X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/2e03d03bc55b5a612c2bf04d878a72f2ee420d99..6ad3e0ec18c16248aad6922a8f9fb594f8eda76c:/services/api/app/models/user.rb?ds=inline
diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index 1662278cc3..afc2d18b8a 100644
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -56,8 +56,8 @@ class User < ArvadosModel
 before_destroy :clear_permissions
 after_destroy :remove_self_from_permissions
- has_many :authorized_keys, :foreign_key => :authorized_user_uuid, :primary_key => :uuid
- has_many :repositories, foreign_key: :owner_uuid, primary_key: :uuid
+ has_many :authorized_keys, foreign_key: 'authorized_user_uuid', primary_key: 'uuid'
+ has_many :repositories, foreign_key: 'owner_uuid', primary_key: 'uuid'
 default_scope { where('redirect_to_user_uuid is null') }
@@ -308,31 +308,25 @@ SELECT target_uuid, perm_level
 # delete oid_login_perms for this user
 #
- # note: these permission links are obsolete, they have no effect
- # on anything and they are not created for new users.
+ # note: these permission links are obsolete anyway: they have no
+ # effect on anything and they are not created for new users.
 Link.where(tail_uuid: self.email,
- link_class: 'permission',
- name: 'can_login').destroy_all
+ link_class: 'permission',
+ name: 'can_login').destroy_all
- # delete repo_perms for this user
- Link.where(tail_uuid: self.uuid,
- link_class: 'permission',
- name: 'can_manage').destroy_all
-
- # delete vm_login_perms for this user
- Link.where(tail_uuid: self.uuid,
- link_class: 'permission',
- name: 'can_login').destroy_all
-
- # delete "All users" group read permissions for this user
+ # Delete all sharing permissions so (a) the user doesn't
+ # automatically regain access to anything if re-setup in future,
+ # (b) the user doesn't appear in "currently shared with" lists
+ # shown to other users.
+ #
+ # Notably this includes the can_read -> "all users" group
+ # permission.
 Link.where(tail_uuid: self.uuid,
- head_uuid: all_users_group_uuid,
- link_class: 'permission',
- name: 'can_read').destroy_all
+ link_class: 'permission').destroy_all
 # delete any signatures by this user
 Link.where(link_class: 'signature',
- tail_uuid: self.uuid).destroy_all
+ tail_uuid: self.uuid).destroy_all
 # delete tokens for this user
 ApiClientAuthorization.where(user_id: self.id).destroy_all
@@ -381,8 +375,7 @@ SELECT target_uuid, perm_level
 #
 if Link.where(tail_uuid: self.uuid,
 head_uuid: all_users_group_uuid,
- link_class: 'permission',
- name: 'can_read').any?
+ link_class: 'permission').any?
 errors.add :is_active, "cannot be set to false directly, use the 'Deactivate' button on Workbench, or the 'unsetup' API call"
 end
 end
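Review bot: In the @@ -308,31 hunk, the comment above `Link.where(tail_uuid: self.uuid, link_class: 'permission').destroy_all` names only the can_read link to the "all users" group, while the same query now also stands in for the removed repository `can_manage` and VM `can_login` deletions and for every other permission link whose tail is this user. Since this is the step that revokes a deactivated user's access, I would say so explicitly, e.g. add `# This also replaces the separate can_manage (repository) and can_login (VM) deletions.` to the comment block. The filter matches only `tail_uuid`, so links that name the user as `head_uuid` are left in place, which looks intended but is worth a sentence as well. The enclosing method starts and ends outside the hunk, so whether these `destroy_all` calls run inside one transaction is not visible here.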
@@ -504,7 +497,7 @@ SELECT target_uuid, perm_level
 end
 if redirect_to_new_user
- update_attributes!(redirect_to_user_uuid: new_user.uuid, username: nil)
+ update!(redirect_to_user_uuid: new_user.uuid, username: nil)
 end
 skip_check_permissions_against_full_refresh do
 update_permissions self.uuid, self.uuid, CAN_MANAGE_PERM
@@ -785,11 +778,11 @@ SELECT target_uuid, perm_level
 resp = [Link.where(tail_uuid: self.uuid,
 head_uuid: all_users_group_uuid,
 link_class: 'permission',
- name: 'can_read').first ||
+ name: 'can_write').first ||
 Link.create(tail_uuid: self.uuid,
 head_uuid: all_users_group_uuid,
 link_class: 'permission',
- name: 'can_read')]
+ name: 'can_write')]
 if Rails.configuration.Users.ActivatedUsersAreVisibleToOthers
 resp += [Link.where(tail_uuid: all_users_group_uuid,
 head_uuid: self.uuid,
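Review bot: In the @@ -785,11 hunk, the lookup `Link.where(..., name: 'can_write').first` no longer matches a user's existing can_read link to the all-users group, so for such a user the `Link.create` branch adds a second link next to the old one; whether a migration elsewhere converts those rows is not visible in this diff. Because the change raises every set-up user from read to write on that group, I would look the link up by `link_class: 'permission'` alone, as the relaxed check in the @@ -381,8 hunk does, and upgrade it in place: `link.update!(name: 'can_write') if link && link.name != 'can_write'`. `Link.create` (no bang) also returns an unsaved record when validation fails, so `resp` can carry a link that was never persisted. The method continues past the end of the hunk.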