Merge remote-tracking branch 'origin/master' into job-docker-images

[arvados.git] / services / api / app / models / user.rb
diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb

index e4881edf4ee929edde6697528ceb6ac39ab9d7c1..677685d67abdb60270b113ffeb46d6bb5edea81c 100644 (file)
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -1,14 +1,18 @@
+require 'can_be_an_owner'
+
  class User < ArvadosModel
-  include AssignUuid
+  include HasUuid
    include KindAndEtag
    include CommonApiTemplate
+  include CanBeAnOwner
+
    serialize :prefs, Hash
    has_many :api_client_authorizations
    before_update :prevent_privilege_escalation
    before_update :prevent_inactive_admin
    before_create :check_auto_admin
    after_create :add_system_group_permission_link
-  after_create AdminNotifier
+  after_create :send_admin_notifications
  
    has_many :authorized_keys, :foreign_key => :authorized_user_uuid, :primary_key => :uuid
  
@@ -27,7 +31,7 @@ class User < ArvadosModel
    ALL_PERMISSIONS = {read: true, write: true, manage: true}
  
    def full_name
-    "#{first_name} #{last_name}"
+    "#{first_name} #{last_name}".strip
    end
  
    def is_invited
@@ -37,7 +41,11 @@ class User < ArvadosModel
    end
  
    def groups_i_can(verb)
-    self.group_permissions.select { |uuid, mask| mask[verb] }.keys
+    my_groups = self.group_permissions.select { |uuid, mask| mask[verb] }.keys
+    if verb == :read
+      my_groups << anonymous_group_uuid
+    end
+    my_groups
    end
  
    def can?(actions)
@@ -80,10 +88,11 @@ class User < ArvadosModel
          Group.where('owner_uuid in (?)', lookup_uuids).each do |group|
            newgroups << [group.owner_uuid, group.uuid, 'can_manage']
          end
-        Link.where('tail_uuid in (?) and link_class = ? and head_kind in (?)',
+        Link.where('tail_uuid in (?) and link_class = ? and (head_uuid like ? or head_uuid like ?)',
                     lookup_uuids,
                     'permission',
-                   ['arvados#group', 'arvados#user']).each do |link|
+                   Group.uuid_like_pattern,
+                   User.uuid_like_pattern).each do |link|
            newgroups << [link.tail_uuid, link.head_uuid, link.name]
          end
          newgroups.each do |tail_uuid, head_uuid, perm_name|
@@ -128,7 +137,6 @@ class User < ArvadosModel
    def unsetup
      # delete oid_login_perms for this user
      oid_login_perms = Link.where(tail_uuid: self.email,
-                                 head_kind: 'arvados#user',
                                   link_class: 'permission',
                                   name: 'can_login')
      oid_login_perms.each do |perm|
@@ -137,7 +145,6 @@ class User < ArvadosModel
  
      # delete repo_perms for this user
      repo_perms = Link.where(tail_uuid: self.uuid,
-                            head_kind: 'arvados#repository',
                              link_class: 'permission',
                              name: 'can_write')
      repo_perms.each do |perm|
@@ -146,7 +153,6 @@ class User < ArvadosModel
  
      # delete vm_login_perms for this user
      vm_login_perms = Link.where(tail_uuid: self.uuid,
-                                head_kind: 'arvados#virtualMachine',
                                  link_class: 'permission',
                                  name: 'can_login')
      vm_login_perms.each do |perm|
@@ -159,7 +165,6 @@ class User < ArvadosModel
      end.first
      group_perms = Link.where(tail_uuid: self.uuid,
                               head_uuid: group[:uuid],
-                             head_kind: 'arvados#group',
                               link_class: 'permission',
                               name: 'can_read')
      group_perms.each do |perm|
@@ -168,7 +173,6 @@ class User < ArvadosModel
  
      # delete any signatures by this user
      signed_uuids = Link.where(link_class: 'signature',
-                              tail_kind: 'arvados#user',
                                tail_uuid: self.uuid)
      signed_uuids.each do |sign|
        Link.delete sign
@@ -181,6 +185,10 @@ class User < ArvadosModel
  
    protected
  
+  def ensure_ownership_path_leads_to_user
+    true
+  end
+
    def permission_to_update
      # users must be able to update themselves (even if they are
      # inactive) in order to create sessions
@@ -249,21 +257,18 @@ class User < ArvadosModel
    end
  
    def create_oid_login_perm (openid_prefix)
-    login_perm_props = {identity_url_prefix: openid_prefix}
+    login_perm_props = { "identity_url_prefix" => openid_prefix}
  
      # Check oid_login_perm
      oid_login_perms = Link.where(tail_uuid: self.email,
-                                   head_kind: 'arvados#user',
                                     link_class: 'permission',
-                                   name: 'can_login')
+                                   name: 'can_login').where("head_uuid = ?", self.uuid)
  
      if !oid_login_perms.any?
        # create openid login permission
        oid_login_perm = Link.create(link_class: 'permission',
                                     name: 'can_login',
-                                   tail_kind: 'email',
                                     tail_uuid: self.email,
-                                   head_kind: 'arvados#user',
                                     head_uuid: self.uuid,
                                     properties: login_perm_props
                                    )
@@ -290,7 +295,6 @@ class User < ArvadosModel
  
        # Look for existing repository access for this repo
        repo_perms = Link.where(tail_uuid: self.uuid,
-                              head_kind: 'arvados#repository',
                                head_uuid: repo[:uuid],
                                link_class: 'permission',
                                name: 'can_write')
@@ -305,9 +309,7 @@ class User < ArvadosModel
      repo ||= Repository.create(name: repo_name)
      logger.info { "repo uuid: " + repo[:uuid] }
  
-    repo_perm = Link.create(tail_kind: 'arvados#user',
-                            tail_uuid: self.uuid,
-                            head_kind: 'arvados#repository',
+    repo_perm = Link.create(tail_uuid: self.uuid,
                              head_uuid: repo[:uuid],
                              link_class: 'permission',
                              name: 'can_write')
@@ -335,29 +337,26 @@ class User < ArvadosModel
  
        login_perms = Link.where(tail_uuid: self.uuid,
                                head_uuid: vm[:uuid],
-                              head_kind: 'arvados#virtualMachine',
                                link_class: 'permission',
                                name: 'can_login')
  
        perm_exists = false
        login_perms.each do |perm|
-        if perm.properties[:username] == repo_name
-          perm_exists = true
+        if perm.properties['username'] == repo_name
+          perm_exists = perm
            break
          end
        end
  
-      if !perm_exists
-        login_perm = Link.create(tail_kind: 'arvados#user',
-                                 tail_uuid: self.uuid,
-                                 head_kind: 'arvados#virtualMachine',
+      if perm_exists
+        login_perm = perm_exists
+      else
+        login_perm = Link.create(tail_uuid: self.uuid,
                                   head_uuid: vm[:uuid],
                                   link_class: 'permission',
                                   name: 'can_login',
-                                 properties: {username: repo_name})
+                                 properties: {'username' => repo_name})
          logger.info { "login permission: " + login_perm[:uuid] }
-      else
-        login_perm = login_perms.first
        end
  
        return login_perm
@@ -379,14 +378,11 @@ class User < ArvadosModel
  
        group_perms = Link.where(tail_uuid: self.uuid,
                                head_uuid: group[:uuid],
-                              head_kind: 'arvados#group',
                                link_class: 'permission',
                                name: 'can_read')
  
        if !group_perms.any?
-        group_perm = Link.create(tail_kind: 'arvados#user',
-                                 tail_uuid: self.uuid,
-                                 head_kind: 'arvados#group',
+        group_perm = Link.create(tail_uuid: self.uuid,
                                   head_uuid: group[:uuid],
                                   link_class: 'permission',
                                   name: 'can_read')
@@ -403,11 +399,19 @@ class User < ArvadosModel
    # all of this user's stuff.
    #
    def add_system_group_permission_link
-    Link.create(link_class: 'permission',
-                name: 'can_manage',
-                tail_kind: 'arvados#group',
-                tail_uuid: system_group_uuid,
-                head_kind: 'arvados#user',
-                head_uuid: self.uuid)
+    act_as_system_user do
+      Link.create(link_class: 'permission',
+                  name: 'can_manage',
+                  tail_uuid: system_group_uuid,
+                  head_uuid: self.uuid)
+    end
+  end
+
+  # Send admin notifications
+  def send_admin_notifications
+    AdminNotifier.new_user(self).deliver
+    if not self.is_active then
+      AdminNotifier.new_inactive_user(self).deliver
+    end
    end
  end