uniqueness: true,
allow_nil: true)
validate :must_unsetup_to_deactivate
+ validate :identity_url_nil_if_empty
before_update :prevent_privilege_escalation
before_update :prevent_inactive_admin
before_update :verify_repositories_empty, :if => Proc.new {
t.add :is_invited
t.add :prefs
t.add :writable_by
+ t.add :can_write
+ t.add :can_manage
end
ALL_PERMISSIONS = {read: true, write: true, manage: true}
VAL_FOR_PERM =
{:read => 1,
:write => 2,
- :unfreeze => 2,
+ :unfreeze => 3,
:manage => 3}
end
next if target_uuid == self.uuid
+ if action == :write && target && !target.new_record? &&
+ target.respond_to?(:frozen_by_uuid) &&
+ target.frozen_by_uuid_was
+ # Just an optimization to skip the PERMISSION_VIEW and
+ # FrozenGroup queries below
+ return false
+ end
+
target_owner_uuid = target.owner_uuid if target.respond_to? :owner_uuid
user_uuids_subquery = USER_UUIDS_SUBQUERY_TEMPLATE % {user: "$1", perm_level: "$3"}
return false
end
elsif action == :unfreeze
- # "unfreeze" permission means "could write if target weren't
- # frozen", which is relevant when a user is un-freezing a
- # project. If the permission query above allows :write, and
- # the parent isn't also frozen, then un-freeze is allowed.
+ # "unfreeze" permission means "can write, but only if
+ # explicitly un-freezing at the same time" (see
+ # ArvadosModel#ensure_owner_uuid_is_permitted). If the
+ # permission query above passed the permission level of
+ # :unfreeze (which is the same as :manage), and the parent
+ # isn't also frozen, then un-freeze is allowed.
if FrozenGroup.where(uuid: target_owner_uuid).any?
return false
end
protected
+ def self.attributes_required_columns
+ super.merge(
+ 'can_write' => ['owner_uuid', 'uuid'],
+ 'can_manage' => ['owner_uuid', 'uuid'],
+ )
+ end
+
def change_all_uuid_refs(old_uuid:, new_uuid:)
ActiveRecord::Base.descendants.reject(&:abstract_class?).each do |klass|
klass.columns.each do |col|
repo.save!
end
end
+
+ def identity_url_nil_if_empty
+ if identity_url == ""
+ self.identity_url = nil
+ end
+ end
end