return true if current_user.is_admin
# All users can grant permissions on objects they own or can manage
- head_obj = ArvadosModel.lookup_by_uuid(head_uuid)
+ head_obj = ArvadosModel.find_by_uuid(head_uuid)
return true if current_user.can?(manage: head_obj)
# Default = deny.
#
def ensure_owner_uuid_is_permitted
if link_class == 'permission'
- ob = ArvadosModel.lookup_by_uuid(head_uuid)
+ ob = ArvadosModel.find_by_uuid(head_uuid)
raise PermissionDeniedError unless current_user.can?(manage: ob)
# All permission links should be owned by the system user.
self.owner_uuid = system_user_uuid
super
end
end
+
+ # A user can give all other users permissions on projects.
+ def skip_uuid_read_permission_check
+ skipped_attrs = super
+ if link_class == "permission" and
+ (ArvadosModel.resource_class_for_uuid(head_uuid) == Group) and
+ (ArvadosModel.resource_class_for_uuid(tail_uuid) == User)
+ skipped_attrs << "tail_uuid"
+ end
+ skipped_attrs
+ end
end
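Review bot: The condition in `skip_uuid_read_permission_check` is wider than its comment says: it skips the read check on `tail_uuid` whenever the head resolves to `Group`, which as written covers every group and not only projects. Either narrow the test to project groups or reword the comment, for example `# A user can give any other user permissions on a group, even when they cannot read that user's record.` The method also appends to the array returned by `super` with `<<`; if the parent returns a shared or constant array (not visible in this hunk), `"tail_uuid"` would persist into later calls for other link classes, so `skipped_attrs = super.dup` is safer. As a style point, the condition should use `&&` rather than `and`. Separately, in `ensure_owner_uuid_is_permitted` it is worth confirming what `find_by_uuid` returns for a `head_uuid` that does not resolve, and that `current_user.can?(manage: ob)` denies when `ob` is nil.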