projects
/
arvados.git
/ blobdiff
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
3235: Split GroupsController#contents logic out to load_searchable_objects.
[arvados.git]
/
services
/
api
/
app
/
models
/
user.rb
diff --git
a/services/api/app/models/user.rb
b/services/api/app/models/user.rb
index 8743b92b25e78c46fa8a99a41e2a3a27cdbf0e07..e79c485f17493cde51cb7bec59c212bb5dc7857e 100644
(file)
--- a/
services/api/app/models/user.rb
+++ b/
services/api/app/models/user.rb
@@
-12,7
+12,7
@@
class User < ArvadosModel
before_update :prevent_inactive_admin
before_create :check_auto_admin
after_create :add_system_group_permission_link
before_update :prevent_inactive_admin
before_create :check_auto_admin
after_create :add_system_group_permission_link
- after_create
AdminNotifier
+ after_create
:send_admin_notifications
has_many :authorized_keys, :foreign_key => :authorized_user_uuid, :primary_key => :uuid
has_many :authorized_keys, :foreign_key => :authorized_user_uuid, :primary_key => :uuid
@@
-41,7
+41,11
@@
class User < ArvadosModel
end
def groups_i_can(verb)
end
def groups_i_can(verb)
- self.group_permissions.select { |uuid, mask| mask[verb] }.keys
+ my_groups = self.group_permissions.select { |uuid, mask| mask[verb] }.keys
+ if verb == :read
+ my_groups << anonymous_group_uuid
+ end
+ my_groups
end
def can?(actions)
end
def can?(actions)
@@
-71,19
+75,30
@@
class User < ArvadosModel
# Return a hash of {group_uuid: perm_hash} where perm_hash[:read]
# and perm_hash[:write] are true if this user can read and write
# objects owned by group_uuid.
# Return a hash of {group_uuid: perm_hash} where perm_hash[:read]
# and perm_hash[:write] are true if this user can read and write
# objects owned by group_uuid.
+ #
+ # The permission graph is built by repeatedly enumerating all
+ # permission links reachable from self.uuid, and then calling
+ # search_permissions
def group_permissions
Rails.cache.fetch "groups_for_user_#{self.uuid}" do
permissions_from = {}
todo = {self.uuid => true}
done = {}
def group_permissions
Rails.cache.fetch "groups_for_user_#{self.uuid}" do
permissions_from = {}
todo = {self.uuid => true}
done = {}
+ # Build the equivalence class of permissions starting with
+ # self.uuid. On each iteration of this loop, todo contains
+ # the next set of uuids in the permission equivalence class
+ # to evaluate.
while !todo.empty?
lookup_uuids = todo.keys
lookup_uuids.each do |uuid| done[uuid] = true end
todo = {}
newgroups = []
while !todo.empty?
lookup_uuids = todo.keys
lookup_uuids.each do |uuid| done[uuid] = true end
todo = {}
newgroups = []
+ # include all groups owned by the current set of uuids.
Group.where('owner_uuid in (?)', lookup_uuids).each do |group|
newgroups << [group.owner_uuid, group.uuid, 'can_manage']
end
Group.where('owner_uuid in (?)', lookup_uuids).each do |group|
newgroups << [group.owner_uuid, group.uuid, 'can_manage']
end
+ # add any permission links from the current lookup_uuids to a
+ # User or Group.
Link.where('tail_uuid in (?) and link_class = ? and (head_uuid like ? or head_uuid like ?)',
lookup_uuids,
'permission',
Link.where('tail_uuid in (?) and link_class = ? and (head_uuid like ? or head_uuid like ?)',
lookup_uuids,
'permission',
@@
-338,21
+353,21
@@
class User < ArvadosModel
perm_exists = false
login_perms.each do |perm|
perm_exists = false
login_perms.each do |perm|
- if perm.properties[
:username
] == repo_name
- perm_exists =
true
+ if perm.properties[
'username'
] == repo_name
+ perm_exists =
perm
break
end
end
break
end
end
- if !perm_exists
+ if perm_exists
+ login_perm = perm_exists
+ else
login_perm = Link.create(tail_uuid: self.uuid,
head_uuid: vm[:uuid],
link_class: 'permission',
name: 'can_login',
login_perm = Link.create(tail_uuid: self.uuid,
head_uuid: vm[:uuid],
link_class: 'permission',
name: 'can_login',
- properties: {
username:
repo_name})
+ properties: {
'username' =>
repo_name})
logger.info { "login permission: " + login_perm[:uuid] }
logger.info { "login permission: " + login_perm[:uuid] }
- else
- login_perm = login_perms.first
end
return login_perm
end
return login_perm
@@
-402,4
+417,12
@@
class User < ArvadosModel
head_uuid: self.uuid)
end
end
head_uuid: self.uuid)
end
end
+
+ # Send admin notifications
+ def send_admin_notifications
+ AdminNotifier.new_user(self).deliver
+ if not self.is_active then
+ AdminNotifier.new_inactive_user(self).deliver
+ end
+ end
end
end