class Arvados::V1::CollectionsController < ApplicationController
def create
- # It's not an error for a client to re-register a manifest that we
- # already know about.
- @object = model_class.new resource_attrs
- begin
- @object.save!
- rescue ActiveRecord::RecordNotUnique
- logger.debug resource_attrs.inspect
- if resource_attrs[:manifest_text] and resource_attrs[:uuid]
- @existing_object = model_class.
- where('uuid=? and manifest_text=?',
- resource_attrs[:uuid],
- resource_attrs[:manifest_text]).
- first
- @object = @existing_object || @object
+ # Collections are owned by system_user. Creating a collection has
+ # two effects: The collection is added if it doesn't already
+ # exist, and a "permission" Link is added (if one doesn't already
+ # exist) giving the current user (or specified owner_uuid)
+ # permission to read it.
+ owner_uuid = resource_attrs.delete(:owner_uuid) || current_user.uuid
+ owner_kind = if owner_uuid.match(/-(\w+)-/)[1] == User.uuid_prefix
+ 'arvados#user'
+ else
+ 'arvados#group'
+ end
+ unless current_user.can? write: owner_uuid
+ raise ArvadosModel::PermissionDeniedError
+ end
+ act_as_system_user do
+ @object = model_class.new resource_attrs.reject { |k,v| k == :owner_uuid }
+ begin
+ @object.save!
+ rescue ActiveRecord::RecordNotUnique
+ logger.debug resource_attrs.inspect
+ if resource_attrs[:manifest_text] and resource_attrs[:uuid]
+ @existing_object = model_class.
+ where('uuid=? and manifest_text=?',
+ resource_attrs[:uuid],
+ resource_attrs[:manifest_text]).
+ first
+ @object = @existing_object || @object
+ end
+ end
+
+ if @object
+ link_attrs = {
+ owner_uuid: owner_uuid,
+ link_class: 'permission',
+ name: 'can_read',
+ head_kind: 'arvados#collection',
+ head_uuid: @object.uuid,
+ tail_kind: owner_kind,
+ tail_uuid: owner_uuid
+ }
+ ActiveRecord::Base.transaction do
+ if Link.where(link_attrs).empty?
+ Link.create! link_attrs
+ end
+ end
end
end
show
projects / arvados.git / blobdiff