X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/4af5e2a54dc4bf19e2fd247f6c106e8e14263e6e..1498ac2bab4aabdd71066e4644ad20a6ac555827:/app/controllers/application_controller.rb diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index ebc749e20f..b9d9743bdb 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -4,12 +4,13 @@ class ApplicationController < ActionController::Base protect_from_forgery before_filter :uncamelcase_params_hash_keys around_filter :thread_with_auth_info, :except => [:render_error, :render_not_found] - before_filter :find_object_by_uuid, :except => :index + before_filter :find_object_by_uuid, :except => [:index, :create] before_filter :remote_ip before_filter :login_required, :except => :render_not_found before_filter :catch_redirect_hint + attr_accessor :resource_attrs def catch_redirect_hint if !current_user @@ -49,13 +50,18 @@ class ApplicationController < ActionController::Base end def index + uuid_list = [current_user.uuid, *current_user.groups_i_can(:read)] + sanitized_uuid_list = uuid_list. + collect { |uuid| model_class.sanitize(uuid) }.join(', ') @objects ||= model_class. - joins("LEFT JOIN metadata permissions ON permissions.tail=#{table_name}.uuid AND permissions.head=#{model_class.sanitize current_user.uuid} AND permissions.metadata_class='permission' AND permissions.name='visible_to'"). - where("#{table_name}.created_by_user=? OR #{table_name}.uuid=? OR permissions.head IS NOT NULL", - current_user.uuid, current_user.uuid) + joins("LEFT JOIN links permissions ON permissions.head_uuid=#{table_name}.owner AND permissions.tail_uuid in (#{sanitized_uuid_list}) AND permissions.link_class='permission'"). + where("?=? OR #{table_name}.owner in (?) OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL", + true, current_user.is_admin, + uuid_list, + current_user.uuid) if params[:where] where = params[:where] - where = JSON.parse(where) if where.is_a?(String) + where = Oj.load(where) if where.is_a?(String) conditions = ['1=1'] where.each do |attr,value| if (!value.nil? and @@ -68,6 +74,11 @@ class ApplicationController < ActionController::Base conditions[0] << " and #{table_name}.#{attr}=?" conditions << value end + elsif (!value.nil? and attr == 'any' and + value.is_a?(Array) and value[0] == 'contains' and + model_class.columns.collect(&:name).index('name')) then + conditions[0] << " and #{table_name}.name ilike ?" + conditions << "%#{value[1]}%" end end if conditions.length > 1 @@ -76,6 +87,17 @@ class ApplicationController < ActionController::Base where(*conditions) end end + if params[:limit] + begin + @objects = @objects.limit(params[:limit].to_i) + rescue + raise "invalid argument (limit)" + end + else + @objects = @objects.limit(100) + end + @objects = @objects.order('modified_at desc') + @objects.uniq!(&:id) if params[:eager] and params[:eager] != '0' and params[:eager] != 0 and params[:eager] != '' @objects.each(&:eager_load_associations) end @@ -91,29 +113,33 @@ class ApplicationController < ActionController::Base end def create - @attrs = params[resource_name] - if @attrs.nil? - raise "no #{resource_name} (or #{resource_name.camelcase(:lower)}) provided with request #{params.inspect}" - end - if @attrs.class == String - @attrs = uncamelcase_hash_keys(JSON.parse @attrs) - end - @object = model_class.new @attrs + @object = model_class.new resource_attrs @object.save show end def update - @attrs = params[resource_name] - if @attrs.is_a? String - @attrs = uncamelcase_hash_keys(JSON.parse @attrs) - end - @object.update_attributes @attrs + @object.update_attributes resource_attrs show end protected + def resource_attrs + return @attrs if @attrs + @attrs = params[resource_name] + if @attrs.is_a? String + @attrs = uncamelcase_hash_keys(Oj.load @attrs) + end + unless @attrs.is_a? Hash + raise "no #{resource_name} (or #{resource_name.camelcase(:lower)}) hash provided with request #{params.inspect}" + end + %w(created_at modified_by_client modified_by_user modified_at).each do |x| + @attrs.delete x + end + @attrs + end + # Authentication def login_required if !current_user @@ -133,14 +159,16 @@ class ApplicationController < ActionController::Base user = nil api_client = nil api_client_auth = nil - if params[:api_token] + supplied_token = params[:api_token] || params[:oauth_token] + if supplied_token api_client_auth = ApiClientAuthorization. includes(:api_client, :user). - where('api_token=?', params[:api_token]). + where('api_token=?', supplied_token). first if api_client_auth session[:user_id] = api_client_auth.user.id session[:api_client_uuid] = api_client_auth.api_client.uuid + session[:api_client_authorization_id] = api_client_auth.id user = api_client_auth.user api_client = api_client_auth.api_client end @@ -149,16 +177,22 @@ class ApplicationController < ActionController::Base api_client = ApiClient. where('uuid=?',session[:api_client_uuid]). first rescue nil + api_client_auth = ApiClientAuthorization. + find session[:api_client_authorization_id] end Thread.current[:api_client_trusted] = session[:api_client_trusted] Thread.current[:api_client_ip_address] = remote_ip + Thread.current[:api_client_authorization] = api_client_auth + Thread.current[:api_client_uuid] = api_client && api_client.uuid Thread.current[:api_client] = api_client Thread.current[:user] = user yield ensure Thread.current[:api_client_trusted] = nil Thread.current[:api_client_ip_address] = nil + Thread.current[:api_client_authorization] = nil Thread.current[:api_client_uuid] = nil + Thread.current[:api_client] = nil Thread.current[:user] = nil end end @@ -189,7 +223,7 @@ class ApplicationController < ActionController::Base def accept_attribute_as_json(attr, force_class) if params[resource_name].is_a? Hash if params[resource_name][attr].is_a? String - params[resource_name][attr] = JSON.parse params[resource_name][attr] + params[resource_name][attr] = Oj.load params[resource_name][attr] if force_class and !params[resource_name][attr].is_a? force_class raise TypeError.new("#{resource_name}[#{attr.to_s}] must be a #{force_class.to_s}") end