X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/60022ad25ba8d143578d9f20eda93744688909d2..ddff0f5816f8100154c9ae0a95147b2061097da3:/services/api/lib/fix_roles_projects.rb diff --git a/services/api/lib/fix_roles_projects.rb b/services/api/lib/fix_roles_projects.rb index 448c50cee2..79fea45901 100644 --- a/services/api/lib/fix_roles_projects.rb +++ b/services/api/lib/fix_roles_projects.rb @@ -2,6 +2,8 @@ # # SPDX-License-Identifier: AGPL-3.0 +require 'update_permissions' + include CurrentApiClient def fix_roles_projects @@ -11,23 +13,21 @@ def fix_roles_projects # shouldn't be anything to do at all. act_as_system_user do ActiveRecord::Base.transaction do - q = ActiveRecord::Base.connection.exec_query %{ -select uuid from groups limit 1 -} - - # 1) any group not group_class != project becomes a 'role' (both empty and invalid groups) - ActiveRecord::Base.connection.exec_query %{ -UPDATE groups set group_class='role' where group_class != 'project' or group_class is null - } - - Group.where("group_class='role' and owner_uuid != '#{system_user_uuid}'").each do |g| - # 2) Ownership of a role becomes a can_manage link - Link.create!(link_class: 'permission', - name: 'can_manage', - tail_uuid: g.owner_uuid, - head_uuid: g.uuid) + Group.where("(group_class != 'project' and group_class != 'filter') or group_class is null").each do |g| + # 1) any group not group_class != project and != filter becomes a 'role' (both empty and invalid groups) + old_owner = g.owner_uuid g.owner_uuid = system_user_uuid + g.group_class = 'role' g.save_with_unique_name! + + if old_owner != system_user_uuid + # 2) Ownership of a role becomes a can_manage link + Link.new(link_class: 'permission', + name: 'can_manage', + tail_uuid: old_owner, + head_uuid: g.uuid). + save!(validate: false) + end end ActiveRecord::Base.descendants.reject(&:abstract_class?).each do |klass| @@ -40,20 +40,22 @@ UPDATE groups set group_class='role' where group_class != 'project' or group_cla # 3) If a role owns anything, give it to system user and it # becomes a can_manage link klass.joins("join groups on groups.uuid=#{klass.table_name}.owner_uuid and groups.group_class='role'").each do |owned| - Link.create!(link_class: 'permission', - name: 'can_manage', - tail_uuid: owned.owner_uuid, - head_uuid: owned.uuid) + Link.new(link_class: 'permission', + name: 'can_manage', + tail_uuid: owned.owner_uuid, + head_uuid: owned.uuid). + save!(validate: false) owned.owner_uuid = system_user_uuid owned.save_with_unique_name! end end Group.joins("join groups as g2 on g2.uuid=groups.owner_uuid and g2.group_class='role'").each do |owned| - Link.create!(link_class: 'permission', + Link.new(link_class: 'permission', name: 'can_manage', tail_uuid: owned.owner_uuid, - head_uuid: owned.uuid) + head_uuid: owned.uuid). + save!(validate: false) owned.owner_uuid = system_user_uuid owned.save_with_unique_name! end @@ -66,8 +68,8 @@ select links.uuid from links, groups where groups.uuid = links.tail_uuid and } q.each do |lu| ln = Link.find_by_uuid(lu['uuid']) - puts "WARNING: Projects cannot have outgoing permission links, '#{ln.name}' link from #{ln.tail_uuid} to #{ln.head_uuid} will be removed" - Rails.logger.warn "Projects cannot have outgoing permission links, '#{ln.name}' link from #{ln.tail_uuid} to #{ln.head_uuid} will be removed" + puts "WARNING: Projects cannot have outgoing permission links, removing '#{ln.name}' link #{ln.uuid} from #{ln.tail_uuid} to #{ln.head_uuid}" + Rails.logger.warn "Projects cannot have outgoing permission links, removing '#{ln.name}' link #{ln.uuid} from #{ln.tail_uuid} to #{ln.head_uuid}" ln.destroy! end end