(not user.username_was.nil?)
}
before_destroy :clear_permissions
- after_destroy :check_permissions
+ after_destroy :remove_self_from_permissions
has_many :authorized_keys, :foreign_key => :authorized_user_uuid, :primary_key => :uuid
has_many :repositories, foreign_key: :owner_uuid, primary_key: :uuid
target_owner_uuid = target.owner_uuid if target.respond_to? :owner_uuid
+ user_uuids_subquery = USER_UUIDS_SUBQUERY_TEMPLATE % {user: "$1", perm_level: "$3"}
+
unless ActiveRecord::Base.connection.
exec_query(%{
SELECT 1 FROM #{PERMISSION_VIEW}
- WHERE user_uuid = $1 and
+ WHERE user_uuid in (#{user_uuids_subquery}) and
((target_uuid = $2 and perm_level >= $3)
or (target_uuid = $4 and perm_level >= $3 and traverse_owned))
},
def before_ownership_change
if owner_uuid_changed? and !self.owner_uuid_was.nil?
MaterializedPermission.where(user_uuid: owner_uuid_was, target_uuid: uuid).delete_all
- update_permissions self.owner_uuid_was, self.uuid, 0
+ update_permissions self.owner_uuid_was, self.uuid, REVOKE_PERM
end
end
def after_ownership_change
if owner_uuid_changed?
- update_permissions self.owner_uuid, self.uuid, 3
+ update_permissions self.owner_uuid, self.uuid, CAN_MANAGE_PERM
end
end
def clear_permissions
- update_permissions self.owner_uuid, self.uuid, 0
- MaterializedPermission.where("user_uuid = ? or target_uuid = ?", uuid, uuid).delete_all
+ MaterializedPermission.where("user_uuid = ? and target_uuid != ?", uuid, uuid).delete_all
end
- def check_permissions
+ def remove_self_from_permissions
+ MaterializedPermission.where("target_uuid = ?", uuid).delete_all
check_permissions_against_full_refresh
end
# Return a hash of {user_uuid: group_perms}
+ #
+ # note: this does not account for permissions that a user gains by
+ # having can_manage on another user.
def self.all_group_permissions
all_perms = {}
ActiveRecord::Base.connection.
- exec_query("SELECT user_uuid, target_uuid, perm_level
+ exec_query(%{
+SELECT user_uuid, target_uuid, perm_level
FROM #{PERMISSION_VIEW}
- WHERE traverse_owned",
+ WHERE traverse_owned
+},
# "name" arg is a query label that appears in logs:
"all_group_permissions").
rows.each do |user_uuid, group_uuid, max_p_val|
# objects owned by group_uuid.
def group_permissions(level=1)
group_perms = {}
+
+ user_uuids_subquery = USER_UUIDS_SUBQUERY_TEMPLATE % {user: "$1", perm_level: "$2"}
+
ActiveRecord::Base.connection.
exec_query(%{
SELECT target_uuid, perm_level
FROM #{PERMISSION_VIEW}
- WHERE user_uuid = $1 and perm_level >= $2
+ WHERE user_uuid in (#{user_uuids_subquery}) and perm_level >= $2
},
# "name" arg is a query label that appears in logs:
- "group_permissions_for_user",
+ "User.group_permissions",
# "binds" arg is an array of [col_id, value] for '$1' vars:
[[nil, uuid],
[nil, level]]).
raise "cannot merge to an already merged user" if new_user.redirect_to_user_uuid
self.clear_permissions
+ new_user.clear_permissions
# If 'self' is a remote user, don't transfer authorizations
# (i.e. ability to access the account) to the new user, because
update_attributes!(redirect_to_user_uuid: new_user.uuid, username: nil)
end
skip_check_permissions_against_full_refresh do
- update_permissions self.owner_uuid, self.uuid, 3
+ update_permissions self.uuid, self.uuid, CAN_MANAGE_PERM
+ update_permissions new_user.uuid, new_user.uuid, CAN_MANAGE_PERM
+ update_permissions new_user.owner_uuid, new_user.uuid, CAN_MANAGE_PERM
end
- update_permissions new_user.owner_uuid, new_user.uuid, 3
+ update_permissions self.owner_uuid, self.uuid, CAN_MANAGE_PERM
end
end
projects / arvados.git / blobdiff