projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge branch '15720-fed-user-list'
[arvados.git] / services / api / app / controllers / arvados / v1 / groups_controller.rb
diff --git a/services/api/app/controllers/arvados/v1/groups_controller.rb b/services/api/app/controllers/arvados/v1/groups_controller.rb
index 9fca207dd2140c858a87708d4879ed12fa096919..46d3a75a3a24407ac8ecb1541f2e646b89daf946 100644 (file)
--- a/services/api/app/controllers/arvados/v1/groups_controller.rb
+++ b/services/api/app/controllers/arvados/v1/groups_controller.rb
@@ -1,17 +1,99 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+require "trashable"
+
 class Arvados::V1::GroupsController < ApplicationController
+  include TrashableController
+
+  skip_before_action :find_object_by_uuid, only: :shared
+  skip_before_action :render_404_if_no_object, only: :shared
+
+  def self._index_requires_parameters
+    (super rescue {}).
+      merge({
+        include_trash: {
+          type: 'boolean', required: false, description: "Include items whose is_trashed attribute is true."
+        },
+      })
+  end
+
+  def self._show_requires_parameters
+    (super rescue {}).
+      merge({
+        include_trash: {
+          type: 'boolean', required: false, description: "Show group/project even if its is_trashed attribute is true."
+        },
+      })
+  end
 
   def self._contents_requires_parameters
-    _index_requires_parameters.
+    params = _index_requires_parameters.
       merge({
               uuid: {
                 type: 'string', required: false, default: nil
               },
-              # include_linked returns name links, which are obsolete, so
-              # remove it when clients have been migrated.
-              include_linked: {
-                type: 'boolean', required: false, default: false
+              recursive: {
+                type: 'boolean', required: false, description: 'Include contents from child groups recursively.'
               },
+              include: {
+                type: 'string', required: false, description: 'Include objects referred to by listed field in "included" (only owner_uuid)'
+              }
             })
+    params.delete(:select)
+    params
+  end
+
+  def self._create_requires_parameters
+    super.merge(
+      {
+        async: {
+          required: false,
+          type: 'boolean',
+          location: 'query',
+          default: false,
+          description: 'defer permissions update'
+        }
+      }
+    )
+  end
+
+  def self._update_requires_parameters
+    super.merge(
+      {
+        async: {
+          required: false,
+          type: 'boolean',
+          location: 'query',
+          default: false,
+          description: 'defer permissions update'
+        }
+      }
+    )
+  end
+
+  def create
+    if params[:async]
+      @object = model_class.new(resource_attrs.merge({async_permissions_update: true}))
+      @object.save!
+      render_accepted
+    else
+      super
+    end
+  end
+
+  def update
+    if params[:async]
+      attrs_to_update = resource_attrs.reject { |k, v|
+        [:kind, :etag, :href].index k
+      }.merge({async_permissions_update: true})
+      @object.update_attributes!(attrs_to_update)
+      @object.save!
+      render_accepted
+    else
+      super
+    end
   end
 
   def render_404_if_no_object
@@ -35,73 +117,207 @@ class Arvados::V1::GroupsController < ApplicationController
   end
 
   def contents
-    # Set @objects:
-    # include_linked returns name links, which are obsolete, so
-    # remove it when clients have been migrated.
-    load_searchable_objects(owner_uuid: @object.andand.uuid,
-                            include_linked: params[:include_linked])
-    sql = 'link_class=? and head_uuid in (?)'
-    sql_params = ['name', @objects.collect(&:uuid)]
-    if @object
-      sql += ' and tail_uuid=?'
-      sql_params << @object.uuid
-    end
-    @links = Link.where sql, *sql_params
-    @object_list = {
-      :kind  => "arvados#objectList",
+    load_searchable_objects
+    list = {
+      :kind => "arvados#objectList",
       :etag => "",
       :self_link => "",
-      :links => @links.as_api_response(nil),
       :offset => @offset,
       :limit => @limit,
       :items_available => @items_available,
       :items => @objects.as_api_response(nil)
     }
-    render json: @object_list
+    if @extra_included
+      list[:included] = @extra_included.as_api_response(nil, {select: @select})
+    end
+    send_json(list)
+  end
+
+  def shared
+    # The purpose of this endpoint is to return the toplevel set of
+    # groups which are *not* reachable through a direct ownership
+    # chain of projects starting from the current user account.  In
+    # other words, groups which to which access was granted via a
+    # permission link or chain of links.
+    #
+    # This also returns (in the "included" field) the objects that own
+    # those projects (users or non-project groups).
+    #
+    #
+    # The intended use of this endpoint is to support clients which
+    # wish to browse those projects which are visible to the user but
+    # are not part of the "home" project.
+
+    load_limit_offset_order_params
+    load_filters_param
+
+    @objects = exclude_home Group.readable_by(*@read_users), Group
+
+    apply_where_limit_order_params
+
+    if params["include"] == "owner_uuid"
+      owners = @objects.map(&:owner_uuid).to_set
+      @extra_included = []
+      [Group, User].each do |klass|
+        @extra_included += klass.readable_by(*@read_users).where(uuid: owners.to_a).to_a
+      end
+    end
+
+    index
+  end
+
+  def self._shared_requires_parameters
+    rp = self._index_requires_parameters
+    rp[:include] = { type: 'string', required: false }
+    rp
   end
 
   protected
 
-  def load_searchable_objects opts
+  def load_searchable_objects
     all_objects = []
     @items_available = 0
 
+    # Reload the orders param, this time without prefixing unqualified
+    # columns ("name" => "groups.name"). Here, unqualified orders
+    # apply to each table being searched, not "groups".
+    load_limit_offset_order_params(fill_table_names: false)
+
     # Trick apply_where_limit_order_params into applying suitable
     # per-table values. *_all are the real ones we'll apply to the
     # aggregate set.
     limit_all = @limit
     offset_all = @offset
+    # save the orders from the current request as determined by load_param,
+    # but otherwise discard them because we're going to be getting objects
+    # from many models
+    request_orders = @orders.clone
     @orders = []
 
-    [Group,
-     Job, PipelineInstance, PipelineTemplate,
+    request_filters = @filters
+
+    klasses = [Group,
+     Job, PipelineInstance, PipelineTemplate, ContainerRequest, Workflow,
      Collection,
-     Human, Specimen, Trait].each do |klass|
-      @objects = klass.readable_by(*@read_users)
-      if klass == Group
-        @objects = @objects.where(group_class: 'project')
+     Human, Specimen, Trait]
+
+    table_names = Hash[klasses.collect { |k| [k, k.table_name] }]
+
+    disabled_methods = Rails.configuration.API.DisabledAPIs
+    avail_klasses = table_names.select{|k, t| !disabled_methods[t+'.index']}
+    klasses = avail_klasses.keys
+
+    request_filters.each do |col, op, val|
+      if col.index('.') && !table_names.values.include?(col.split('.', 2)[0])
+        raise ArgumentError.new("Invalid attribute '#{col}' in filter")
       end
-      if opts[:owner_uuid]
-        conds = []
-        cond_params = []
-        conds << "#{klass.table_name}.owner_uuid = ?"
-        cond_params << opts[:owner_uuid]
-        if conds.any?
-          cond_sql = '(' + conds.join(') OR (') + ')'
-          @objects = @objects.where(cond_sql, *cond_params)
+    end
+
+    wanted_klasses = []
+    request_filters.each do |col,op,val|
+      if op == 'is_a'
+        (val.is_a?(Array) ? val : [val]).each do |type|
+          type = type.split('#')[-1]
+          type[0] = type[0].capitalize
+          wanted_klasses << type
         end
       end
+    end
+
+    filter_by_owner = {}
+    if @object
+      if params['recursive']
+        filter_by_owner[:owner_uuid] = [@object.uuid] + @object.descendant_project_uuids
+      else
+        filter_by_owner[:owner_uuid] = @object.uuid
+      end
+
+      if params['exclude_home_project']
+        raise ArgumentError.new "Cannot use 'exclude_home_project' with a parent object"
+      end
+    end
+
+    included_by_uuid = {}
+
+    seen_last_class = false
+    klasses.each do |klass|
+      @offset = 0 if seen_last_class  # reset offset for the new next type being processed
+
+      # if current klass is same as params['last_object_class'], mark that fact
+      seen_last_class = true if((params['count'].andand.==('none')) and
+                                (params['last_object_class'].nil? or
+                                 params['last_object_class'].empty? or
+                                 params['last_object_class'] == klass.to_s))
+
+      # if klasses are specified, skip all other klass types
+      next if wanted_klasses.any? and !wanted_klasses.include?(klass.to_s)
+
+      # don't reprocess klass types that were already seen
+      next if params['count'] == 'none' and !seen_last_class
+
+      # don't process rest of object types if we already have needed number of objects
+      break if params['count'] == 'none' and all_objects.size >= limit_all
+
+      # If the currently requested orders specifically match the
+      # table_name for the current klass, apply that order.
+      # Otherwise, order by recency.
+      request_order =
+        request_orders.andand.find { |r| r =~ /^#{klass.table_name}\./i || r !~ /\./ } ||
+        klass.default_orders.join(", ")
 
-      @objects = @objects.order("#{klass.table_name}.uuid")
-      @limit = limit_all - all_objects.count
+      @select = nil
+      where_conds = filter_by_owner
+      if klass == Collection
+        @select = klass.selectable_attributes - ["manifest_text"]
+      elsif klass == Group
+        where_conds = where_conds.merge(group_class: "project")
+      end
+
+      @filters = request_filters.map do |col, op, val|
+        if !col.index('.')
+          [col, op, val]
+        elsif (col = col.split('.', 2))[0] == klass.table_name
+          [col[1], op, val]
+        else
+          nil
+        end
+      end.compact
+
+      @objects = klass.readable_by(*@read_users, {:include_trash => params[:include_trash]}).
+                 order(request_order).where(where_conds)
+
+      if params['exclude_home_project']
+        @objects = exclude_home @objects, klass
+      end
+
+      klass_limit = limit_all - all_objects.count
+      @limit = klass_limit
       apply_where_limit_order_params klass
-      klass_items_available = @objects.
-        except(:limit).except(:offset).
-        count(:id, distinct: true)
+      klass_object_list = object_list(model_class: klass)
+      klass_items_available = klass_object_list[:items_available] || 0
       @items_available += klass_items_available
       @offset = [@offset - klass_items_available, 0].max
+      all_objects += klass_object_list[:items]
 
-      all_objects += @objects.to_a
+      if klass_object_list[:limit] < klass_limit
+        # object_list() had to reduce @limit to comply with
+        # max_index_database_read. From now on, we'll do all queries
+        # with limit=0 and just accumulate items_available.
+        limit_all = all_objects.count
+      end
+
+      if params["include"] == "owner_uuid"
+        owners = klass_object_list[:items].map {|i| i[:owner_uuid]}.to_set
+        [Group, User].each do |ownerklass|
+          ownerklass.readable_by(*@read_users).where(uuid: owners.to_a).each do |ow|
+            included_by_uuid[ow.uuid] = ow
+          end
+        end
+      end
+    end
+
+    if params["include"]
+      @extra_included = included_by_uuid.values
     end
 
     @objects = all_objects
@@ -109,4 +325,25 @@ class Arvados::V1::GroupsController < ApplicationController
     @offset = offset_all
   end
 
+  protected
+
+  def exclude_home objectlist, klass
+    # select records that are readable by current user AND
+    #   the owner_uuid is a user (but not the current user) OR
+    #   the owner_uuid is not readable by the current user
+    #   the owner_uuid is a group but group_class is not a project
+
+    read_parent_check = if current_user.is_admin
+                          ""
+                        else
+                          "NOT EXISTS(SELECT 1 FROM #{PERMISSION_VIEW} WHERE "+
+                            "user_uuid=(:user_uuid) AND target_uuid=#{klass.table_name}.owner_uuid AND perm_level >= 1) OR "
+                        end
+
+    objectlist.where("#{klass.table_name}.owner_uuid IN (SELECT users.uuid FROM users WHERE users.uuid != (:user_uuid)) OR "+
+                     read_parent_check+
+                     "EXISTS(SELECT 1 FROM groups as gp where gp.uuid=#{klass.table_name}.owner_uuid and gp.group_class != 'project')",
+                     user_uuid: current_user.uuid)
+  end
+
 end