X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/675794872a5d064cf0a8177d662555c04b0dae51..7d598997ce1851f37ac0ec21c47abc76d5e84277:/services/api/app/models/user.rb
diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index 8743b92b25..64e0d09451 100644
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -12,7 +12,9 @@ class User < ArvadosModel
 before_update :prevent_inactive_admin
 before_create :check_auto_admin
 after_create :add_system_group_permission_link
- after_create AdminNotifier
+ after_create :send_admin_notifications
+ after_update :send_profile_created_notification
+
 has_many :authorized_keys, :foreign_key => :authorized_user_uuid, :primary_key => :uuid
@@ -41,15 +43,23 @@ class User < ArvadosModel
 end
 def groups_i_can(verb)
- self.group_permissions.select { |uuid, mask| mask[verb] }.keys
+ my_groups = self.group_permissions.select { |uuid, mask| mask[verb] }.keys
+ if verb == :read
+ my_groups << anonymous_group_uuid
+ end
+ my_groups
 end
 def can?(actions)
 return true if is_admin
 actions.each do |action, target|
- target_uuid = target
- if target.respond_to? :uuid
- target_uuid = target.uuid
+ unless target.nil?
+ if target.respond_to? :uuid
+ target_uuid = target.uuid
+ else
+ target_uuid = target
+ target = ArvadosModel.find_by_uuid(target_uuid)
+ end
 end
 next if target_uuid == self.uuid
 next if (group_permissions[target_uuid] and
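Review bot: In the `can?` hunk (`@@ -41,15 +43,23 @@`), the result of `ArvadosModel.find_by_uuid(target_uuid)` is assigned to `target` without a nil check, and a nil `target` now leaves `target_uuid` unassigned. Both cases hand the decision to the lines after `next if (group_permissions[target_uuid] and`, which are outside the hunk, so whether the check fails closed cannot be confirmed from here. If denying is the intent, make it explicit right after the `unless target.nil?` block with `return false if target.nil?`, so a UUID that resolves to no record never reaches later code that dereferences `target`. The lookup also costs one query per checked action whenever a caller passes a bare UUID, including the case where that UUID is the user's own.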
@@ -71,19 +81,30 @@ class User < ArvadosModel
 # Return a hash of {group_uuid: perm_hash} where perm_hash[:read]
 # and perm_hash[:write] are true if this user can read and write
 # objects owned by group_uuid.
+ #
+ # The permission graph is built by repeatedly enumerating all
+ # permission links reachable from self.uuid, and then calling
+ # search_permissions
 def group_permissions
 Rails.cache.fetch "groups_for_user_#{self.uuid}" do
 permissions_from = {}
 todo = {self.uuid => true}
 done = {}
+ # Build the equivalence class of permissions starting with
+ # self.uuid. On each iteration of this loop, todo contains
+ # the next set of uuids in the permission equivalence class
+ # to evaluate.
 while !todo.empty?
 lookup_uuids = todo.keys
 lookup_uuids.each do |uuid| done[uuid] = true end
 todo = {}
 newgroups = []
+ # include all groups owned by the current set of uuids.
 Group.where('owner_uuid in (?)', lookup_uuids).each do |group|
 newgroups << [group.owner_uuid, group.uuid, 'can_manage']
 end
+ # add any permission links from the current lookup_uuids to a
+ # User or Group.
 Link.where('tail_uuid in (?) and link_class = ? and (head_uuid like ? or head_uuid like ?)',
 lookup_uuids,
 'permission',
@@ -142,7 +163,7 @@ class User < ArvadosModel
 # delete repo_perms for this user
 repo_perms = Link.where(tail_uuid: self.uuid,
 link_class: 'permission',
- name: 'can_write')
+ name: 'can_manage')
 repo_perms.each do |perm|
 Link.delete perm
 end
@@ -199,7 +220,7 @@ class User < ArvadosModel
 def check_auto_admin
 if User.where("uuid not like '%-000000000000000'").where(:is_admin => true).count == 0 and Rails.configuration.auto_admin_user
- if current_user.email == Rails.configuration.auto_admin_user
+ if self.email == Rails.configuration.auto_admin_user
 self.is_admin = true
 self.is_active = true
 end
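Review bot: In the repository-permission cleanup hunk (`@@ -142,7 +163,7 @@`), filtering on `name: 'can_manage'` no longer matches links created earlier with `name: 'can_write'`, so revoking a user would leave those older grants in place unless a data migration outside this diff renames them. The same rename is applied to the existence check and the `Link.create` call in the hunks at `@@ -293,7 +314,7 @@` and `@@ -308,7 +329,7 @@`, where an existing `can_write` link would go unnoticed and a second link be created. The visible query here filters only on `tail_uuid`, `link_class` and `name`, so with `can_manage` it may also match management links to objects other than repositories. Matching both names with `name: ['can_write', 'can_manage']` and restricting the query to repository heads would be safer. The enclosing method starts and ends outside the hunk.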
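Review bot: In `check_auto_admin` (`@@ -199,7 +220,7 @@`), promotion now depends on `self.email`, the address on the record being created, so the first account created with the configured address becomes an active admin. That is only safe if every path that creates a User takes `email` from the authenticated identity provider rather than from caller-supplied attributes, which cannot be confirmed from the hunk. A comment above the comparison would record the assumption, for example `# email must come from the verified login identity, never from request params`. The method's closing lines are outside the hunk.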
@@ -293,7 +314,7 @@ class User < ArvadosModel
 repo_perms = Link.where(tail_uuid: self.uuid,
 head_uuid: repo[:uuid],
 link_class: 'permission',
- name: 'can_write')
+ name: 'can_manage')
 if repo_perms.any?
 logger.warn "User already has repository access " +
 repo_perms.collect { |p| p[:uuid] }.inspect
@@ -308,7 +329,7 @@ class User < ArvadosModel
 repo_perm = Link.create(tail_uuid: self.uuid,
 head_uuid: repo[:uuid],
 link_class: 'permission',
- name: 'can_write')
+ name: 'can_manage')
 logger.info { "repo permission: " + repo_perm[:uuid] }
 return repo_perm
 end
@@ -338,21 +359,21 @@ class User < ArvadosModel
 perm_exists = false
 login_perms.each do |perm|
- if perm.properties[:username] == repo_name
- perm_exists = true
+ if perm.properties['username'] == repo_name
+ perm_exists = perm
 break
 end
 end
- if !perm_exists
+ if perm_exists
+ login_perm = perm_exists
+ else
 login_perm = Link.create(tail_uuid: self.uuid,
 head_uuid: vm[:uuid],
 link_class: 'permission',
 name: 'can_login',
- properties: {username: repo_name})
+ properties: {'username' => repo_name})
 logger.info { "login permission: " + login_perm[:uuid] }
- else
- login_perm = login_perms.first
 end
 return login_perm
@@ -402,4 +423,23 @@ class User < ArvadosModel
 head_uuid: self.uuid)
 end
 end
+
+ # Send admin notifications
+ def send_admin_notifications
+ AdminNotifier.new_user(self).deliver
+ if not self.is_active then
+ AdminNotifier.new_inactive_user(self).deliver
+ end
+ end
+
+ # Send notification if the user saved profile for the first time
+ def send_profile_created_notification
+ if self.prefs_changed?
+ if self.prefs_was.andand.empty? || !self.prefs_was.andand['profile']
+ profile_notification_address = Rails.configuration.user_profile_notification_address
+ ProfileNotifier.profile_created(self, profile_notification_address).deliver if profile_notification_address
+ end
+ end
+ end
+
 end
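Review bot: In the login-permission hunk (`@@ -338,21 +359,21 @@`), `perm_exists` starts as `false` and now ends up holding a Link, so the name no longer describes the value. The loop and flag can be replaced by `login_perm = login_perms.find { |perm| perm.properties['username'] == repo_name }`, with the `Link.create` branch guarded by `unless login_perm`. Depending on how `properties` is serialized, which the hunk does not show, links stored earlier may still carry the `:username` symbol key; those would not match `'username'` and a duplicate `can_login` link would be created. The enclosing method begins and ends outside the hunk.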
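Review bot: In `send_profile_created_notification` (`@@ -402,4 +423,23 @@`), the condition inspects only `prefs_was`, so any change to `prefs` by a user who had no profile before sends the profile-created mail, even when the new `prefs` still contains no profile. Checking the new value as well fixes that: `if self.prefs_changed? && self.prefs.andand['profile']`. Both new callbacks also call `.deliver` inline from `after_create` and `after_update`; if the mailer is configured to raise delivery errors, a mail outage would presumably propagate out of the save and block account creation or profile updates, so rescuing and logging around the delivery is worth considering.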