X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/6603d04024c256bbaa53cb2d3764342d48124665..0ffeedce86038da0422ded9222785059fa8e716a:/app/controllers/application_controller.rb diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 4fda8f9419..eae4ede0ae 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -4,12 +4,14 @@ class ApplicationController < ActionController::Base protect_from_forgery before_filter :uncamelcase_params_hash_keys around_filter :thread_with_auth_info, :except => [:render_error, :render_not_found] - before_filter :find_object_by_uuid, :except => [:index, :create] before_filter :remote_ip before_filter :login_required, :except => :render_not_found - before_filter :catch_redirect_hint + + before_filter :find_objects_for_index, :only => :index + before_filter :find_object_by_uuid, :except => [:index, :create] + attr_accessor :resource_attrs def catch_redirect_hint 
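Review bot: `before_filter :catch_redirect_hint` is removed while `def catch_redirect_hint`, whose first line closes this hunk, stays defined; nothing visible here calls it, so either the method is now dead code or the redirect hint silently stops being applied, and either outcome deserves a comment or a removal in the same commit. Moving `find_object_by_uuid` after `login_required` is a real improvement, because the object lookup can no longer run for an unauthenticated request, but that ordering dependency is implicit; a comment above the filter list such as `# Filters run in declaration order: authenticate before any object lookup.` would keep a later edit from reintroducing the old order.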
@@ -49,26 +51,38 @@ class ApplicationController < ActionController::Base render json: { errors: ["Path not found"] }, status: 404 end - def index + def find_objects_for_index + uuid_list = [current_user.uuid, *current_user.groups_i_can(:read)] + sanitized_uuid_list = uuid_list. + collect { |uuid| model_class.sanitize(uuid) }.join(', ') @objects ||= model_class. - joins("LEFT JOIN links permissions ON permissions.head_uuid=#{table_name}.owner AND permissions.tail_uuid=#{model_class.sanitize current_user.uuid} AND permissions.link_class='permission'"). - where("?=? OR #{table_name}.owner=? OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL", + joins("LEFT JOIN links permissions ON permissions.head_uuid=#{table_name}.owner AND permissions.tail_uuid in (#{sanitized_uuid_list}) AND permissions.link_class='permission'"). + where("?=? OR #{table_name}.owner in (?) OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL", true, current_user.is_admin, - current_user.uuid, current_user.uuid) + uuid_list, + current_user.uuid) + @where = params[:where] || {} + @where = Oj.load(@where) if @where.is_a?(String) if params[:where] - where = params[:where] - where = Oj.load(where) if where.is_a?(String) conditions = ['1=1'] - where.each do |attr,value| + @where.each do |attr,value| if (!value.nil? and attr.to_s.match(/^[a-z][_a-z0-9]+$/) and model_class.columns.collect(&:name).index(attr)) if value.is_a? Array conditions[0] << " and #{table_name}.#{attr} in (?)" conditions << value - else + elsif value.is_a? String or value.is_a? Fixnum or value == true or value == false conditions[0] << " and #{table_name}.#{attr}=?" conditions << value + elsif value.is_a? Hash + # Not quite the same thing as "equal?" but better than nothing? + value.each do |k,v| + if v.is_a? String + conditions[0] << " and #{table_name}.#{attr} like ?" + conditions << "%:#{k}: #{v}%" + end + end end elsif (!value.nil? and attr == 'any' and value.is_a?(Array) and value[0] == 'contains' and 
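Review bot: `@where = Oj.load(@where) if @where.is_a?(String)` parses client-supplied `params[:where]` with Oj's default mode; depending on the Oj version that default is object mode, which can instantiate Ruby objects from specially shaped JSON, so a parameter that only ever needs a plain hash should be parsed as `@where = Oj.load(@where, mode: :strict) if @where.is_a?(String)`. The narrowed `elsif value.is_a? String or value.is_a? Fixnum or value == true or value == false` also means a filter whose value has any other type (a Float, say) is now silently dropped, so the query returns a larger, unfiltered result set instead of rejecting the request; an explicit `else raise ArgumentError, "unsupported value for #{attr}"` branch would fail closed. In the new Hash branch the bound pattern `"%:#{k}: #{v}%"` is not injectable, but `%` and `_` inside `k` or `v` act as LIKE wildcards, so the match is looser than the "better than nothing" comment suggests and the caveat belongs in that comment. find_objects_for_index continues past the end of this hunk.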
@@ -92,7 +106,10 @@ class ApplicationController < ActionController::Base else @objects = @objects.limit(100) end - @objects = @objects.order('modified_at desc') + @objects = @objects.order("#{table_name}.modified_at desc") + end + + def index @objects.uniq!(&:id) if params[:eager] and params[:eager] != '0' and params[:eager] != 0 and params[:eager] != '' @objects.each(&:eager_load_associations) @@ -119,6 +136,11 @@ class ApplicationController < ActionController::Base show end + def destroy + @object.destroy + show + end + protected def resource_attrs @@ -127,8 +149,8 @@ class ApplicationController < ActionController::Base if @attrs.is_a? String @attrs = uncamelcase_hash_keys(Oj.load @attrs) end - if @attrs.nil? - raise "no #{resource_name} (or #{resource_name.camelcase(:lower)}) provided with request #{params.inspect}" + unless @attrs.is_a? Hash + raise "no #{resource_name} (or #{resource_name.camelcase(:lower)}) hash provided with request #{params.inspect}" end %w(created_at modified_by_client modified_by_user modified_at).each do |x| @attrs.delete x @@ -155,14 +177,16 @@ class ApplicationController < ActionController::Base user = nil api_client = nil api_client_auth = nil - if params[:api_token] + supplied_token = params[:api_token] || params[:oauth_token] + if supplied_token api_client_auth = ApiClientAuthorization. includes(:api_client, :user). - where('api_token=?', params[:api_token]). + where('api_token=?', supplied_token). first if api_client_auth session[:user_id] = api_client_auth.user.id session[:api_client_uuid] = api_client_auth.api_client.uuid + session[:api_client_authorization_id] = api_client_auth.id user = api_client_auth.user api_client = api_client_auth.api_client end 
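Review bot: The new `destroy` action deletes `@object` with no permission check visible in its hunk; the read scoping that `find_objects_for_index` applies to `index` does not cover this path, so unless `find_object_by_uuid` (outside this diff) enforces write access, any logged-in user who can name a uuid can delete the record. A guard before the delete, for example `raise "permission denied" unless current_user.is_admin or @object.owner == current_user.uuid` (or whatever write-permission helper the models provide), would make the check explicit at the point of destruction. Rendering `show` after the delete also echoes the destroyed record's attributes back to the caller, which may be intended but is worth a one-line comment.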
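Review bot: The rewritten raise message still interpolates `params.inspect`, and with this commit the request params can carry `api_token` or `oauth_token` (read in the -155 hunk), so a malformed resource body puts the caller's credential into the exception text and from there into logs and any error reporter; `config.filter_parameters` protects the request log, not a string built by hand. Prefer `raise "no #{resource_name} (or #{resource_name.camelcase(:lower)}) hash provided with request"` or, if the keys help debugging, interpolate only `params.keys.inspect`. The `is_a? Hash` check is a sound tightening over the former nil test, since a String or Array body would otherwise reach the `@attrs.delete` loop.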
@@ -171,16 +195,24 @@ class ApplicationController < ActionController::Base api_client = ApiClient. where('uuid=?',session[:api_client_uuid]). first rescue nil + if session[:api_client_authorization_id] then + api_client_auth = ApiClientAuthorization. + find session[:api_client_authorization_id] + end end Thread.current[:api_client_trusted] = session[:api_client_trusted] Thread.current[:api_client_ip_address] = remote_ip + Thread.current[:api_client_authorization] = api_client_auth + Thread.current[:api_client_uuid] = api_client && api_client.uuid Thread.current[:api_client] = api_client Thread.current[:user] = user yield ensure Thread.current[:api_client_trusted] = nil Thread.current[:api_client_ip_address] = nil + Thread.current[:api_client_authorization] = nil Thread.current[:api_client_uuid] = nil + Thread.current[:api_client] = nil Thread.current[:user] = nil end end
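Review bot: `ApiClientAuthorization.find session[:api_client_authorization_id]` raises ActiveRecord::RecordNotFound when that row no longer exists (a revoked token, for instance), and unlike the `rescue nil` on the `ApiClient` lookup just above it there is no fallback, so a stale cookie session turns every request into an unhandled exception inside the around filter rather than an unauthenticated one; `api_client_auth = ApiClientAuthorization.where('id=?', session[:api_client_authorization_id]).first` degrades gracefully and matches the neighbouring style. Because the session now carries the authorization id, the cookie alone reconstitutes a token-backed identity on later requests, yet nothing in this hunk confirms that the loaded authorization still belongs to `session[:user_id]` (presumably via `api_client_auth.user_id`) or is still valid, so a revoked token keeps working for as long as the session lives; a comparison against `session[:user_id]`, clearing `user` on mismatch, closes that gap. As a style point, `then` on a multi-line `if` is unidiomatic Ruby. thread_with_auth_info starts before this hunk.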