1 class User < OrvosModel
4 include CommonApiTemplate
6 has_many :api_client_authorizations
7 before_update :prevent_privilege_escalation
9 api_accessible :superuser, :extend => :common do |t|
19 ALL_PERMISSIONS = {read: true, write: true, manage: true}
22 "#{first_name} #{last_name}"
25 def groups_i_can(verb)
26 self.group_permissions.select { |uuid, mask| mask[verb] }.keys
30 actions.each do |action, target|
32 if target.respond_to? :uuid
33 target_uuid = target.uuid
35 next if target_uuid == self.uuid
36 next if (group_permissions[target_uuid] and
37 group_permissions[target_uuid][action])
38 if target.respond_to? :owner
39 next if target.owner == self.uuid
40 next if (group_permissions[target.owner] and
41 group_permissions[target.owner][action])
48 def self.invalidate_permissions_cache
49 Rails.cache.delete_matched(/^groups_for_user_/)
54 def permission_to_create
55 Thread.current[:user] == self or
56 (Thread.current[:user] and Thread.current[:user].is_admin)
59 def prevent_privilege_escalation
60 if self.is_admin_changed? and !current_user.is_admin
61 if current_user.uuid == self.uuid
62 if self.is_admin != self.is_admin_was
63 logger.warn "User #{self.uuid} tried to change is_admin from #{self.is_admin_was} to #{self.is_admin}"
64 self.is_admin = self.is_admin_was
72 Rails.cache.fetch "groups_for_user_#{self.uuid}" do
74 todo = {self.uuid => true}
77 lookup_uuids = todo.keys
78 lookup_uuids.each do |uuid| done[uuid] = true end
80 Link.where('tail_uuid in (?) and link_class = ? and head_kind = ?',
83 'orvos#group').each do |link|
84 unless done.has_key? link.head_uuid
85 todo[link.head_uuid] = true
90 link_permissions = {read:true}
92 link_permissions = {read:true,write:true}
94 link_permissions = ALL_PERMISSIONS
96 permissions_from[link.tail_uuid] ||= {}
97 permissions_from[link.tail_uuid][link.head_uuid] ||= {}
98 link_permissions.each do |k,v|
99 permissions_from[link.tail_uuid][link.head_uuid][k] ||= v
103 search_permissions(self.uuid, permissions_from)
107 def search_permissions(start, graph, merged={}, upstream_mask=nil, upstream_path={})
108 nextpaths = graph[start]
109 return merged if !nextpaths
110 return merged if upstream_path.has_key? start
111 upstream_path[start] = true
112 upstream_mask ||= ALL_PERMISSIONS
113 nextpaths.each do |head, mask|
116 merged[head][k] ||= v if upstream_mask[k]
118 search_permissions(head, graph, merged, upstream_mask.select { |k,v| v && merged[head][k] }, upstream_path)
120 upstream_path.delete start