X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/6fb45c9dda6a5c91fe7da9b35a71d6d585171aaa..dabc8e61c00e204e9b03ce8fce4efa4ce9927d8b:/app/controllers/application_controller.rb diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 69ba750727..6b17fb4a30 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,7 +1,26 @@ class ApplicationController < ActionController::Base + include CurrentApiClient + protect_from_forgery before_filter :uncamelcase_params_hash_keys - before_filter :find_object_by_uuid, :except => :index + around_filter :thread_with_auth_info, :except => [:render_error, :render_not_found] + + before_filter :remote_ip + before_filter :login_required, :except => :render_not_found + before_filter :catch_redirect_hint + + before_filter :find_objects_for_index, :only => :index + before_filter :find_object_by_uuid, :except => [:index, :create] + + attr_accessor :resource_attrs + + def catch_redirect_hint + if !current_user + if params.has_key?('redirect_to') then + session[:redirect_to] = params[:redirect_to] + end + end + end unless Rails.application.config.consider_all_requests_local rescue_from Exception, @@ -32,27 +51,58 @@ class ApplicationController < ActionController::Base render json: { errors: ["Path not found"] }, status: 404 end - def index - @objects ||= if params[:where] - where = params[:where] - where = JSON.parse(where) if where.is_a?(String) + def find_objects_for_index + uuid_list = [current_user.uuid, *current_user.groups_i_can(:read)] + sanitized_uuid_list = uuid_list. + collect { |uuid| model_class.sanitize(uuid) }.join(', ') + @objects ||= model_class. + joins("LEFT JOIN links permissions ON permissions.head_uuid=#{table_name}.owner AND permissions.tail_uuid in (#{sanitized_uuid_list}) AND permissions.link_class='permission'"). + where("?=? OR #{table_name}.owner in (?) OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL", + true, current_user.is_admin, + uuid_list, + current_user.uuid) + @where = params[:where] || {} + @where = Oj.load(@where) if @where.is_a?(String) + if params[:where] conditions = ['1=1'] - where.each do |attr,value| + @where.each do |attr,value| if (!value.nil? and attr.to_s.match(/^[a-z][_a-z0-9]+$/) and model_class.columns.collect(&:name).index(attr)) if value.is_a? Array - conditions[0] << " and #{attr} in (?)" + conditions[0] << " and #{table_name}.#{attr} in (?)" conditions << value - else - conditions[0] << " and #{attr}=?" + elsif value.is_a? String or value.is_a? Fixnum or value == true or value == false + conditions[0] << " and #{table_name}.#{attr}=?" conditions << value end + elsif (!value.nil? and attr == 'any' and + value.is_a?(Array) and value[0] == 'contains' and + model_class.columns.collect(&:name).index('name')) then + conditions[0] << " and #{table_name}.name ilike ?" + conditions << "%#{value[1]}%" end end - model_class.where(*conditions) + if conditions.length > 1 + conditions[0].sub!(/^1=1 and /, '') + @objects = @objects. + where(*conditions) + end end - @objects ||= model_class.all + if params[:limit] + begin + @objects = @objects.limit(params[:limit].to_i) + rescue + raise "invalid argument (limit)" + end + else + @objects = @objects.limit(100) + end + @objects = @objects.order("#{table_name}.modified_at desc") + end + + def index + @objects.uniq!(&:id) if params[:eager] and params[:eager] != '0' and params[:eager] != 0 and params[:eager] != '' @objects.each(&:eager_load_associations) end @@ -68,28 +118,97 @@ class ApplicationController < ActionController::Base end def create - @attrs = params[resource_name] - if @attrs.nil? - raise "no #{resource_name} (or #{resource_name.camelcase(:lower)}) provided with request #{params.inspect}" - end - if @attrs.class == String - @attrs = uncamelcase_hash_keys(JSON.parse @attrs) - end - @object = model_class.new @attrs + @object = model_class.new resource_attrs @object.save show end def update + @object.update_attributes resource_attrs + show + end + + def destroy + @object.destroy + show + end + + protected + + def resource_attrs + return @attrs if @attrs @attrs = params[resource_name] if @attrs.is_a? String - @attrs = uncamelcase_hash_keys(JSON.parse @attrs) + @attrs = uncamelcase_hash_keys(Oj.load @attrs) end - @object.update_attributes @attrs - show + unless @attrs.is_a? Hash + raise "no #{resource_name} (or #{resource_name.camelcase(:lower)}) hash provided with request #{params.inspect}" + end + %w(created_at modified_by_client modified_by_user modified_at).each do |x| + @attrs.delete x + end + @attrs end - protected + # Authentication + def login_required + if !current_user + respond_to do |format| + format.html { + redirect_to '/auth/joshid' + } + format.json { + render :json => { errors: ['Not logged in'] }.to_json + } + end + end + end + + def thread_with_auth_info + begin + user = nil + api_client = nil + api_client_auth = nil + supplied_token = params[:api_token] || params[:oauth_token] + if supplied_token + api_client_auth = ApiClientAuthorization. + includes(:api_client, :user). + where('api_token=?', supplied_token). + first + if api_client_auth + session[:user_id] = api_client_auth.user.id + session[:api_client_uuid] = api_client_auth.api_client.uuid + session[:api_client_authorization_id] = api_client_auth.id + user = api_client_auth.user + api_client = api_client_auth.api_client + end + elsif session[:user_id] + user = User.find(session[:user_id]) rescue nil + api_client = ApiClient. + where('uuid=?',session[:api_client_uuid]). + first rescue nil + if session[:api_client_authorization_id] then + api_client_auth = ApiClientAuthorization. + find session[:api_client_authorization_id] + end + end + Thread.current[:api_client_trusted] = session[:api_client_trusted] + Thread.current[:api_client_ip_address] = remote_ip + Thread.current[:api_client_authorization] = api_client_auth + Thread.current[:api_client_uuid] = api_client && api_client.uuid + Thread.current[:api_client] = api_client + Thread.current[:user] = user + yield + ensure + Thread.current[:api_client_trusted] = nil + Thread.current[:api_client_ip_address] = nil + Thread.current[:api_client_authorization] = nil + Thread.current[:api_client_uuid] = nil + Thread.current[:api_client] = nil + Thread.current[:user] = nil + end + end + # /Authentication def model_class controller_name.classify.constantize @@ -99,6 +218,10 @@ class ApplicationController < ActionController::Base controller_name.singularize end + def table_name + controller_name + end + def find_object_by_uuid if params[:id] and params[:id].match /\D/ params[:uuid] = params.delete :id @@ -112,7 +235,7 @@ class ApplicationController < ActionController::Base def accept_attribute_as_json(attr, force_class) if params[resource_name].is_a? Hash if params[resource_name][attr].is_a? String - params[resource_name][attr] = JSON.parse params[resource_name][attr] + params[resource_name][attr] = Oj.load params[resource_name][attr] if force_class and !params[resource_name][attr].is_a? force_class raise TypeError.new("#{resource_name}[#{attr.to_s}] must be a #{force_class.to_s}") end @@ -153,4 +276,15 @@ class ApplicationController < ActionController::Base } render json: @object_list end + + def remote_ip + # Caveat: this is highly dependent on the proxy setup. YMMV. + if request.headers.has_key?('HTTP_X_REAL_IP') then + # We're behind a reverse proxy + @remote_ip = request.headers['HTTP_X_REAL_IP'] + else + # Hopefully, we are not! + @remote_ip = request.env['REMOTE_ADDR'] + end + end end