X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/4b0200c3f6f70e90534a2f623cdf631b3a75ec6d..9cdec66d5b0238e9d99c1e8e1d5c8571d798689d:/services/api/app/controllers/arvados/v1/links_controller.rb

diff --git a/services/api/app/controllers/arvados/v1/links_controller.rb b/services/api/app/controllers/arvados/v1/links_controller.rb
index 14e010640e..7716a3d5cf 100644
--- a/services/api/app/controllers/arvados/v1/links_controller.rb
+++ b/services/api/app/controllers/arvados/v1/links_controller.rb
@@ -57,12 +57,17 @@ class Arvados::V1::LinksController < ApplicationController
       # by UUID, then check whether (a) its tail_uuid is the current
       # user or (b) its head_uuid is an object the current_user
       # can_manage.
-      @object = Link.unscoped.where(uuid: params[:uuid]).first
-      if @object.link_class != 'permission'
+      link = Link.unscoped.where(uuid: params[:uuid]).first
+      if link && link.link_class != 'permission'
+        # Not a permission link. Re-fetch using generic
+        # permission-filtering query.
         super
-      elsif @object &&
-         current_user.uuid != @object.tail_uuid &&
-         !current_user.can?(manage: @object.head_uuid)
+      elsif link && (current_user.uuid == link.tail_uuid ||
+                     current_user.can?(manage: link.head_uuid))
+        # Permission granted.
+        @object = link
+      else
+        # Permission denied, i.e., link is invisible => 404.
         @object = nil
       end
     end
@@ -120,6 +125,8 @@ class Arvados::V1::LinksController < ApplicationController
           if k[1] == '=' && current_user.can?(manage: k[2])
             @objects = Link.unscoped
           elsif k[1] == 'in'
+            # Modify the filter operand element (k[2]) in place,
+            # removing any non-permitted UUIDs.
             k[2].select! do |head_uuid|
               current_user.can?(manage: head_uuid)
             end