X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/3a6b1a17f1b073e381b053b52e3cb0bb9c81d249..2b2707e4acb9ee7eed53f573cf5365af9189a8e3:/services/api/app/models/user.rb
diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index 52d36ac577..bbdd9c2843 100644
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -24,6 +24,7 @@ class User < ArvadosModel
 validate :identity_url_nil_if_empty
 before_update :prevent_privilege_escalation
 before_update :prevent_inactive_admin
+ before_update :prevent_nonadmin_system_root
 before_update :verify_repositories_empty, :if => Proc.new {
 username.nil? and username_changed?
 }
@@ -301,33 +302,31 @@ SELECT target_uuid, perm_level
 
 # delete user signatures, login, repo, and vm perms, and mark as inactive
 def unsetup
+ if self.uuid == system_user_uuid
+ raise "System root user cannot be deactivated"
+ end
+
 # delete oid_login_perms for this user
 #
- # note: these permission links are obsolete, they have no effect
- # on anything and they are not created for new users.
+ # note: these permission links are obsolete anyway: they have no
+ # effect on anything and they are not created for new users.
 Link.where(tail_uuid: self.email,
- link_class: 'permission',
- name: 'can_login').destroy_all
-
- # delete repo_perms for this user
- Link.where(tail_uuid: self.uuid,
- link_class: 'permission',
- name: 'can_manage').destroy_all
+ link_class: 'permission',
+ name: 'can_login').destroy_all
 
- # delete vm_login_perms for this user
- Link.where(tail_uuid: self.uuid,
- link_class: 'permission',
- name: 'can_login').destroy_all
-
- # delete "All users" group read permissions for this user
+ # Delete all sharing permissions so (a) the user doesn't
+ # automatically regain access to anything if re-setup in future,
+ # (b) the user doesn't appear in "currently shared with" lists
+ # shown to other users.
+ #
+ # Notably this includes the can_read -> "all users" group
+ # permission.
 Link.where(tail_uuid: self.uuid,
- head_uuid: all_users_group_uuid,
- link_class: 'permission',
- name: 'can_read').destroy_all
+ link_class: 'permission').destroy_all
 
 # delete any signatures by this user
 Link.where(link_class: 'signature',
- tail_uuid: self.uuid).destroy_all
+ tail_uuid: self.uuid).destroy_all
 
 # delete tokens for this user
 ApiClientAuthorization.where(user_id: self.id).destroy_all
@@ -345,6 +344,11 @@ SELECT target_uuid, perm_level
 self.save!
 end
 
+ # Called from ArvadosModel
+ def set_default_owner
+ self.owner_uuid = system_user_uuid
+ end
+
 def must_unsetup_to_deactivate
 if !self.new_record? &&
 self.uuid[0..4] == Rails.configuration.Login.LoginCluster &&
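Review bot: The header comment above `unsetup` still reads `# delete user signatures, login, repo, and vm perms, and mark as inactive`, but the new `Link.where(tail_uuid: self.uuid, link_class: 'permission').destroy_all` removes every permission link whose tail is this user, a much wider effect than the comment states; something like `# delete signatures, API tokens and every permission link held by the user, then mark as inactive` would match. The new block comment also says the deletion includes `the can_read -> "all users" group permission`, while the @@ -768 hunk now creates that link as `can_write`, so the comment is out of date within the same commit. The guard at the top raises a bare string, i.e. a `RuntimeError`, and `prevent_nonadmin_system_root` in the @@ -702 hunk does the same; if untyped exceptions surface as a server error in the API layer (not visible here), a typed exception or `errors.add`, as `must_unsetup_to_deactivate` uses, would report a refused request instead. The body of `unsetup` continues past the hunk.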
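Review bot: `set_default_owner` assigns `self.owner_uuid = system_user_uuid` unconditionally, and the comment `# Called from ArvadosModel` does not say when it runs. If the base class invokes it on more than record creation, or after a caller has supplied an owner, the supplied value is silently overwritten. I would state the intent in the comment, e.g. `# Users are always owned by the system root user; overrides the ArvadosModel default (confirm it runs on create only)`.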
@@ -371,8 +375,7 @@ SELECT target_uuid, perm_level
 #
 if Link.where(tail_uuid: self.uuid,
 head_uuid: all_users_group_uuid,
- link_class: 'permission',
- name: 'can_read').any?
+ link_class: 'permission').any?
 errors.add :is_active, "cannot be set to false directly, use the 'Deactivate' button on Workbench, or the 'unsetup' API call"
 end
 end
@@ -702,6 +705,13 @@ SELECT target_uuid, perm_level
 true
 end
 
+ def prevent_nonadmin_system_root
+ if self.uuid == system_user_uuid and self.is_admin_changed? and !self.is_admin
+ raise "System root user cannot be non-admin"
+ end
+ true
+ end
+
 def search_permissions(start, graph, merged={}, upstream_mask=nil, upstream_path={})
 nextpaths = graph[start]
 return merged if !nextpaths
@@ -768,11 +778,11 @@ SELECT target_uuid, perm_level
 resp = [Link.where(tail_uuid: self.uuid,
 head_uuid: all_users_group_uuid,
 link_class: 'permission',
- name: 'can_read').first ||
+ name: 'can_write').first ||
 Link.create(tail_uuid: self.uuid,
 head_uuid: all_users_group_uuid,
 link_class: 'permission',
- name: 'can_read')]
+ name: 'can_write')]
 if Rails.configuration.Users.ActivatedUsersAreVisibleToOthers
 resp += [Link.where(tail_uuid: all_users_group_uuid,
 head_uuid: self.uuid,
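Review bot: This check still looks only at links to `all_users_group_uuid`, while `unsetup` in the @@ -301 hunk now removes every permission link the user holds. A user with no link to the all-users group but with other permission links would, as far as this hunk shows, pass the check and be deactivated directly with those links left in place, which is the regain-access-on-re-setup case the new `unsetup` comment sets out to prevent. If that is not intended, dropping the `head_uuid:` condition would align the two: `if Link.where(tail_uuid: self.uuid, link_class: 'permission').any?`. The enclosing condition of `must_unsetup_to_deactivate` starts outside the hunk, so other clauses may already cover this.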
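Review bot: `prevent_nonadmin_system_root` rejects only the transition, because the condition requires `self.is_admin_changed?`; a system root row that is already non-admin, or one changed by a write that skips callbacks, is neither rejected nor repaired. If the invariant is meant to hold at all times, testing the state is stricter: `if self.uuid == system_user_uuid and !self.is_admin`. The method also has no comment; `# The system root user must always be an admin; refuse any update that clears is_admin on it` would record the rule next to the sibling `prevent_*` callbacks.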
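Review bot: The link created for every user that is set up changes from `can_read` to `can_write` on the all-users group, which widens what each activated user may do with that group, and nothing in the hunk says why; a comment stating what write access to the group is meant to allow belongs above `resp = [Link.where(...`. Users that already hold a `can_read` link will not match the `name: 'can_write'` lookup, so a second link is created next to the old one; whether a migration upgrades or removes the existing links is not visible here. The `where(...).first || Link.create(...)` pattern is also check-then-create, so two concurrent setups can both create the link unless a unique constraint or transaction outside the hunk prevents it. The method begins and ends outside the hunk.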