projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
add auth scopes
[arvados.git] / services / api / app / controllers / application_controller.rb
diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index a47ccf78ff5dba0d5ead7469724211c9fae13b93..0a89e21021769cb708c4c6977f42737acf369b6a 100644 (file)
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -6,7 +6,7 @@ class ApplicationController < ActionController::Base
   around_filter :thread_with_auth_info, :except => [:render_error, :render_not_found]
 
   before_filter :remote_ip
-  before_filter :login_required, :except => :render_not_found
+  before_filter :require_auth_scope_all, :except => :render_not_found
   before_filter :catch_redirect_hint
 
   before_filter :load_where_param, :only => :index
@@ -112,11 +112,11 @@ class ApplicationController < ActionController::Base
       collect { |uuid| model_class.sanitize(uuid) }.join(', ')
     or_references_me = ''
     if model_class == Link and current_user
-      or_references_me = "OR #{model_class.sanitize current_user.uuid} IN (#{table_name}.head_uuid, #{table_name}.tail_uuid)"
+      or_references_me = "OR (#{table_name}.link_class in (#{model_class.sanitize 'permission'}, #{model_class.sanitize 'resources'}) AND #{model_class.sanitize current_user.uuid} IN (#{table_name}.head_uuid, #{table_name}.tail_uuid))"
     end
     @objects ||= model_class.
-      joins("LEFT JOIN links permissions ON permissions.head_uuid in (#{table_name}.owner, #{table_name}.uuid) AND permissions.tail_uuid in (#{sanitized_uuid_list}) AND permissions.link_class='permission'").
-      where("?=? OR #{table_name}.owner in (?) OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL #{or_references_me}",
+      joins("LEFT JOIN links permissions ON permissions.head_uuid in (#{table_name}.owner_uuid, #{table_name}.uuid) AND permissions.tail_uuid in (#{sanitized_uuid_list}) AND permissions.link_class='permission'").
+      where("?=? OR #{table_name}.owner_uuid in (?) OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL #{or_references_me}",
             true, current_user.is_admin,
             uuid_list,
             current_user.uuid)
@@ -199,23 +199,26 @@ class ApplicationController < ActionController::Base
       message << " hash provided with request"
       raise ArgumentError.new(message)
     end
-    %w(created_at modified_by_client modified_by_user modified_at).each do |x|
+    %w(created_at modified_by_client_uuid modified_by_user_uuid modified_at).each do |x|
       @attrs.delete x
     end
     @attrs
   end
 
   # Authentication
-  def login_required
-    if !current_user
+  def require_login
+    if current_user
+      true
+    else
       respond_to do |format|
+        format.json {
+          render :json => { errors: ['Not logged in'] }.to_json, status: 401
+        }
         format.html  {
           redirect_to '/auth/joshid'
         }
-        format.json {
-          render :json => { errors: ['Not logged in'] }.to_json
-        }
       end
+      false
     end
   end
 
@@ -225,6 +228,16 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def require_auth_scope_all
+    require_login and require_auth_scope(['all'])
+  end
+
+  def require_auth_scope(ok_scopes)
+    unless current_api_client_auth_has_scope(ok_scopes)
+      render :json => { errors: ['Forbidden'] }.to_json, status: 403
+    end
+  end
+
   def thread_with_auth_info
     begin
       user = nil
@@ -241,7 +254,7 @@ class ApplicationController < ActionController::Base
           first
         if api_client_auth
           session[:user_id] = api_client_auth.user.id
-          session[:api_client_uuid] = api_client_auth.api_client.uuid
+          session[:api_client_uuid] = api_client_auth.api_client.andand.uuid
           session[:api_client_authorization_id] = api_client_auth.id
           user = api_client_auth.user
           api_client = api_client_auth.api_client
@@ -258,7 +271,7 @@ class ApplicationController < ActionController::Base
       end
       Thread.current[:api_client_ip_address] = remote_ip
       Thread.current[:api_client_authorization] = api_client_auth
-      Thread.current[:api_client_uuid] = api_client && api_client.uuid
+      Thread.current[:api_client_uuid] = api_client.andand.uuid
       Thread.current[:api_client] = api_client
       Thread.current[:user] = user
       if api_client_auth