X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/44c95f99098fa6c6acbfa82d4b6cbc6015eb6e39..cec011b7718536de42ebd683aa96bee92cbca06c:/services/api/app/models/link.rb

diff --git a/services/api/app/models/link.rb b/services/api/app/models/link.rb
index dc961667b0..bf21cf4b67 100644
--- a/services/api/app/models/link.rb
+++ b/services/api/app/models/link.rb
@@ -48,8 +48,12 @@ class Link < ArvadosModel
     # Administrators can grant permissions
     return true if current_user.is_admin
 
-    # All users can grant permissions on objects they own or can manage
     head_obj = ArvadosModel.find_by_uuid(head_uuid)
+
+    # No permission links can be pointed to past collection versions
+    return false if head_obj.is_a?(Collection) && head_obj.current_version_uuid != head_uuid
+
+    # All users can grant permissions on objects they own or can manage
     return true if current_user.can?(manage: head_obj)
 
     # Default = deny.