Merge branch '19146-can-write-manage'
diff --git
a/services/api/app/models/user.rb
b/services/api/app/models/user.rb
index 444946613545dd300d23bce717c1d9d72f4066af..52d36ac57735f0c16d4b0ed6271a50681e08e05b 100644
--- a/
services/api/app/models/user.rb
+++ b/
services/api/app/models/user.rb
@@
-112,7
+112,6
@@
class User < ArvadosModel
end
def can?(actions)
end
def can?(actions)
- return true if is_admin
actions.each do |action, target|
unless target.nil?
if target.respond_to? :uuid
actions.each do |action, target|
unless target.nil?
if target.respond_to? :uuid
@@
-124,11
+123,19
@@
class User < ArvadosModel
end
next if target_uuid == self.uuid
end
next if target_uuid == self.uuid
+ if action == :write && target && !target.new_record? &&
+ target.respond_to?(:frozen_by_uuid) &&
+ target.frozen_by_uuid_was
+ # Just an optimization to skip the PERMISSION_VIEW and
+ # FrozenGroup queries below
+ return false
+ end
+
target_owner_uuid = target.owner_uuid if target.respond_to? :owner_uuid
user_uuids_subquery = USER_UUIDS_SUBQUERY_TEMPLATE % {user: "$1", perm_level: "$3"}
target_owner_uuid = target.owner_uuid if target.respond_to? :owner_uuid
user_uuids_subquery = USER_UUIDS_SUBQUERY_TEMPLATE % {user: "$1", perm_level: "$3"}
-
unless
ActiveRecord::Base.connection.
+
if !is_admin && !
ActiveRecord::Base.connection.
exec_query(%{
SELECT 1 FROM #{PERMISSION_VIEW}
WHERE user_uuid in (#{user_uuids_subquery}) and
exec_query(%{
SELECT 1 FROM #{PERMISSION_VIEW}
WHERE user_uuid in (#{user_uuids_subquery}) and