  93   def before_ownership_change
  94     if owner_uuid_changed? and !self.owner_uuid_was.nil?
  95       MaterializedPermission.where(user_uuid: owner_uuid_was, target_uuid: uuid).delete_all
  96       update_permissions self.owner_uuid_was, self.uuid, REVOKE_PERM
  97     end
  98   end
  99
 100   def after_ownership_change
 101     if saved_change_to_owner_uuid?
 102       update_permissions self.owner_uuid, self.uuid, CAN_MANAGE_PERM
 103     end
 104   end
 105
 106   def clear_permissions_and_trash
 107     MaterializedPermission.where(target_uuid: uuid).delete_all
 108     ActiveRecord::Base.connection.exec_delete %{
 109 delete from trashed_groups where group_uuid=$1
 110 }, "Group.clear_permissions_and_trash", [[nil, self.uuid]]
 111
 112   end
 113
 114   def assign_name
 115     if self.new_record? and (self.name.nil? or self.name.empty?)
 116       self.name = self.uuid
 117     end
 118     true
 119   end
 120
 121   def ensure_owner_uuid_is_permitted
 122     if group_class == "role"
 123       @requested_manager_uuid = nil
 124       if new_record?
 125         @requested_manager_uuid = owner_uuid
 126         self.owner_uuid = system_user_uuid
 127         return true
 128       end
 129       if self.owner_uuid != system_user_uuid
 130         raise "Owner uuid for role must be system user"
 131       end
 132       raise PermissionDeniedError unless current_user.can?(manage: uuid)
 133       true
 134     else
 135       super
 136     end
 137   end
 138
 139   def add_role_manage_link
 140     if group_class == "role" && @requested_manager_uuid
 141       act_as_system_user do
 142        Link.create!(tail_uuid: @requested_manager_uuid,
 143                     head_uuid: self.uuid,
 144                     link_class: "permission",
 145                     name: "can_manage")
 146       end
 147     end
 148   end
 149 end