X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/6603d04024c256bbaa53cb2d3764342d48124665..2b6c9d3422db414431c32d2945ee120d0556379b:/app/controllers/application_controller.rb
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 4fda8f9419..3d96706d3b 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -50,11 +50,15 @@ class ApplicationController < ActionController::Base
 end
 
 def index
+ uuid_list = [current_user.uuid, *current_user.groups_i_can(:read)]
+ sanitized_uuid_list = uuid_list.
+ collect { |uuid| model_class.sanitize(uuid) }.join(', ')
 @objects ||= model_class.
- joins("LEFT JOIN links permissions ON permissions.head_uuid=#{table_name}.owner AND permissions.tail_uuid=#{model_class.sanitize current_user.uuid} AND permissions.link_class='permission'").
- where("?=? OR #{table_name}.owner=? OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL",
+ joins("LEFT JOIN links permissions ON permissions.head_uuid=#{table_name}.owner AND permissions.tail_uuid in (#{sanitized_uuid_list}) AND permissions.link_class='permission'").
+ where("?=? OR #{table_name}.owner in (?) OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL",
 true, current_user.is_admin,
- current_user.uuid, current_user.uuid)
+ uuid_list,
+ current_user.uuid)
 if params[:where]
 where = params[:where]
 where = Oj.load(where) if where.is_a?(String)
@@ -155,10 +159,11 @@ class ApplicationController < ActionController::Base
 user = nil
 api_client = nil
 api_client_auth = nil
- if params[:api_token]
+ supplied_token = params[:api_token] || params[:oauth_token]
+ if supplied_token
 api_client_auth = ApiClientAuthorization.
 includes(:api_client, :user).
- where('api_token=?', params[:api_token]).
+ where('api_token=?', supplied_token).
 first
 if api_client_auth
 session[:user_id] = api_client_auth.user.id
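Review bot: The new `joins(...)` string interpolates `sanitized_uuid_list` straight into SQL, and that is only safe because every element was passed through `model_class.sanitize` three lines earlier — an invariant the JOIN line itself does not show, while the neighbouring `where(... owner in (?) ...)` binds the very same `uuid_list` as a parameter. A reader auditing for injection will stop on the interpolation, so the reason should be stated next to it: `# joins() takes no bind params; each uuid was quoted via model_class.sanitize above` on the `sanitized_uuid_list` assignment. It would also help to note that `uuid_list` can never be empty (it always starts with `current_user.uuid`), since an empty `in ()` would otherwise be a SQL error; what `groups_i_can(:read)` returns is not visible here. The `index` method continues past the end of this hunk.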
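Review bot: `supplied_token = params[:api_token] || params[:oauth_token]` accepts whatever Rails parsed for those keys, so a nested parameter such as `api_token[]=x` or `api_token[a]=b` reaches `where('api_token=?', supplied_token)` as an Array or Hash rather than a String; ActiveRecord expands an Array into a comma-separated list, which for more than one element produces an invalid statement and a 500 instead of a clean authentication failure. Accept only a non-empty scalar: `supplied_token = [params[:api_token], params[:oauth_token]].find { |t| t.is_a?(String) && !t.empty? }`. The parameterized `where` itself is fine. Since the bearer token can now arrive under two query-parameter names, confirm the application's `config.filter_parameters` also covers `:oauth_token` so neither name is written to request logs — that configuration is not visible in this hunk, and the enclosing method continues beyond it.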