projects
/
arvados.git
/ blobdiff
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
12032: Use permission_view in subquery to filter objects readable by user.
[arvados.git]
/
services
/
api
/
app
/
models
/
user.rb
diff --git
a/services/api/app/models/user.rb
b/services/api/app/models/user.rb
index f9308b1c1e9c8f65b17a9c589bc1191d2cab9484..c8c9bfb6ac1a26b8200f8feebf6f1749f2856636 100644
(file)
--- a/
services/api/app/models/user.rb
+++ b/
services/api/app/models/user.rb
@@
-1,3
+1,7
@@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
require 'can_be_an_owner'
class User < ArvadosModel
require 'can_be_an_owner'
class User < ArvadosModel
@@
-6,6
+10,11
@@
class User < ArvadosModel
include CommonApiTemplate
include CanBeAnOwner
include CommonApiTemplate
include CanBeAnOwner
+ # To avoid upgrade bugs, when changing the permission cache value
+ # format, change PERM_CACHE_PREFIX too:
+ PERM_CACHE_PREFIX = "perm_v20170725_"
+ PERM_CACHE_TTL = 172800
+
serialize :prefs, Hash
has_many :api_client_authorizations
validates(:username,
serialize :prefs, Hash
has_many :api_client_authorizations
validates(:username,
@@
-20,6
+29,7
@@
class User < ArvadosModel
before_update :verify_repositories_empty, :if => Proc.new { |user|
user.username.nil? and user.username_changed?
}
before_update :verify_repositories_empty, :if => Proc.new { |user|
user.username.nil? and user.username_changed?
}
+ before_update :setup_on_activate
before_create :check_auto_admin
before_create :set_initial_username, :if => Proc.new { |user|
user.username.nil? and user.email
before_create :check_auto_admin
before_create :set_initial_username, :if => Proc.new { |user|
user.username.nil? and user.email
@@
-136,7
+146,7
@@
class User < ArvadosModel
timestamp = DbCurrentTime::db_current_time.to_i if timestamp.nil?
connection.execute "NOTIFY invalidate_permissions_cache, '#{timestamp}'"
else
timestamp = DbCurrentTime::db_current_time.to_i if timestamp.nil?
connection.execute "NOTIFY invalidate_permissions_cache, '#{timestamp}'"
else
- Rails.cache.delete_matched(/^
groups_for_user_
/)
+ Rails.cache.delete_matched(/^
#{PERM_CACHE_PREFIX}
/)
end
end
end
end
@@
-145,14
+155,14
@@
class User < ArvadosModel
install_view('permission')
all_perms = {}
ActiveRecord::Base.connection.
install_view('permission')
all_perms = {}
ActiveRecord::Base.connection.
- exec_query('SELECT user_uuid, target_owner_uuid, max(perm_level)
+ exec_query('SELECT user_uuid, target_owner_uuid, max(perm_level)
, max(trashed)
FROM permission_view
WHERE target_owner_uuid IS NOT NULL
GROUP BY user_uuid, target_owner_uuid',
# "name" arg is a query label that appears in logs:
"all_group_permissions",
FROM permission_view
WHERE target_owner_uuid IS NOT NULL
GROUP BY user_uuid, target_owner_uuid',
# "name" arg is a query label that appears in logs:
"all_group_permissions",
- ).rows.each do |user_uuid, group_uuid, max_p_val|
- all_perms[user_uuid] ||= {}
+ ).rows.each do |user_uuid, group_uuid, max_p_val
, trashed
|
+ all_perms[user_uuid] ||= {
user_uuid => {:read => true, :write => true, :manage => true}
}
all_perms[user_uuid][group_uuid] = PERMS_FOR_VAL[max_p_val.to_i]
end
all_perms
all_perms[user_uuid][group_uuid] = PERMS_FOR_VAL[max_p_val.to_i]
end
all_perms
@@
-164,9
+174,9
@@
class User < ArvadosModel
def calculate_group_permissions
self.class.install_view('permission')
def calculate_group_permissions
self.class.install_view('permission')
- group_perms = {}
+ group_perms = {
self.uuid => {:read => true, :write => true, :manage => true}
}
ActiveRecord::Base.connection.
ActiveRecord::Base.connection.
- exec_query('SELECT target_owner_uuid, max(perm_level)
+ exec_query('SELECT target_owner_uuid, max(perm_level)
, max(trashed)
FROM permission_view
WHERE user_uuid = $1
AND target_owner_uuid IS NOT NULL
FROM permission_view
WHERE user_uuid = $1
AND target_owner_uuid IS NOT NULL
@@
-175,10
+185,10
@@
class User < ArvadosModel
"group_permissions for #{uuid}",
# "binds" arg is an array of [col_id, value] for '$1' vars:
[[nil, uuid]],
"group_permissions for #{uuid}",
# "binds" arg is an array of [col_id, value] for '$1' vars:
[[nil, uuid]],
-
).rows.each do |group_uuid, max_p_val
|
+
).rows.each do |group_uuid, max_p_val, trashed
|
group_perms[group_uuid] = PERMS_FOR_VAL[max_p_val.to_i]
end
group_perms[group_uuid] = PERMS_FOR_VAL[max_p_val.to_i]
end
- Rails.cache.write "
groups_for_user_#{self.uuid}", group_perms
+ Rails.cache.write "
#{PERM_CACHE_PREFIX}#{self.uuid}", group_perms, expires_in: PERM_CACHE_TTL
group_perms
end
group_perms
end
@@
-186,12
+196,12
@@
class User < ArvadosModel
# and perm_hash[:write] are true if this user can read and write
# objects owned by group_uuid.
def group_permissions
# and perm_hash[:write] are true if this user can read and write
# objects owned by group_uuid.
def group_permissions
- r = Rails.cache.read "
groups_for_user_
#{self.uuid}"
+ r = Rails.cache.read "
#{PERM_CACHE_PREFIX}
#{self.uuid}"
if r.nil?
if Rails.configuration.async_permissions_update
while r.nil?
sleep(0.1)
if r.nil?
if Rails.configuration.async_permissions_update
while r.nil?
sleep(0.1)
- r = Rails.cache.read "
groups_for_user_
#{self.uuid}"
+ r = Rails.cache.read "
#{PERM_CACHE_PREFIX}
#{self.uuid}"
end
else
r = calculate_group_permissions
end
else
r = calculate_group_permissions
@@
-200,15
+210,11
@@
class User < ArvadosModel
r
end
r
end
- def self.setup(user, openid_prefix, repo_name=nil, vm_uuid=nil)
- return user.setup_repo_vm_links(repo_name, vm_uuid, openid_prefix)
- end
-
# create links
# create links
- def setup
_repo_vm_links(repo_name, vm_uuid, openid_prefix
)
+ def setup
(openid_prefix:, repo_name: nil, vm_uuid: nil
)
oid_login_perm = create_oid_login_perm openid_prefix
repo_perm = create_user_repo_link repo_name
oid_login_perm = create_oid_login_perm openid_prefix
repo_perm = create_user_repo_link repo_name
- vm_login_perm = create_vm_login_permission_link
vm_uuid, username
+ vm_login_perm = create_vm_login_permission_link
(vm_uuid, username) if vm_uuid
group_perm = create_user_group_link
return [oid_login_perm, repo_perm, vm_login_perm, group_perm, self].compact
group_perm = create_user_group_link
return [oid_login_perm, repo_perm, vm_login_perm, group_perm, self].compact
@@
-382,13
+388,12
@@
class User < ArvadosModel
merged
end
merged
end
- def create_oid_login_perm (openid_prefix)
- login_perm_props = { "identity_url_prefix" => openid_prefix}
-
+ def create_oid_login_perm(openid_prefix)
# Check oid_login_perm
oid_login_perms = Link.where(tail_uuid: self.email,
# Check oid_login_perm
oid_login_perms = Link.where(tail_uuid: self.email,
- link_class: 'permission',
- name: 'can_login').where("head_uuid = ?", self.uuid)
+ head_uuid: self.uuid,
+ link_class: 'permission',
+ name: 'can_login')
if !oid_login_perms.any?
# create openid login permission
if !oid_login_perms.any?
# create openid login permission
@@
-396,8
+401,9
@@
class User < ArvadosModel
name: 'can_login',
tail_uuid: self.email,
head_uuid: self.uuid,
name: 'can_login',
tail_uuid: self.email,
head_uuid: self.uuid,
- properties: login_perm_props
- )
+ properties: {
+ "identity_url_prefix" => openid_prefix,
+ })
logger.info { "openid login permission: " + oid_login_perm[:uuid] }
else
oid_login_perm = oid_login_perms.first
logger.info { "openid login permission: " + oid_login_perm[:uuid] }
else
oid_login_perm = oid_login_perms.first
@@
-425,15
+431,12
@@
class User < ArvadosModel
# create login permission for the given vm_uuid, if it does not already exist
def create_vm_login_permission_link(vm_uuid, repo_name)
# vm uuid is optional
# create login permission for the given vm_uuid, if it does not already exist
def create_vm_login_permission_link(vm_uuid, repo_name)
# vm uuid is optional
- if vm_uuid
- vm = VirtualMachine.where(uuid: vm_uuid).first
+ return if !vm_uuid
- if not vm
- logger.warn "Could not find virtual machine for #{vm_uuid.inspect}"
- raise "No vm found for #{vm_uuid}"
- end
- else
- return
+ vm = VirtualMachine.where(uuid: vm_uuid).first
+ if !vm
+ logger.warn "Could not find virtual machine for #{vm_uuid.inspect}"
+ raise "No vm found for #{vm_uuid}"
end
logger.info { "vm uuid: " + vm[:uuid] }
end
logger.info { "vm uuid: " + vm[:uuid] }
@@
-486,9
+489,17
@@
class User < ArvadosModel
end
end
end
end
+ # Automatically setup if is_active flag turns on
+ def setup_on_activate
+ return if [system_user_uuid, anonymous_user_uuid].include?(self.uuid)
+ if is_active && (new_record? || is_active_changed?)
+ setup(openid_prefix: Rails.configuration.default_openid_prefix)
+ end
+ end
+
# Automatically setup new user during creation
def auto_setup_new_user
# Automatically setup new user during creation
def auto_setup_new_user
- setup
_repo_vm_links(nil, nil,
Rails.configuration.default_openid_prefix)
+ setup
(openid_prefix:
Rails.configuration.default_openid_prefix)
if username
create_vm_login_permission_link(Rails.configuration.auto_setup_new_users_with_vm_uuid,
username)
if username
create_vm_login_permission_link(Rails.configuration.auto_setup_new_users_with_vm_uuid,
username)