X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/49fb55aa1a9fb35d8e7e620717cb42f77d448a43..cec8e2705d260c9df1042858941419a3b9160c0e:/services/api/app/models/user.rb diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb index 4296d6104a..cc3a22cbf0 100644 --- a/services/api/app/models/user.rb +++ b/services/api/app/models/user.rb @@ -30,6 +30,7 @@ class User < ArvadosModel before_create :set_initial_username, :if => Proc.new { |user| user.username.nil? and user.email } + after_create :setup_on_activate after_create :add_system_group_permission_link after_create :invalidate_permissions_cache after_create :auto_setup_new_user, :if => Proc.new { |user| @@ -275,32 +276,59 @@ class User < ArvadosModel end end - # Merge this user's owned items into dst_user. + # Move this user's (i.e., self's) owned items into new_owner_uuid. + # Also redirect future uses of this account to + # redirect_to_user_uuid, i.e., when a caller authenticates to this + # account in the future, the account redirect_to_user_uuid account + # will be used instead. + # + # current_user must have admin privileges, i.e., the caller is + # responsible for checking permission to do this. def merge(new_owner_uuid:, redirect_to_user_uuid:) raise PermissionDeniedError if !current_user.andand.is_admin raise "not implemented" if !redirect_to_user_uuid transaction(requires_new: true) do reload + raise "cannot merge an already merged user" if self.redirect_to_user_uuid + new_user = User.where(uuid: redirect_to_user_uuid).first raise "user does not exist" if !new_user - if User.where('uuid in (?) and redirect_to_user_uuid is not null', - [new_owner_uuid, redirect_to_user_uuid]).any? - raise "cannot merge to/from an already merged user" - end + raise "cannot merge to an already merged user" if new_user.redirect_to_user_uuid + + # Existing API tokens are updated to authenticate to the new + # user. ApiClientAuthorization. where(user_id: id). update_all(user_id: new_user.id) + + # References to the old user UUID in the context of a user ID + # (rather than a "home project" in the project hierarchy) are + # updated to point to the new user. [ [AuthorizedKey, :owner_uuid], [AuthorizedKey, :authorized_user_uuid], [Repository, :owner_uuid], + [Link, :owner_uuid], [Link, :tail_uuid], [Link, :head_uuid], ].each do |klass, column| klass.where(column => uuid).update_all(column => new_user.uuid) end - change_all_uuid_refs(old_uuid: uuid, new_uuid: new_owner_uuid) + + # References to the merged user's "home project" are updated to + # point to new_owner_uuid. + ActiveRecord::Base.descendants.reject(&:abstract_class?).each do |klass| + next if [ApiClientAuthorization, + AuthorizedKey, + Link, + Log, + Repository].include?(klass) + next if !klass.columns.collect(&:name).include?('owner_uuid') + klass.where(owner_uuid: uuid).update_all(owner_uuid: new_owner_uuid) + end + update_attributes!(redirect_to_user_uuid: new_user.uuid) + invalidate_permissions_cache end end @@ -387,7 +415,7 @@ class User < ArvadosModel end if self.is_active_changed? if self.is_active != self.is_active_was - logger.warn "User #{current_user.uuid} tried to change is_active from #{self.is_admin_was} to #{self.is_admin} for #{self.uuid}" + logger.warn "User #{current_user.uuid} tried to change is_active from #{self.is_active_was} to #{self.is_active} for #{self.uuid}" self.is_active = self.is_active_was end end @@ -436,7 +464,7 @@ class User < ArvadosModel if !oid_login_perms.any? # create openid login permission - oid_login_perm = Link.create(link_class: 'permission', + oid_login_perm = Link.create!(link_class: 'permission', name: 'can_login', tail_uuid: self.email, head_uuid: self.uuid,