around_filter :thread_with_auth_info, :except => [:render_error, :render_not_found]
before_filter :remote_ip
- before_filter :login_required, :except => :render_not_found
+ before_filter :require_auth_scope_all, :except => :render_not_found
before_filter :catch_redirect_hint
before_filter :load_where_param, :only => :index
collect { |uuid| model_class.sanitize(uuid) }.join(', ')
or_references_me = ''
if model_class == Link and current_user
- or_references_me = "OR #{model_class.sanitize current_user.uuid} IN (#{table_name}.head_uuid, #{table_name}.tail_uuid)"
+ or_references_me = "OR (#{table_name}.link_class in (#{model_class.sanitize 'permission'}, #{model_class.sanitize 'resources'}) AND #{model_class.sanitize current_user.uuid} IN (#{table_name}.head_uuid, #{table_name}.tail_uuid))"
end
@objects ||= model_class.
- joins("LEFT JOIN links permissions ON permissions.head_uuid in (#{table_name}.owner, #{table_name}.uuid) AND permissions.tail_uuid in (#{sanitized_uuid_list}) AND permissions.link_class='permission'").
- where("?=? OR #{table_name}.owner in (?) OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL #{or_references_me}",
+ joins("LEFT JOIN links permissions ON permissions.head_uuid in (#{table_name}.owner_uuid, #{table_name}.uuid) AND permissions.tail_uuid in (#{sanitized_uuid_list}) AND permissions.link_class='permission'").
+ where("?=? OR #{table_name}.owner_uuid in (?) OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL #{or_references_me}",
true, current_user.is_admin,
uuid_list,
current_user.uuid)
message << " hash provided with request"
raise ArgumentError.new(message)
end
- %w(created_at modified_by_client modified_by_user modified_at).each do |x|
+ %w(created_at modified_by_client_uuid modified_by_user_uuid modified_at).each do |x|
@attrs.delete x
end
@attrs
end
# Authentication
- def login_required
- if !current_user
+ def require_login
+ if current_user
+ true
+ else
respond_to do |format|
format.json {
render :json => { errors: ['Not logged in'] }.to_json, status: 401
redirect_to '/auth/joshid'
}
end
+ false
end
end
end
end
+ def require_auth_scope_all
+ require_login and require_auth_scope(['all'])
+ end
+
+ def require_auth_scope(ok_scopes)
+ unless current_api_client_auth_has_scope(ok_scopes)
+ render :json => { errors: ['Forbidden'] }.to_json, status: 403
+ end
+ end
+
def thread_with_auth_info
begin
user = nil
projects / arvados.git / blobdiff