X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/17745128f72eeaef62ea2d367ec316502107f272..71fd7a7a8bc1d00ef0ed3a9e6e5240c13b7967a0:/services/api/app/models/group.rb diff --git a/services/api/app/models/group.rb b/services/api/app/models/group.rb index e16433c815..7e015f3564 100644 --- a/services/api/app/models/group.rb +++ b/services/api/app/models/group.rb @@ -25,6 +25,8 @@ class Group < ArvadosModel before_update :before_ownership_change after_update :after_ownership_change + after_create :add_role_manage_link + after_update :update_trash before_destroy :clear_permissions_and_trash @@ -55,7 +57,7 @@ class Group < ArvadosModel end def update_trash - if trash_at_changed? or owner_uuid_changed? + if saved_change_to_trash_at? or saved_change_to_owner_uuid? # The group was added or removed from the trash. # # Strategy: @@ -95,7 +97,7 @@ on conflict (group_uuid) do update set trash_at=EXCLUDED.trash_at; end def after_ownership_change - if owner_uuid_changed? + if saved_change_to_owner_uuid? update_permissions self.owner_uuid, self.uuid, CAN_MANAGE_PERM end end @@ -114,4 +116,33 @@ delete from trashed_groups where group_uuid=$1 end true end + + def ensure_owner_uuid_is_permitted + if group_class == "role" + @requested_manager_uuid = nil + if new_record? + @requested_manager_uuid = owner_uuid + self.owner_uuid = system_user_uuid + return true + end + if self.owner_uuid != system_user_uuid + raise "Owner uuid for role must be system user" + end + raise PermissionDeniedError unless current_user.can?(manage: uuid) + true + else + super + end + end + + def add_role_manage_link + if group_class == "role" && @requested_manager_uuid + act_as_system_user do + Link.create!(tail_uuid: @requested_manager_uuid, + head_uuid: self.uuid, + link_class: "permission", + name: "can_manage") + end + end + end end