X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/6038a018b758e1a4babc5669df50622cd470df2f..9e3bb9b984ff700fc3455f87437a8f1ac5841f0e:/services/api/app/controllers/arvados/v1/collections_controller.rb
diff --git a/services/api/app/controllers/arvados/v1/collections_controller.rb b/services/api/app/controllers/arvados/v1/collections_controller.rb
index 9198f583d3..294e092f6c 100644
--- a/services/api/app/controllers/arvados/v1/collections_controller.rb
+++ b/services/api/app/controllers/arvados/v1/collections_controller.rb
@@ -12,6 +12,7 @@ class Arvados::V1::CollectionsController < ApplicationController
 'arvados#group'
 end
 unless current_user.can? write: owner_uuid
+ logger.warn "User #{current_user.andand.uuid} tried to set collection owner_uuid to #{owner_uuid}"
 raise ArvadosModel::PermissionDeniedError
 end
 act_as_system_user do
@@ -87,11 +88,11 @@ class Arvados::V1::CollectionsController < ApplicationController
 return ""
 end
- #puts "visiting #{uuid}"
+ logger.debug "visiting #{uuid}"
 if m
 # uuid is a collection
- Collection.where(uuid: uuid).each do |c|
+ Collection.readable_by(current_user).where(uuid: uuid).each do |c|
 visited[uuid] = c.as_api_response
 visited[uuid][:files] = []
 c.files.each do |f|
@@ -99,11 +100,11 @@ class Arvados::V1::CollectionsController < ApplicationController
 end
 end
- Job.where(output: uuid).each do |job|
+ Job.readable_by(current_user).where(output: uuid).each do |job|
 generate_provenance_edges(visited, job.uuid)
 end
- Job.where(log: uuid).each do |job|
+ Job.readable_by(current_user).where(log: uuid).each do |job|
 generate_provenance_edges(visited, job.uuid)
 end
@@ -111,7 +112,7 @@ class Arvados::V1::CollectionsController < ApplicationController
 # uuid is something else
 rsc = ArvadosModel::resource_class_for_uuid uuid
 if rsc == Job
- Job.where(uuid: uuid).each do |job|
+ Job.readable_by(current_user).where(uuid: uuid).each do |job|
 visited[uuid] = job.as_api_response
 script_param_edges(visited, job.script_parameters)
 end
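Review bot: The added `logger.warn` line interpolates `owner_uuid` into the log message unescaped. The value appears to come from the request (its assignment is outside the hunk), so a string containing line breaks could make one rejected request look like several log entries. Writing it as `#{owner_uuid.inspect}` keeps the entry on a single line and makes odd values visible to whoever reads the log. The `andand` on `current_user` is also redundant at this point, because the `unless current_user.can?` guard directly above already dereferences it. The enclosing method starts and ends outside the hunk.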
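Review bot: Nothing in `generate_provenance_edges` documents that objects the caller cannot read are now silently left out of `visited`, and the `readable_by(current_user)` scope is spelled out separately at every lookup: the `Collection` query here, the two `Job` queries in the next hunk, and the `Job` and `Link` queries further down. A comment above the first lookup, for example `# Every lookup below must go through readable_by(current_user); unreadable objects are omitted from the graph.`, would make the rule visible to whoever adds the next query. The function starts before this hunk and ends after it.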
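Review bot: Only the `rsc == Job` branch is visibly scoped here, and the lines between this hunk and the `Link` hunk (new lines 119-122 by the hunk headers) are not shown. If they hold a further branch that looks up other resource classes by uuid, that lookup would still return objects the user cannot read, so it is worth confirming that any such query also goes through `readable_by(current_user)`. The `if rsc == Job` block continues past the end of the hunk.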
@@ -122,7 +123,9 @@ class Arvados::V1::CollectionsController < ApplicationController
 end
 end
- Link.where(head_uuid: uuid, link_class: "provenance").each do |link|
+ Link.readable_by(current_user).
+ where(head_uuid: uuid, link_class: "provenance").
+ each do |link|
 visited[link.uuid] = link.as_api_response
 generate_provenance_edges(visited, link.tail_uuid)
 end