app/models/user.rb

   1 class User < OrvosModel
   2   include AssignUuid
   3   include KindAndEtag
   4   include CommonApiTemplate
   5   serialize :prefs, Hash
   6   has_many :api_client_authorizations
   7   before_update :prevent_privilege_escalation
   8
   9   api_accessible :superuser, :extend => :common do |t|
  10     t.add :email
  11     t.add :full_name
  12     t.add :first_name
  13     t.add :last_name
  14     t.add :identity_url
  15     t.add :is_admin
  16     t.add :prefs
  17   end
  18
  19   ALL_PERMISSIONS = {read: true, write: true, manage: true}
  20
  21   def full_name
  22     "#{first_name} #{last_name}"
  23   end
  24
  25   def groups_i_can(verb)
  26     self.group_permissions.select { |uuid, mask| mask[verb] }.keys
  27   end
  28
  29   def self.invalidate_permissions_cache
  30     Rails.cache.delete_matched(/^groups_for_user_/)
  31   end
  32
  33   protected
  34
  35   def permission_to_create
  36     Thread.current[:user] == self or
  37       (Thread.current[:user] and Thread.current[:user].is_admin)
  38   end
  39
  40   def prevent_privilege_escalation
  41     if self.is_admin_changed? and !current_user.is_admin
  42       if current_user.uuid == self.uuid
  43         if self.is_admin != self.is_admin_was
  44           logger.warn "User #{self.uuid} tried to change is_admin from #{self.is_admin_was} to #{self.is_admin}"
  45           self.is_admin = self.is_admin_was
  46         end
  47       end
  48     end
  49     true
  50   end
  51
  52   def group_permissions
  53     Rails.cache.fetch "groups_for_user_#{current_user.uuid}" do
  54       permissions_from = {}
  55       todo = {self.uuid => true}
  56       done = {}
  57       while !todo.empty?
  58         lookup_uuids = todo.keys
  59         lookup_uuids.each do |uuid| done[uuid] = true end
  60         todo = {}
  61         Link.where('tail_uuid in (?) and link_class = ? and head_kind = ?',
  62                    lookup_uuids,
  63                    'permission',
  64                    'orvos#group').each do |link|
  65           unless done.has_key? link.head_uuid
  66             todo[link.head_uuid] = true
  67           end
  68           link_permissions = {}
  69           case link.name
  70           when 'can_read'
  71             link_permissions = {read:true}
  72           when 'can_write'
  73             link_permissions = {read:true,write:true}
  74           when 'can_manage'
  75             link_permissions = ALL_PERMISSIONS
  76           end
  77           permissions_from[link.tail_uuid] ||= {}
  78           permissions_from[link.tail_uuid][link.head_uuid] ||= {}
  79           link_permissions.each do |k,v|
  80             permissions_from[link.tail_uuid][link.head_uuid][k] ||= v
  81           end
  82         end
  83       end
  84       search_permissions(self.uuid, permissions_from)
  85     end
  86   end
  87
  88   def search_permissions(start, graph, merged={}, upstream_mask=nil, upstream_path={})
  89     nextpaths = graph[start]
  90     return merged if !nextpaths
  91     return merged if upstream_path.has_key? start
  92     upstream_path[start] = true
  93     upstream_mask ||= ALL_PERMISSIONS
  94     nextpaths.each do |head, mask|
  95       merged[head] ||= {}
  96       mask.each do |k,v|
  97         merged[head][k] ||= v if upstream_mask[k]
  98       end
  99       search_permissions(head, graph, merged, upstream_mask.select { |k,v| v && merged[head][k] }, upstream_path)
 100     end
 101     upstream_path.delete start
 102     merged
 103   end
 104 end