projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
When auto_admin_first_user is set to true (default false), the first
[arvados.git] / services / api / app / models / user.rb
diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index 446a61f255761f5ff37eb6e3a895def86c477cde..3b201b5babd90ee9244263737e499b8a381b35a6 100644 (file)
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -29,6 +29,7 @@ class User < ArvadosModel
     t.add :is_admin
     t.add :is_invited
     t.add :prefs
+    t.add :writable_by
   end
 
   ALL_PERMISSIONS = {read: true, write: true, manage: true}
@@ -70,6 +71,30 @@ class User < ArvadosModel
         next if (group_permissions[target.owner_uuid] and
                  group_permissions[target.owner_uuid][action])
       end
+      sufficient_perms = case action
+                         when :manage
+                           ['can_manage']
+                         when :write
+                           ['can_manage', 'can_write']
+                         when :read
+                           ['can_manage', 'can_write', 'can_read']
+                         else
+                           # (Skip this kind of permission opportunity
+                           # if action is an unknown permission type)
+                         end
+      if sufficient_perms
+        # Check permission links with head_uuid pointing directly at
+        # the target object. If target is a Group, this is redundant
+        # and will fail except [a] if permission caching is broken or
+        # [b] during a race condition, where a permission link has
+        # *just* been added.
+        if Link.where(link_class: 'permission',
+                      name: sufficient_perms,
+                      tail_uuid: groups_i_can(action) + [self.uuid],
+                      head_uuid: target_uuid).any?
+          next
+        end
+      end
       return false
     end
     true
@@ -209,8 +234,10 @@ class User < ArvadosModel
   end
 
   def check_auto_admin
-    if User.where("uuid not like '%-000000000000000'").where(:is_admin => true).count == 0 and Rails.configuration.auto_admin_user
-      if self.email == Rails.configuration.auto_admin_user
+    if not self.uuid.end_with?('anonymouspublic') and
+       User.where("uuid not like '%-000000000000000'").where(:is_admin => true).count == 0
+      if (Rails.configuration.auto_admin_user and self.email == Rails.configuration.auto_admin_user) or
+         Rails.configuration.auto_admin_first_user
         self.is_admin = true
         self.is_active = true
       end
@@ -426,6 +453,8 @@ class User < ArvadosModel
   def auto_setup_new_user
     return true if !Rails.configuration.auto_setup_new_users
     return true if !self.email
+    return true if self.uuid == system_user_uuid
+    return true if self.uuid == anonymous_user_uuid
 
     if Rails.configuration.auto_setup_new_users_with_vm_uuid ||
        Rails.configuration.auto_setup_new_users_with_repository