1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
5 require 'can_be_an_owner'
8 class Group < ArvadosModel
11 include CommonApiTemplate
15 # Posgresql JSONB columns should NOT be declared as serialized, Rails 5
16 # already know how to properly treat them.
17 attribute :properties, :jsonbHash, default: {}
19 validate :ensure_filesystem_compatible_name
20 validate :check_group_class
21 validate :check_filter_group_filters
22 validate :check_frozen_state_change_allowed
23 before_create :assign_name
24 after_create :after_ownership_change
25 after_create :update_trash
27 before_update :before_ownership_change
28 after_update :after_ownership_change
30 after_create :add_role_manage_link
32 after_update :update_trash
33 before_destroy :clear_permissions_and_trash
35 api_accessible :user, extend: :common do |t|
47 def ensure_filesystem_compatible_name
48 # project and filter groups need filesystem-compatible names, but others
50 super if group_class == 'project' || group_class == 'filter'
54 if group_class != 'project' && group_class != 'role' && group_class != 'filter'
55 errors.add :group_class, "value must be one of 'project', 'role' or 'filter', was '#{group_class}'"
57 if group_class_changed? && !group_class_was.nil?
58 errors.add :group_class, "cannot be modified after record is created"
62 def check_filter_group_filters
63 if group_class == 'filter'
64 if !self.properties.key?("filters")
65 errors.add :properties, "filters property missing, it must be an array of arrays, each with 3 elements"
68 if !self.properties["filters"].is_a?(Array)
69 errors.add :properties, "filters property must be an array of arrays, each with 3 elements"
72 self.properties["filters"].each do |filter|
73 if !filter.is_a?(Array)
74 errors.add :properties, "filters property must be an array of arrays, each with 3 elements"
77 if filter.length() != 3
78 errors.add :properties, "filters property must be an array of arrays, each with 3 elements"
81 if !filter[0].include?(".") and filter[0].downcase != "uuid"
82 errors.add :properties, "filter attribute must be 'uuid' or contain a dot (e.g. groups.name)"
85 if (filter[0].downcase != "uuid" and filter[1].downcase == "is_a")
86 errors.add :properties, "when filter operator is 'is_a', attribute must be 'uuid'"
89 if ! ["=","<","<=",">",">=","!=","like","ilike","in","not in","is_a","exists","contains"].include?(filter[1].downcase)
90 errors.add :properties, "filter operator is not valid (must be =,<,<=,>,>=,!=,like,ilike,in,not in,is_a,exists,contains)"
97 def check_frozen_state_change_allowed
98 if frozen_by_uuid == ""
99 self.frozen_by_uuid = nil
101 if frozen_by_uuid_changed? || (new_record? && frozen_by_uuid)
102 if group_class != "project"
103 errors.add(:frozen_by_uuid, "cannot be modified on a non-project group")
106 if frozen_by_uuid_was && Rails.configuration.API.UnfreezeProjectRequiresAdmin && !current_user.is_admin
107 errors.add(:frozen_by_uuid, "can only be changed by an admin user, once set")
110 if frozen_by_uuid && frozen_by_uuid != current_user.uuid
111 errors.add(:frozen_by_uuid, "can only be set to the current user's UUID")
114 if !new_record? && !current_user.can?(manage: uuid)
115 raise PermissionDeniedError
117 if frozen_by_uuid_was.nil?
118 if Rails.configuration.API.FreezeProjectRequiresDescription && !attribute_present?(:description)
119 errors.add(:frozen_by_uuid, "can only be set if description is non-empty")
121 Rails.configuration.API.FreezeProjectRequiresProperties.andand.each do |key, _|
123 if !properties[key] || properties[key] == ""
124 errors.add(:frozen_by_uuid, "can only be set if properties[#{key}] value is non-empty")
132 if saved_change_to_trash_at? or saved_change_to_owner_uuid?
133 # The group was added or removed from the trash.
136 # Compute project subtree, propagating trash_at to subprojects
137 # Remove groups that don't belong from trash
138 # Add/update groups that do belong in the trash
140 temptable = "group_subtree_#{rand(2**64).to_s(10)}"
141 ActiveRecord::Base.connection.exec_query %{
142 create temporary table #{temptable} on commit drop
143 as select * from project_subtree_with_trash_at($1, LEAST($2, $3)::timestamp)
145 'Group.update_trash.select',
147 [nil, TrashedGroup.find_by_group_uuid(self.owner_uuid).andand.trash_at],
148 [nil, self.trash_at]]
150 ActiveRecord::Base.connection.exec_delete %{
151 delete from trashed_groups where group_uuid in (select target_uuid from #{temptable} where trash_at is NULL);
153 "Group.update_trash.delete"
155 ActiveRecord::Base.connection.exec_query %{
156 insert into trashed_groups (group_uuid, trash_at)
157 select target_uuid as group_uuid, trash_at from #{temptable} where trash_at is not NULL
158 on conflict (group_uuid) do update set trash_at=EXCLUDED.trash_at;
160 "Group.update_trash.insert"
164 def before_ownership_change
165 if owner_uuid_changed? and !self.owner_uuid_was.nil?
166 MaterializedPermission.where(user_uuid: owner_uuid_was, target_uuid: uuid).delete_all
167 update_permissions self.owner_uuid_was, self.uuid, REVOKE_PERM
171 def after_ownership_change
172 if saved_change_to_owner_uuid?
173 update_permissions self.owner_uuid, self.uuid, CAN_MANAGE_PERM
177 def clear_permissions_and_trash
178 MaterializedPermission.where(target_uuid: uuid).delete_all
179 ActiveRecord::Base.connection.exec_delete %{
180 delete from trashed_groups where group_uuid=$1
181 }, "Group.clear_permissions_and_trash", [[nil, self.uuid]]
186 if self.new_record? and (self.name.nil? or self.name.empty?)
187 self.name = self.uuid
192 def ensure_owner_uuid_is_permitted
193 if group_class == "role"
194 @requested_manager_uuid = nil
196 @requested_manager_uuid = owner_uuid
197 self.owner_uuid = system_user_uuid
200 if self.owner_uuid != system_user_uuid
201 raise "Owner uuid for role must be system user"
203 raise PermissionDeniedError unless current_user.can?(manage: uuid)
210 def add_role_manage_link
211 if group_class == "role" && @requested_manager_uuid
212 act_as_system_user do
213 Link.create!(tail_uuid: @requested_manager_uuid,
214 head_uuid: self.uuid,
215 link_class: "permission",