X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/2bc21107e3fa6c4ecea7efb22e4dfc7e30b3233d..b629d9e88ad0c6e62018a8fb4768013975eccc70:/services/api/app/models/log.rb

diff --git a/services/api/app/models/log.rb b/services/api/app/models/log.rb
index 7a8b50a6c4..75e1a4e402 100644
--- a/services/api/app/models/log.rb
+++ b/services/api/app/models/log.rb
@@ -1,11 +1,17 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+require 'audit_logs'
+
 class Log < ArvadosModel
   include HasUuid
   include KindAndEtag
   include CommonApiTemplate
   serialize :properties, Hash
   before_validation :set_default_event_at
-  attr_accessor :object, :object_kind
   after_save :send_notify
+  after_commit { AuditLogs.tidy_in_background }
 
   api_accessible :user, extend: :common do |t|
     t.add :id
@@ -47,22 +53,26 @@ class Log < ArvadosModel
       self.event_at = thing.created_at
     when "update"
       self.event_at = thing.modified_at
-    when "destroy"
+    when "delete"
       self.event_at = db_current_time
     end
     self
   end
 
-  def self.readable_by *users_list
+  def self.readable_by(*users_list)
+    if users_list.last.is_a? Hash
+      users_list.pop
+    end
     if users_list.select { |u| u.is_admin }.any?
       return self
     end
     user_uuids = users_list.map { |u| u.uuid }
-    uuid_list = user_uuids + users_list.flat_map { |u| u.groups_i_can(:read) }
-    permitted_uuids = "(SELECT head_uuid FROM links WHERE link_class='permission' AND tail_uuid IN (?))"
+
     joins("LEFT JOIN container_requests ON container_requests.container_uuid=logs.object_uuid").
-      where("logs.object_uuid IN #{permitted_uuids} OR container_requests.uuid IN (?)  OR container_requests.owner_uuid IN (?) OR logs.object_uuid IN (?) OR logs.object_owner_uuid IN (?)",
-            uuid_list, uuid_list, uuid_list, uuid_list, uuid_list)
+      where("EXISTS(SELECT target_uuid FROM #{PERMISSION_VIEW} "+
+            "WHERE user_uuid IN (:user_uuids) AND perm_level >= 1 AND "+
+            "target_uuid IN (container_requests.uuid, container_requests.owner_uuid, logs.object_uuid, logs.owner_uuid, logs.object_owner_uuid))",
+            user_uuids: user_uuids)
   end
 
   protected
@@ -94,7 +104,6 @@ class Log < ArvadosModel
   end
 
   def send_notify
-    connection.execute "NOTIFY logs, '#{self.id}'"
+    ActiveRecord::Base.connection.execute "NOTIFY logs, '#{self.id}'"
   end
-
 end