- # Clearing the entire permissions cache can generate many
- # unnecessary queries if many active users are not affected by
- # this change. In such cases it would be better to search cached
- # permissions for head_uuid and tail_uuid, and invalidate the
- # cache for only those users. (This would require a browseable
- # cache.)
- User.invalidate_permissions_cache
+ update_permissions tail_uuid, head_uuid, PERM_LEVEL[name], self.uuid
+ current_user.forget_cached_group_perms
+ end
+ end
+
+ def clear_permissions
+ if self.link_class == 'permission'
+ update_permissions tail_uuid, head_uuid, REVOKE_PERM, self.uuid
+ current_user.forget_cached_group_perms
+ end
+ end
+
+ def check_permissions
+ if self.link_class == 'permission'
+ check_permissions_against_full_refresh
+ end
+ end
+
+ def name_links_are_obsolete
+ if link_class == 'name'
+ errors.add('name', 'Name links are obsolete')
+ false
+ else
+ true
+ end
+ end
+
+ # A user is permitted to create, update or modify a permission link
+ # if and only if they have "manage" permission on the object
+ # indicated by the permission link's head_uuid.
+ #
+ # All other links are treated as regular ArvadosModel objects.
+ #
+ def ensure_owner_uuid_is_permitted
+ if link_class == 'permission'
+ ob = ArvadosModel.find_by_uuid(head_uuid)
+ raise PermissionDeniedError unless current_user.can?(manage: ob)
+ # All permission links should be owned by the system user.
+ self.owner_uuid = system_user_uuid
+ return true
+ else
+ super