end
def initialize raw_params={}
- begin
- super self.class.permit_attribute_params(raw_params)
- rescue Exception => e
- logger.debug raw_params
- logger.debug self.class.permit_attribute_params(raw_params).inspect
- logger.debug self.class.attribute_info.inspect
- raise e
- end
+ super self.class.permit_attribute_params(raw_params)
@attribute_sortkey ||= {
'id' => nil,
'name' => '000',
# strong_parameters does not provide security in Workbench: anyone
# who can get this far can just as well do a call directly to our
# database (Arvados) with the same credentials we use.
+ #
+ # The following permit! is necessary even with
+ # "ActionController::Parameters.permit_all_parameters = true",
+ # because permit_all does not permit nested attributes.
ActionController::Parameters.new(raw_params).permit!
end
def self.create raw_params={}
- logger.error permit_attribute_params(raw_params).inspect
super(permit_attribute_params(raw_params))
end
(current_user and current_user.is_active and
(current_user.is_admin or
current_user.uuid == self.owner_uuid or
- new_record?))
+ new_record? or
+ (writable_by.include? current_user.uuid rescue false)))
end
def attribute_editable?(attr)
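Review bot: The inline `rescue false` on the added `writable_by.include? current_user.uuid` line swallows every StandardError raised while evaluating the permission check, so a nil `writable_by`, a missing attribute and a failed lookup all silently read as "not writable". It fails closed, which is the right direction for an authorization-adjacent predicate, but the cause of a wrong answer becomes invisible. Consider spelling out the expected case instead, something like `Array(writable_by).include?(current_user.uuid)` guarded by `respond_to?(:writable_by)` if only some models expose that attribute, and let unexpected errors surface or be logged. The same pattern is in the added `owner` method (`ArvadosBase.find(owner_uuid) rescue nil`), where a caller cannot tell "no owner" from "lookup failed". The method containing this condition begins outside the hunk.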
false
elsif not (current_user.andand.is_active)
false
- elsif "uuid owner_uuid".index(attr.to_s) or current_user.is_admin
+ elsif attr == 'uuid'
current_user.is_admin
else
- current_user.uuid == self.owner_uuid or
- current_user.uuid == self.uuid or
- new_record?
+ editable?
end
end
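Review bot: The new `elsif attr == 'uuid'` branch compares `attr` to a String directly, whereas the removed line normalised it with `attr.to_s`; if any caller passes a Symbol, `:uuid` misses the admin-only branch and falls through to the broader `editable?` check. `elsif attr.to_s == 'uuid'` keeps the earlier tolerance. Separately, `owner_uuid` was in the admin-only list before and is now governed by `editable?`. If that is intended, a short comment on the `else` branch saying that ownership changes are allowed to anyone who can edit the object would make the widening explicit. The opening `if` of this method is outside the hunk.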
friendly_link_name
end
+ def owner
+ ArvadosBase.find(owner_uuid) rescue nil
+ end
+
protected
def forget_uuid!