validate :identity_url_nil_if_empty
before_update :prevent_privilege_escalation
before_update :prevent_inactive_admin
+ before_update :prevent_nonadmin_system_root
before_update :verify_repositories_empty, :if => Proc.new {
username.nil? and username_changed?
}
t.add :is_invited
t.add :prefs
t.add :writable_by
+ t.add :can_write
+ t.add :can_manage
end
ALL_PERMISSIONS = {read: true, write: true, manage: true}
end
next if target_uuid == self.uuid
+ if action == :write && target && !target.new_record? &&
+ target.respond_to?(:frozen_by_uuid) &&
+ target.frozen_by_uuid_was
+ # Just an optimization to skip the PERMISSION_VIEW and
+ # FrozenGroup queries below
+ return false
+ end
+
target_owner_uuid = target.owner_uuid if target.respond_to? :owner_uuid
user_uuids_subquery = USER_UUIDS_SUBQUERY_TEMPLATE % {user: "$1", perm_level: "$3"}
# delete user signatures, login, repo, and vm perms, and mark as inactive
def unsetup
+ if self.uuid == system_user_uuid
+ raise "System root user cannot be deactivated"
+ end
+
# delete oid_login_perms for this user
#
- # note: these permission links are obsolete, they have no effect
- # on anything and they are not created for new users.
+ # note: these permission links are obsolete anyway: they have no
+ # effect on anything and they are not created for new users.
Link.where(tail_uuid: self.email,
- link_class: 'permission',
- name: 'can_login').destroy_all
-
- # delete repo_perms for this user
- Link.where(tail_uuid: self.uuid,
- link_class: 'permission',
- name: 'can_manage').destroy_all
-
- # delete vm_login_perms for this user
- Link.where(tail_uuid: self.uuid,
- link_class: 'permission',
- name: 'can_login').destroy_all
+ link_class: 'permission',
+ name: 'can_login').destroy_all
- # delete "All users" group read permissions for this user
+ # Delete all sharing permissions so (a) the user doesn't
+ # automatically regain access to anything if re-setup in future,
+ # (b) the user doesn't appear in "currently shared with" lists
+ # shown to other users.
+ #
+ # Notably this includes the can_read -> "all users" group
+ # permission.
Link.where(tail_uuid: self.uuid,
- head_uuid: all_users_group_uuid,
- link_class: 'permission',
- name: 'can_read').destroy_all
+ link_class: 'permission').destroy_all
# delete any signatures by this user
Link.where(link_class: 'signature',
- tail_uuid: self.uuid).destroy_all
+ tail_uuid: self.uuid).destroy_all
# delete tokens for this user
ApiClientAuthorization.where(user_id: self.id).destroy_all
self.save!
end
+ # Called from ArvadosModel
+ def set_default_owner
+ self.owner_uuid = system_user_uuid
+ end
+
def must_unsetup_to_deactivate
if !self.new_record? &&
self.uuid[0..4] == Rails.configuration.Login.LoginCluster &&
#
if Link.where(tail_uuid: self.uuid,
head_uuid: all_users_group_uuid,
- link_class: 'permission',
- name: 'can_read').any?
+ link_class: 'permission').any?
errors.add :is_active, "cannot be set to false directly, use the 'Deactivate' button on Workbench, or the 'unsetup' API call"
end
end
end
if redirect_to_new_user
- update_attributes!(redirect_to_user_uuid: new_user.uuid, username: nil)
+ update!(redirect_to_user_uuid: new_user.uuid, username: nil)
end
skip_check_permissions_against_full_refresh do
update_permissions self.uuid, self.uuid, CAN_MANAGE_PERM
protected
+ def self.attributes_required_columns
+ super.merge(
+ 'can_write' => ['owner_uuid', 'uuid'],
+ 'can_manage' => ['owner_uuid', 'uuid'],
+ )
+ end
+
def change_all_uuid_refs(old_uuid:, new_uuid:)
ActiveRecord::Base.descendants.reject(&:abstract_class?).each do |klass|
klass.columns.each do |col|
true
end
+ def prevent_nonadmin_system_root
+ if self.uuid == system_user_uuid and self.is_admin_changed? and !self.is_admin
+ raise "System root user cannot be non-admin"
+ end
+ true
+ end
+
def search_permissions(start, graph, merged={}, upstream_mask=nil, upstream_path={})
nextpaths = graph[start]
return merged if !nextpaths
resp = [Link.where(tail_uuid: self.uuid,
head_uuid: all_users_group_uuid,
link_class: 'permission',
- name: 'can_read').first ||
+ name: 'can_write').first ||
Link.create(tail_uuid: self.uuid,
head_uuid: all_users_group_uuid,
link_class: 'permission',
- name: 'can_read')]
+ name: 'can_write')]
if Rails.configuration.Users.ActivatedUsersAreVisibleToOthers
resp += [Link.where(tail_uuid: all_users_group_uuid,
head_uuid: self.uuid,