projects / arvados.git / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
18691: Fix wrong column name in clear_permissions.
[arvados.git] / services / api / app / models / group.rb
1 # Copyright (C) The Arvados Authors. All rights reserved.
2 #
3 # SPDX-License-Identifier: AGPL-3.0
4
5 require 'can_be_an_owner'
6 require 'trashable'
7
8 class Group < ArvadosModel
9   include HasUuid
10   include KindAndEtag
11   include CommonApiTemplate
12   include CanBeAnOwner
13   include Trashable
14
15   # Posgresql JSONB columns should NOT be declared as serialized, Rails 5
16   # already know how to properly treat them.
17   attribute :properties, :jsonbHash, default: {}
18
19   validate :ensure_filesystem_compatible_name
20   validate :check_group_class
21   validate :check_filter_group_filters
22   validate :check_frozen_state_change_allowed
23   before_create :assign_name
24   after_create :after_ownership_change
25   after_create :update_trash
26   after_create :update_frozen
27
28   before_update :before_ownership_change
29   after_update :after_ownership_change
30
31   after_create :add_role_manage_link
32
33   after_update :update_trash
34   after_update :update_frozen
35   before_destroy :clear_permissions_trash_frozen
36
37   api_accessible :user, extend: :common do |t|
38     t.add :name
39     t.add :group_class
40     t.add :description
41     t.add :writable_by
42     t.add :delete_at
43     t.add :trash_at
44     t.add :is_trashed
45     t.add :properties
46     t.add :frozen_by_uuid
47   end
48
49   def ensure_filesystem_compatible_name
50     # project and filter groups need filesystem-compatible names, but others
51     # don't.
52     super if group_class == 'project' || group_class == 'filter'
53   end
54
55   def check_group_class
56     if group_class != 'project' && group_class != 'role' && group_class != 'filter'
57       errors.add :group_class, "value must be one of 'project', 'role' or 'filter', was '#{group_class}'"
58     end
59     if group_class_changed? && !group_class_was.nil?
60       errors.add :group_class, "cannot be modified after record is created"
61     end
62   end
63
64   def check_filter_group_filters
65     if group_class == 'filter'
66       if !self.properties.key?("filters")
67         errors.add :properties, "filters property missing, it must be an array of arrays, each with 3 elements"
68         return
69       end
70       if !self.properties["filters"].is_a?(Array)
71         errors.add :properties, "filters property must be an array of arrays, each with 3 elements"
72         return
73       end
74       self.properties["filters"].each do |filter|
75         if !filter.is_a?(Array)
76           errors.add :properties, "filters property must be an array of arrays, each with 3 elements"
77           return
78         end
79         if filter.length() != 3
80           errors.add :properties, "filters property must be an array of arrays, each with 3 elements"
81           return
82         end
83         if !filter[0].include?(".") and filter[0].downcase != "uuid"
84           errors.add :properties, "filter attribute must be 'uuid' or contain a dot (e.g. groups.name)"
85           return
86         end
87         if (filter[0].downcase != "uuid" and filter[1].downcase == "is_a")
88           errors.add :properties, "when filter operator is 'is_a', attribute must be 'uuid'"
89           return
90         end
91         if ! ["=","<","<=",">",">=","!=","like","ilike","in","not in","is_a","exists","contains"].include?(filter[1].downcase)
92           errors.add :properties, "filter operator is not valid (must be =,<,<=,>,>=,!=,like,ilike,in,not in,is_a,exists,contains)"
93           return
94         end
95       end
96     end
97   end
98
99   def check_frozen_state_change_allowed
100     if frozen_by_uuid == ""
101       self.frozen_by_uuid = nil
102     end
103     if frozen_by_uuid_changed? || (new_record? && frozen_by_uuid)
104       if group_class != "project"
105         errors.add(:frozen_by_uuid, "cannot be modified on a non-project group")
106         return
107       end
108       if frozen_by_uuid_was && Rails.configuration.API.UnfreezeProjectRequiresAdmin && !current_user.is_admin
109         errors.add(:frozen_by_uuid, "can only be changed by an admin user, once set")
110         return
111       end
112       if frozen_by_uuid && frozen_by_uuid != current_user.uuid
113         errors.add(:frozen_by_uuid, "can only be set to the current user's UUID")
114         return
115       end
116       if !new_record? && !current_user.can?(manage: uuid)
117         raise PermissionDeniedError
118       end
119       if frozen_by_uuid_was.nil?
120         if Rails.configuration.API.FreezeProjectRequiresDescription && !attribute_present?(:description)
121           errors.add(:frozen_by_uuid, "can only be set if description is non-empty")
122         end
123         Rails.configuration.API.FreezeProjectRequiresProperties.andand.each do |key, _|
124           key = key.to_s
125           if !properties[key] || properties[key] == ""
126             errors.add(:frozen_by_uuid, "can only be set if properties[#{key}] value is non-empty")
127           end
128         end
129       end
130     end
131   end
132
133   def update_trash
134     if saved_change_to_trash_at? or saved_change_to_owner_uuid?
135       # The group was added or removed from the trash.
136       #
137       # Strategy:
138       #   Compute project subtree, propagating trash_at to subprojects
139       #   Remove groups that don't belong from trash
140       #   Add/update groups that do belong in the trash
141
142       temptable = "group_subtree_#{rand(2**64).to_s(10)}"
143       ActiveRecord::Base.connection.exec_query %{
144 create temporary table #{temptable} on commit drop
145 as select * from project_subtree_with_trash_at($1, LEAST($2, $3)::timestamp)
146 },
147                                                'Group.update_trash.select',
148                                                [[nil, self.uuid],
149                                                 [nil, TrashedGroup.find_by_group_uuid(self.owner_uuid).andand.trash_at],
150                                                 [nil, self.trash_at]]
151
152       ActiveRecord::Base.connection.exec_delete %{
153 delete from trashed_groups where group_uuid in (select target_uuid from #{temptable} where trash_at is NULL);
154 },
155                                             "Group.update_trash.delete"
156
157       ActiveRecord::Base.connection.exec_query %{
158 insert into trashed_groups (group_uuid, trash_at)
159   select target_uuid as group_uuid, trash_at from #{temptable} where trash_at is not NULL
160 on conflict (group_uuid) do update set trash_at=EXCLUDED.trash_at;
161 },
162                                             "Group.update_trash.insert"
163     end
164   end
165
166   def update_frozen
167     return unless saved_change_to_frozen_by_uuid? || saved_change_to_owner_uuid?
168     temptable = "group_subtree_#{rand(2**64).to_s(10)}"
169     ActiveRecord::Base.connection.exec_query(
170       "create temporary table #{temptable} on commit drop as select * from project_subtree_with_is_frozen($1,$2)",
171       "Group.update_frozen.select",
172       [[nil, self.uuid],
173        [nil, !self.frozen_by_uuid.nil?]])
174     ActiveRecord::Base.connection.exec_delete(
175       "delete from frozen_groups where uuid in (select uuid from #{temptable} where not is_frozen)",
176       "Group.update_frozen.delete")
177     ActiveRecord::Base.connection.exec_query(
178       "insert into frozen_groups (uuid) select uuid from #{temptable} where is_frozen on conflict do nothing",
179       "Group.update_frozen.insert")
180   end
181
182   def before_ownership_change
183     if owner_uuid_changed? and !self.owner_uuid_was.nil?
184       MaterializedPermission.where(user_uuid: owner_uuid_was, target_uuid: uuid).delete_all
185       update_permissions self.owner_uuid_was, self.uuid, REVOKE_PERM
186     end
187   end
188
189   def after_ownership_change
190     if saved_change_to_owner_uuid?
191       update_permissions self.owner_uuid, self.uuid, CAN_MANAGE_PERM
192     end
193   end
194
195   def clear_permissions_trash_frozen
196     MaterializedPermission.where(target_uuid: uuid).delete_all
197     ActiveRecord::Base.connection.exec_delete(
198       "delete from trashed_groups where group_uuid=$1",
199       "Group.clear_permissions_trash_frozen",
200       [[nil, self.uuid]])
201     ActiveRecord::Base.connection.exec_delete(
202       "delete from frozen_groups where uuid=$1",
203       "Group.clear_permissions_trash_frozen",
204       [[nil, self.uuid]])
205   end
206
207   def assign_name
208     if self.new_record? and (self.name.nil? or self.name.empty?)
209       self.name = self.uuid
210     end
211     true
212   end
213
214   def ensure_owner_uuid_is_permitted
215     if group_class == "role"
216       @requested_manager_uuid = nil
217       if new_record?
218         @requested_manager_uuid = owner_uuid
219         self.owner_uuid = system_user_uuid
220         return true
221       end
222       if self.owner_uuid != system_user_uuid
223         raise "Owner uuid for role must be system user"
224       end
225       raise PermissionDeniedError unless current_user.can?(manage: uuid)
226       true
227     else
228       super
229     end
230   end
231
232   def add_role_manage_link
233     if group_class == "role" && @requested_manager_uuid
234       act_as_system_user do
235        Link.create!(tail_uuid: @requested_manager_uuid,
236                     head_uuid: self.uuid,
237                     link_class: "permission",
238                     name: "can_manage")
239       end
240     end
241   end
242
243   def permission_to_update
244     if !super
245       return false
246     elsif frozen_by_uuid && frozen_by_uuid_in_database
247       errors.add :uuid, "#{uuid} is frozen and cannot be modified"
248       return false
249     else
250       return true
251     end
252   end
253 end