+
+ protected
+
+ def permission_to_attach_to_objects
+ # Anonymous users cannot write metadata
+ return false if !current_user
+
+ # All users can write metadata that doesn't affect permissions
+ return true if self.metadata_class != 'permission'
+
+ # Administrators can grant permissions
+ return true if current_user.is_admin
+
+ # All users can grant permissions on objects they own
+ head_obj = self.class.
+ kind_class(self.head_kind).
+ where('uuid=?',head_uuid).
+ first
+ if head_obj
+ return true if head_obj.owner == current_user.uuid
+ end
+
+ # Users with "can_grant" permission on an object can grant
+ # permissions on that object
+ has_grant_permission = self.class.
+ where('metadata_class=? AND name=? AND tail=? AND head=?',
+ 'permission', 'can_grant', current_user.uuid, self.head).
+ count > 0
+ return true if has_grant_permission
+
+ # Default = deny.
+ false
+ end