X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/7b070fc8458f4108d44d6bfb939e36d3cc76af84..a38f5a5d70f836904690bcfac911b9765af479a7:/services/api/app/models/group.rb

diff --git a/services/api/app/models/group.rb b/services/api/app/models/group.rb
index b1b2e942c6..09bb8af97d 100644
--- a/services/api/app/models/group.rb
+++ b/services/api/app/models/group.rb
@@ -4,6 +4,7 @@
 
 require 'can_be_an_owner'
 require 'trashable'
+require 'update_priorities'
 
 class Group < ArvadosModel
   include HasUuid
@@ -44,6 +45,18 @@ class Group < ArvadosModel
     t.add :is_trashed
     t.add :properties
     t.add :frozen_by_uuid
+    t.add :can_write
+    t.add :can_manage
+  end
+
+  protected
+
+  def self.attributes_required_columns
+    super.merge(
+                'can_write' => ['owner_uuid', 'uuid'],
+                'can_manage' => ['owner_uuid', 'uuid'],
+                'writable_by' => ['owner_uuid', 'uuid'],
+                )
   end
 
   def ensure_filesystem_compatible_name
@@ -166,6 +179,13 @@ class Group < ArvadosModel
       "select target_uuid as group_uuid, trash_at from #{temptable} where trash_at is not NULL " +
       "on conflict (group_uuid) do update set trash_at=EXCLUDED.trash_at",
       "Group.update_trash.insert")
+    ActiveRecord::Base.connection.exec_query(
+      "select container_uuid from container_requests where " +
+      "owner_uuid in (select target_uuid from #{temptable}) and " +
+      "requesting_container_uuid is NULL and state = 'Committed' and container_uuid is not NULL",
+      "Group.update_trash.update_priorities").each do |container_uuid|
+      update_priorities container_uuid["container_uuid"]
+    end
   end
 
   def update_frozen
@@ -239,7 +259,7 @@ class Group < ArvadosModel
       if self.owner_uuid != system_user_uuid
         raise "Owner uuid for role must be system user"
       end
-      raise PermissionDeniedError unless current_user.can?(manage: uuid)
+      raise PermissionDeniedError.new("role group cannot be modified without can_manage permission") unless current_user.can?(manage: uuid)
       true
     else
       super
@@ -257,6 +277,18 @@ class Group < ArvadosModel
     end
   end
 
+  def permission_to_create
+    if !super
+      return false
+    elsif group_class == "role" &&
+       !Rails.configuration.Users.CanCreateRoleGroups &&
+       !current_user.andand.is_admin
+      raise PermissionDeniedError.new("this cluster does not allow users to create role groups")
+    else
+      return true
+    end
+  end
+
   def permission_to_update
     if !super
       return false