19145: Make frozen projects non-writable by admins.
[arvados.git] / services / api / app / models / link.rb
index 7f4433dd703861bf7f6e5a231d6021b95cd3f883..83043a56d19026d32a8c3fa65dc839908f74ee86 100644 (file)
@@ -48,6 +48,7 @@ class Link < ArvadosModel
        !attr_value.nil? &&
        self.link_class == 'permission' &&
        attr_value[0..4] != Rails.configuration.ClusterID &&
+       ApiClientAuthorization.remote_host(uuid_prefix: attr_value[0..4]) &&
        ArvadosModel::resource_class_for_uuid(attr_value) == User
       # Permission link tail is a remote user (the user permissions
       # are being granted to), so bypass the standard check that a
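Review bot: The added `ApiClientAuthorization.remote_host(uuid_prefix: attr_value[0..4])` term is used purely for its truthiness, and what it returns for an unknown prefix is not visible in this hunk. In Ruby an empty string or empty hash is truthy, so it is worth confirming that it returns `nil` or `false` for an unconfigured cluster; otherwise the bypass of the standard tail check would still apply to arbitrary prefixes. The comment below the condition still says only "tail is a remote user" and should mention the new requirement, e.g. `# Permission link tail is a user on a configured remote cluster, so bypass ...`. The conditional starts and ends outside the hunk, so the branch taken when the lookup fails cannot be checked from here.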
@@ -135,12 +136,14 @@ class Link < ArvadosModel
   def call_update_permissions
     if self.link_class == 'permission'
       update_permissions tail_uuid, head_uuid, PERM_LEVEL[name], self.uuid
+      current_user.forget_cached_group_perms
     end
   end
 
   def clear_permissions
     if self.link_class == 'permission'
       update_permissions tail_uuid, head_uuid, REVOKE_PERM, self.uuid
+      current_user.forget_cached_group_perms
     end
   end
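Review bot: Both added `current_user.forget_cached_group_perms` calls, in `call_update_permissions` and in `clear_permissions`, invalidate only the acting user's cache, while the link being changed alters permissions for `tail_uuid`. The scope and lifetime of that cache are not visible here. If cached group permissions can be held for users other than the actor, a revocation made through `clear_permissions` could stay effective for them until their cache is refreshed, so confirm this and state it in a comment such as `# cache is per-request and per-user; only the actor's copy can be stale here`. The calls also assume `current_user` is non-nil whenever these methods run. If a link can be saved or destroyed without a user context, `current_user&.forget_cached_group_perms` avoids a `NoMethodError` raised after `update_permissions` has already been called.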