X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/32002eb6e87a391d1fad2b1b206dbc74d6659fc5..c371555926e3f361497b2bb1c9531fcaf7283ed4:/services/api/app/controllers/arvados/v1/groups_controller.rb diff --git a/services/api/app/controllers/arvados/v1/groups_controller.rb b/services/api/app/controllers/arvados/v1/groups_controller.rb index c82ffb49cd..46d3a75a3a 100644 --- a/services/api/app/controllers/arvados/v1/groups_controller.rb +++ b/services/api/app/controllers/arvados/v1/groups_controller.rb @@ -1,17 +1,99 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: AGPL-3.0 + +require "trashable" + class Arvados::V1::GroupsController < ApplicationController + include TrashableController + + skip_before_action :find_object_by_uuid, only: :shared + skip_before_action :render_404_if_no_object, only: :shared + + def self._index_requires_parameters + (super rescue {}). + merge({ + include_trash: { + type: 'boolean', required: false, description: "Include items whose is_trashed attribute is true." + }, + }) + end + + def self._show_requires_parameters + (super rescue {}). + merge({ + include_trash: { + type: 'boolean', required: false, description: "Show group/project even if its is_trashed attribute is true." + }, + }) + end def self._contents_requires_parameters - _index_requires_parameters. + params = _index_requires_parameters. merge({ uuid: { type: 'string', required: false, default: nil }, - # include_linked returns name links, which are obsolete, so - # remove it when clients have been migrated. - include_linked: { - type: 'boolean', required: false, default: false + recursive: { + type: 'boolean', required: false, description: 'Include contents from child groups recursively.' }, + include: { + type: 'string', required: false, description: 'Include objects referred to by listed field in "included" (only owner_uuid)' + } }) + params.delete(:select) + params + end + + def self._create_requires_parameters + super.merge( + { + async: { + required: false, + type: 'boolean', + location: 'query', + default: false, + description: 'defer permissions update' + } + } + ) + end + + def self._update_requires_parameters + super.merge( + { + async: { + required: false, + type: 'boolean', + location: 'query', + default: false, + description: 'defer permissions update' + } + } + ) + end + + def create + if params[:async] + @object = model_class.new(resource_attrs.merge({async_permissions_update: true})) + @object.save! + render_accepted + else + super + end + end + + def update + if params[:async] + attrs_to_update = resource_attrs.reject { |k, v| + [:kind, :etag, :href].index k + }.merge({async_permissions_update: true}) + @object.update_attributes!(attrs_to_update) + @object.save! + render_accepted + else + super + end end def render_404_if_no_object @@ -35,37 +117,72 @@ class Arvados::V1::GroupsController < ApplicationController end def contents - # Set @objects: - # include_linked returns name links, which are obsolete, so - # remove it when clients have been migrated. - load_searchable_objects(owner_uuid: @object.andand.uuid, - include_linked: params[:include_linked]) - sql = 'link_class=? and head_uuid in (?)' - sql_params = ['name', @objects.collect(&:uuid)] - if @object - sql += ' and tail_uuid=?' - sql_params << @object.uuid - end - @links = Link.where sql, *sql_params - @object_list = { - :kind => "arvados#objectList", + load_searchable_objects + list = { + :kind => "arvados#objectList", :etag => "", :self_link => "", - :links => @links.as_api_response(nil), :offset => @offset, :limit => @limit, :items_available => @items_available, :items => @objects.as_api_response(nil) } - send_json @object_list + if @extra_included + list[:included] = @extra_included.as_api_response(nil, {select: @select}) + end + send_json(list) + end + + def shared + # The purpose of this endpoint is to return the toplevel set of + # groups which are *not* reachable through a direct ownership + # chain of projects starting from the current user account. In + # other words, groups which to which access was granted via a + # permission link or chain of links. + # + # This also returns (in the "included" field) the objects that own + # those projects (users or non-project groups). + # + # + # The intended use of this endpoint is to support clients which + # wish to browse those projects which are visible to the user but + # are not part of the "home" project. + + load_limit_offset_order_params + load_filters_param + + @objects = exclude_home Group.readable_by(*@read_users), Group + + apply_where_limit_order_params + + if params["include"] == "owner_uuid" + owners = @objects.map(&:owner_uuid).to_set + @extra_included = [] + [Group, User].each do |klass| + @extra_included += klass.readable_by(*@read_users).where(uuid: owners.to_a).to_a + end + end + + index + end + + def self._shared_requires_parameters + rp = self._index_requires_parameters + rp[:include] = { type: 'string', required: false } + rp end protected - def load_searchable_objects opts + def load_searchable_objects all_objects = [] @items_available = 0 + # Reload the orders param, this time without prefixing unqualified + # columns ("name" => "groups.name"). Here, unqualified orders + # apply to each table being searched, not "groups". + load_limit_offset_order_params(fill_table_names: false) + # Trick apply_where_limit_order_params into applying suitable # per-table values. *_all are the real ones we'll apply to the # aggregate set. @@ -77,43 +194,130 @@ class Arvados::V1::GroupsController < ApplicationController request_orders = @orders.clone @orders = [] - [Group, - Job, PipelineInstance, PipelineTemplate, + request_filters = @filters + + klasses = [Group, + Job, PipelineInstance, PipelineTemplate, ContainerRequest, Workflow, Collection, - Human, Specimen, Trait].each do |klass| - @objects = klass.readable_by(*@read_users) - if klass == Group - @objects = @objects.where(group_class: 'project') + Human, Specimen, Trait] + + table_names = Hash[klasses.collect { |k| [k, k.table_name] }] + + disabled_methods = Rails.configuration.API.DisabledAPIs + avail_klasses = table_names.select{|k, t| !disabled_methods[t+'.index']} + klasses = avail_klasses.keys + + request_filters.each do |col, op, val| + if col.index('.') && !table_names.values.include?(col.split('.', 2)[0]) + raise ArgumentError.new("Invalid attribute '#{col}' in filter") end - if opts[:owner_uuid] - conds = [] - cond_params = [] - conds << "#{klass.table_name}.owner_uuid = ?" - cond_params << opts[:owner_uuid] - if conds.any? - cond_sql = '(' + conds.join(') OR (') + ')' - @objects = @objects.where(cond_sql, *cond_params) + end + + wanted_klasses = [] + request_filters.each do |col,op,val| + if op == 'is_a' + (val.is_a?(Array) ? val : [val]).each do |type| + type = type.split('#')[-1] + type[0] = type[0].capitalize + wanted_klasses << type end end + end - # If the currently requested orders specifically match the table_name for the current klass, apply the order - request_order = request_orders && request_orders.find{ |r| r =~ /^#{klass.table_name}\./i } - if request_order - @objects = @objects.order(request_order) + filter_by_owner = {} + if @object + if params['recursive'] + filter_by_owner[:owner_uuid] = [@object.uuid] + @object.descendant_project_uuids else - # default to created_at desc, ignoring any currently requested ordering because it doesn't apply to this klass - @objects = @objects.order("#{klass.table_name}.created_at desc") + filter_by_owner[:owner_uuid] = @object.uuid end - @limit = limit_all - all_objects.count + if params['exclude_home_project'] + raise ArgumentError.new "Cannot use 'exclude_home_project' with a parent object" + end + end + + included_by_uuid = {} + + seen_last_class = false + klasses.each do |klass| + @offset = 0 if seen_last_class # reset offset for the new next type being processed + + # if current klass is same as params['last_object_class'], mark that fact + seen_last_class = true if((params['count'].andand.==('none')) and + (params['last_object_class'].nil? or + params['last_object_class'].empty? or + params['last_object_class'] == klass.to_s)) + + # if klasses are specified, skip all other klass types + next if wanted_klasses.any? and !wanted_klasses.include?(klass.to_s) + + # don't reprocess klass types that were already seen + next if params['count'] == 'none' and !seen_last_class + + # don't process rest of object types if we already have needed number of objects + break if params['count'] == 'none' and all_objects.size >= limit_all + + # If the currently requested orders specifically match the + # table_name for the current klass, apply that order. + # Otherwise, order by recency. + request_order = + request_orders.andand.find { |r| r =~ /^#{klass.table_name}\./i || r !~ /\./ } || + klass.default_orders.join(", ") + + @select = nil + where_conds = filter_by_owner + if klass == Collection + @select = klass.selectable_attributes - ["manifest_text"] + elsif klass == Group + where_conds = where_conds.merge(group_class: "project") + end + + @filters = request_filters.map do |col, op, val| + if !col.index('.') + [col, op, val] + elsif (col = col.split('.', 2))[0] == klass.table_name + [col[1], op, val] + else + nil + end + end.compact + + @objects = klass.readable_by(*@read_users, {:include_trash => params[:include_trash]}). + order(request_order).where(where_conds) + + if params['exclude_home_project'] + @objects = exclude_home @objects, klass + end + + klass_limit = limit_all - all_objects.count + @limit = klass_limit apply_where_limit_order_params klass - klass_items_available = @objects. - except(:limit).except(:offset). - count(:id, distinct: true) + klass_object_list = object_list(model_class: klass) + klass_items_available = klass_object_list[:items_available] || 0 @items_available += klass_items_available @offset = [@offset - klass_items_available, 0].max + all_objects += klass_object_list[:items] + + if klass_object_list[:limit] < klass_limit + # object_list() had to reduce @limit to comply with + # max_index_database_read. From now on, we'll do all queries + # with limit=0 and just accumulate items_available. + limit_all = all_objects.count + end + + if params["include"] == "owner_uuid" + owners = klass_object_list[:items].map {|i| i[:owner_uuid]}.to_set + [Group, User].each do |ownerklass| + ownerklass.readable_by(*@read_users).where(uuid: owners.to_a).each do |ow| + included_by_uuid[ow.uuid] = ow + end + end + end + end - all_objects += @objects.to_a + if params["include"] + @extra_included = included_by_uuid.values end @objects = all_objects @@ -121,4 +325,25 @@ class Arvados::V1::GroupsController < ApplicationController @offset = offset_all end + protected + + def exclude_home objectlist, klass + # select records that are readable by current user AND + # the owner_uuid is a user (but not the current user) OR + # the owner_uuid is not readable by the current user + # the owner_uuid is a group but group_class is not a project + + read_parent_check = if current_user.is_admin + "" + else + "NOT EXISTS(SELECT 1 FROM #{PERMISSION_VIEW} WHERE "+ + "user_uuid=(:user_uuid) AND target_uuid=#{klass.table_name}.owner_uuid AND perm_level >= 1) OR " + end + + objectlist.where("#{klass.table_name}.owner_uuid IN (SELECT users.uuid FROM users WHERE users.uuid != (:user_uuid)) OR "+ + read_parent_check+ + "EXISTS(SELECT 1 FROM groups as gp where gp.uuid=#{klass.table_name}.owner_uuid and gp.group_class != 'project')", + user_uuid: current_user.uuid) + end + end