1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
5 class Link < ArvadosModel
8 include CommonApiTemplate
10 # Posgresql JSONB columns should NOT be declared as serialized, Rails 5
11 # already know how to properly treat them.
13 before_create :permission_to_attach_to_objects
14 before_update :permission_to_attach_to_objects
15 after_update :maybe_invalidate_permissions_cache
16 after_create :maybe_invalidate_permissions_cache
17 after_destroy :maybe_invalidate_permissions_cache
18 validate :name_links_are_obsolete
20 api_accessible :user, extend: :common do |t|
31 if k = ArvadosModel::resource_class_for_uuid(head_uuid)
37 if k = ArvadosModel::resource_class_for_uuid(tail_uuid)
44 def permission_to_attach_to_objects
45 # Anonymous users cannot write links
46 return false if !current_user
48 # All users can write links that don't affect permissions
49 return true if self.link_class != 'permission'
51 # Administrators can grant permissions
52 return true if current_user.is_admin
54 head_obj = ArvadosModel.find_by_uuid(head_uuid)
56 # No permission links can be pointed to past collection versions
57 return false if head_obj.is_a?(Collection) && head_obj.current_version_uuid != head_uuid
59 # All users can grant permissions on objects they own or can manage
60 return true if current_user.can?(manage: head_obj)
66 def maybe_invalidate_permissions_cache
67 if self.link_class == 'permission'
68 # Clearing the entire permissions cache can generate many
69 # unnecessary queries if many active users are not affected by
70 # this change. In such cases it would be better to search cached
71 # permissions for head_uuid and tail_uuid, and invalidate the
72 # cache for only those users. (This would require a browseable
74 User.invalidate_permissions_cache
78 def name_links_are_obsolete
79 if link_class == 'name'
80 errors.add('name', 'Name links are obsolete')
87 # A user is permitted to create, update or modify a permission link
88 # if and only if they have "manage" permission on the object
89 # indicated by the permission link's head_uuid.
91 # All other links are treated as regular ArvadosModel objects.
93 def ensure_owner_uuid_is_permitted
94 if link_class == 'permission'
95 ob = ArvadosModel.find_by_uuid(head_uuid)
96 raise PermissionDeniedError unless current_user.can?(manage: ob)
97 # All permission links should be owned by the system user.
98 self.owner_uuid = system_user_uuid