Merge branch '18794-config-health'
diff --git
a/services/api/app/controllers/arvados/v1/links_controller.rb
b/services/api/app/controllers/arvados/v1/links_controller.rb
index 14e010640e6b665fa0409005fa419ce6b3f808b4..7716a3d5cffd9f6ac44d3bb691d06c98ddf7acf2 100644
--- a/
services/api/app/controllers/arvados/v1/links_controller.rb
+++ b/
services/api/app/controllers/arvados/v1/links_controller.rb
@@
-57,12
+57,17
@@
class Arvados::V1::LinksController < ApplicationController
# by UUID, then check whether (a) its tail_uuid is the current
# user or (b) its head_uuid is an object the current_user
# can_manage.
# by UUID, then check whether (a) its tail_uuid is the current
# user or (b) its head_uuid is an object the current_user
# can_manage.
- @object = Link.unscoped.where(uuid: params[:uuid]).first
- if @object.link_class != 'permission'
+ link = Link.unscoped.where(uuid: params[:uuid]).first
+ if link && link.link_class != 'permission'
+ # Not a permission link. Re-fetch using generic
+ # permission-filtering query.
super
super
- elsif @object &&
- current_user.uuid != @object.tail_uuid &&
- !current_user.can?(manage: @object.head_uuid)
+ elsif link && (current_user.uuid == link.tail_uuid ||
+ current_user.can?(manage: link.head_uuid))
+ # Permission granted.
+ @object = link
+ else
+ # Permission denied, i.e., link is invisible => 404.
@object = nil
end
end
@object = nil
end
end
@@
-120,6
+125,8
@@
class Arvados::V1::LinksController < ApplicationController
if k[1] == '=' && current_user.can?(manage: k[2])
@objects = Link.unscoped
elsif k[1] == 'in'
if k[1] == '=' && current_user.can?(manage: k[2])
@objects = Link.unscoped
elsif k[1] == 'in'
+ # Modify the filter operand element (k[2]) in place,
+ # removing any non-permitted UUIDs.
k[2].select! do |head_uuid|
current_user.can?(manage: head_uuid)
end
k[2].select! do |head_uuid|
current_user.can?(manage: head_uuid)
end