X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/747aa7b4d080b4ea95bf7d6d8643c43e70966f33..c1e7255a85dfc2807ba78e1cf9d109d896c80b42:/services/api/app/models/arvados_model.rb diff --git a/services/api/app/models/arvados_model.rb b/services/api/app/models/arvados_model.rb index adff09d53c..a6c9d31d41 100644 --- a/services/api/app/models/arvados_model.rb +++ b/services/api/app/models/arvados_model.rb @@ -27,7 +27,7 @@ class ArvadosModel < ActiveRecord::Base # Note: This only returns permission links. It does not account for # permissions obtained via user.is_admin or # user.uuid==object.owner_uuid. - has_many :permissions, :foreign_key => :head_uuid, :class_name => 'Link', :primary_key => :uuid, :conditions => "link_class = 'permission'", dependent: :destroy + has_many :permissions, :foreign_key => :head_uuid, :class_name => 'Link', :primary_key => :uuid, :conditions => "link_class = 'permission'" class PermissionDeniedError < StandardError def http_status @@ -197,10 +197,21 @@ class ArvadosModel < ActiveRecord::Base current_user.can? write: self.owner_uuid # current_user is, or has :write permission on, the new owner else - logger.warn "User #{current_user.uuid} tried to modify #{self.class.to_s} #{self.uuid} but does not have permission to write #{self.owner_uuid_was}" + logger.warn "User #{current_user.uuid} tried to change owner_uuid of #{self.class.to_s} #{self.uuid} to #{self.owner_uuid} but does not have permission to write to #{self.owner_uuid}" raise PermissionDeniedError end end + if new_record? + return true + elsif current_user.uuid == self.owner_uuid_was or + current_user.uuid == self.uuid or + current_user.can? write: self.owner_uuid_was + # current user is, or has :write permission on, the previous owner + return true + else + logger.warn "User #{current_user.uuid} tried to modify #{self.class.to_s} #{self.uuid} but does not have permission to write #{self.owner_uuid_was}" + raise PermissionDeniedError + end end def ensure_permission_to_save