Merge branch '3178-discoverable-parameters' closes #3178

[arvados.git] / services / api / app / models / user.rb

diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index 677685d67abdb60270b113ffeb46d6bb5edea81c..4fc6204eb504cf941e14abba0d15113dd1935ccc 100644 (file)
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -51,9 +51,13 @@ class User < ArvadosModel
   def can?(actions)
     return true if is_admin
     actions.each do |action, target|
-      target_uuid = target
-      if target.respond_to? :uuid
-        target_uuid = target.uuid
+      unless target.nil?
+        if target.respond_to? :uuid
+          target_uuid = target.uuid
+        else
+          target_uuid = target
+          target = ArvadosModel.find_by_uuid(target_uuid)
+        end
       end
       next if target_uuid == self.uuid
       next if (group_permissions[target_uuid] and
@@ -75,19 +79,30 @@ class User < ArvadosModel
   # Return a hash of {group_uuid: perm_hash} where perm_hash[:read]
   # and perm_hash[:write] are true if this user can read and write
   # objects owned by group_uuid.
+  #
+  # The permission graph is built by repeatedly enumerating all
+  # permission links reachable from self.uuid, and then calling
+  # search_permissions
   def group_permissions
     Rails.cache.fetch "groups_for_user_#{self.uuid}" do
       permissions_from = {}
       todo = {self.uuid => true}
       done = {}
+      # Build the equivalence class of permissions starting with
+      # self.uuid. On each iteration of this loop, todo contains
+      # the next set of uuids in the permission equivalence class
+      # to evaluate.
       while !todo.empty?
         lookup_uuids = todo.keys
         lookup_uuids.each do |uuid| done[uuid] = true end
         todo = {}
         newgroups = []
+        # include all groups owned by the current set of uuids.
         Group.where('owner_uuid in (?)', lookup_uuids).each do |group|
           newgroups << [group.owner_uuid, group.uuid, 'can_manage']
         end
+        # add any permission links from the current lookup_uuids to a
+        # User or Group.
         Link.where('tail_uuid in (?) and link_class = ? and (head_uuid like ? or head_uuid like ?)',
                    lookup_uuids,
                    'permission',
@@ -146,7 +161,7 @@ class User < ArvadosModel
     # delete repo_perms for this user
     repo_perms = Link.where(tail_uuid: self.uuid,
                             link_class: 'permission',
-                            name: 'can_write')
+                            name: 'can_manage')
     repo_perms.each do |perm|
       Link.delete perm
     end
@@ -203,7 +218,7 @@ class User < ArvadosModel
 
   def check_auto_admin
     if User.where("uuid not like '%-000000000000000'").where(:is_admin => true).count == 0 and Rails.configuration.auto_admin_user
-      if current_user.email == Rails.configuration.auto_admin_user
+      if self.email == Rails.configuration.auto_admin_user
         self.is_admin = true
         self.is_active = true
       end
@@ -297,7 +312,7 @@ class User < ArvadosModel
       repo_perms = Link.where(tail_uuid: self.uuid,
                               head_uuid: repo[:uuid],
                               link_class: 'permission',
-                              name: 'can_write')
+                              name: 'can_manage')
       if repo_perms.any?
         logger.warn "User already has repository access " +
             repo_perms.collect { |p| p[:uuid] }.inspect
@@ -312,7 +327,7 @@ class User < ArvadosModel
     repo_perm = Link.create(tail_uuid: self.uuid,
                             head_uuid: repo[:uuid],
                             link_class: 'permission',
-                            name: 'can_write')
+                            name: 'can_manage')
     logger.info { "repo permission: " + repo_perm[:uuid] }
     return repo_perm
   end