Merge branch 'master' into 4233-graph-job-stats

[arvados.git] / services / api / app / models / user.rb

diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index 5530eb6523f6791e1c28161208fda5fad8eba442..b939d07bf056c00e93383499a47e1bfedadad2c7 100644 (file)
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -29,6 +29,7 @@ class User < ArvadosModel
     t.add :is_admin
     t.add :is_invited
     t.add :prefs
+    t.add :writable_by
   end
 
   ALL_PERMISSIONS = {read: true, write: true, manage: true}
@@ -70,6 +71,30 @@ class User < ArvadosModel
         next if (group_permissions[target.owner_uuid] and
                  group_permissions[target.owner_uuid][action])
       end
+      sufficient_perms = case action
+                         when :manage
+                           ['can_manage']
+                         when :write
+                           ['can_manage', 'can_write']
+                         when :read
+                           ['can_manage', 'can_write', 'can_read']
+                         else
+                           # (Skip this kind of permission opportunity
+                           # if action is an unknown permission type)
+                         end
+      if sufficient_perms
+        # Check permission links with head_uuid pointing directly at
+        # the target object. If target is a Group, this is redundant
+        # and will fail except [a] if permission caching is broken or
+        # [b] during a race condition, where a permission link has
+        # *just* been added.
+        if Link.where(link_class: 'permission',
+                      name: sufficient_perms,
+                      tail_uuid: groups_i_can(action) + [self.uuid],
+                      head_uuid: target_uuid).any?
+          next
+        end
+      end
       return false
     end
     true
@@ -104,12 +129,13 @@ class User < ArvadosModel
         Group.where('owner_uuid in (?)', lookup_uuids).each do |group|
           newgroups << [group.owner_uuid, group.uuid, 'can_manage']
         end
-        # add any permission links from the current lookup_uuids to a
-        # User or Group.
-        Link.where('tail_uuid in (?) and link_class = ? and (head_uuid like ? or head_uuid like ?)',
-                   lookup_uuids,
+        # add any permission links from the current lookup_uuids to a Group.
+        Link.where('link_class = ? and tail_uuid in (?) and ' \
+                   '(head_uuid like ? or (name = ? and head_uuid like ?))',
                    'permission',
+                   lookup_uuids,
                    Group.uuid_like_pattern,
+                   'can_manage',
                    User.uuid_like_pattern).each do |link|
           newgroups << [link.tail_uuid, link.head_uuid, link.name]
         end
@@ -208,11 +234,13 @@ class User < ArvadosModel
   end
 
   def check_auto_admin
-    if User.where("uuid not like '%-000000000000000'").where(:is_admin => true).count == 0 and Rails.configuration.auto_admin_user
-      if self.email == Rails.configuration.auto_admin_user
-        self.is_admin = true
-        self.is_active = true
-      end
+    return if self.uuid.end_with?('anonymouspublic')
+    if (User.where("email = ?",self.email).where(:is_admin => true).count == 0 and
+        Rails.configuration.auto_admin_user and self.email == Rails.configuration.auto_admin_user) or
+       (User.where("uuid not like '%-000000000000000'").where(:is_admin => true).count == 0 and 
+        Rails.configuration.auto_admin_first_user)
+      self.is_admin = true
+      self.is_active = true
     end
   end
 
@@ -425,6 +453,8 @@ class User < ArvadosModel
   def auto_setup_new_user
     return true if !Rails.configuration.auto_setup_new_users
     return true if !self.email
+    return true if self.uuid == system_user_uuid
+    return true if self.uuid == anonymous_user_uuid
 
     if Rails.configuration.auto_setup_new_users_with_vm_uuid ||
        Rails.configuration.auto_setup_new_users_with_repository
@@ -433,42 +463,32 @@ class User < ArvadosModel
 
       blacklisted_usernames = Rails.configuration.auto_setup_name_blacklist
       if blacklisted_usernames.include?(username)
-        return true;
+        return true
       elsif !(/^[a-zA-Z][-._a-zA-Z0-9]{0,30}[a-zA-Z0-9]$/.match(username))
         return true
       else
-        username = derive_unique_username username
+        return true if !(username = derive_unique_username username)
       end
     end
 
     # setup user
-    if !Rails.configuration.auto_setup_new_users_with_vm_uuid &&
-       !Rails.configuration.auto_setup_new_users_with_repository
-      oid_login_perm = create_oid_login_perm Rails.configuration.default_openid_prefix
-      group_perm = create_user_group_link
-    else
-      setup_repo_vm_links(username,
-                          Rails.configuration.auto_setup_new_users_with_vm_uuid,
-                          Rails.configuration.default_openid_prefix)
-    end
+    setup_repo_vm_links(username,
+                        Rails.configuration.auto_setup_new_users_with_vm_uuid,
+                        Rails.configuration.default_openid_prefix)
   end
 
   # Find a username that starts with the given string and does not collide
   # with any existing repository name or VM login name
   def derive_unique_username username
-    vm_uuid = Rails.configuration.auto_setup_new_users_with_vm_uuid
     while true
       if Repository.where(name: username).empty?
-        login_collisions = Link.where(head_uuid: vm_uuid,
-                                      link_class: 'permission',
+        login_collisions = Link.where(link_class: 'permission',
                                       name: 'can_login').select do |perm|
           perm.properties['username'] == username
         end
-        if login_collisions.empty?
-          return username
-        end
+        return username if login_collisions.empty?
       end
-      username = username + SecureRandom.random_number(100).to_s
+      username = username + SecureRandom.random_number(10).to_s
     end
   end