18691: Refactor frozen_groups check.
[arvados.git] / services / api / app / models / user.rb
index febb8ea51611eb5a21549b8133770fe059a2ca5c..096f5a86a4816b3ef889533ceea7e07cfe9301ac 100644 (file)
@@ -86,6 +86,7 @@ class User < ArvadosModel
   VAL_FOR_PERM =
     {:read => 1,
      :write => 2,
+     :unfreeze => 2,
      :manage => 3}
 
 
@@ -140,6 +141,21 @@ SELECT 1 FROM #{PERMISSION_VIEW}
                   ).any?
         return false
       end
+
+      if action == :write
+        if FrozenGroup.where(uuid: [target_uuid, target_owner_uuid]).any?
+          # self or parent is frozen
+          return false
+        end
+      elsif action == :unfreeze
+        # "unfreeze" permission means "could write if target weren't
+        # frozen", which is relevant when a user is un-freezing a
+        # project. If the permission query above allows :write, and
+        # the parent isn't also frozen, then un-freeze is allowed.
+        if FrozenGroup.where(uuid: target_owner_uuid).any?
+          return false
+        end
+      end
     end
     true
   end
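Review bot: The `action == :write` branch consults only `target_uuid` and `target_owner_uuid`, so writes to something nested deeper under a frozen project are refused only if `FrozenGroup` also has a row for every descendant project, which this hunk does not show; the `# self or parent is frozen` comment should state that dependency, for example `# FrozenGroup is expected to list every project under a frozen one, so two lookups suffice`. Neither branch runs for `:manage`, so a `:manage` check on a frozen target still returns true once the permission query passes; if any caller authorizes a modification with `:manage`, that path is not covered by the freeze and deserves a test. The `:unfreeze` branch leans on `:unfreeze => 2` matching `:write => 2` in `VAL_FOR_PERM` (first hunk), and a short comment on that entry saying the equality is deliberate would keep the two from drifting apart. The method begins above the hunk, so how `target_owner_uuid` is populated is not visible here.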