X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/7c098f97052780882fe4c08f48f83b47a1973d36..68aa07e5c152fd573e254614b34b71957b50ad8c:/services/api/app/models/arvados_model.rb?ds=sidebyside diff --git a/services/api/app/models/arvados_model.rb b/services/api/app/models/arvados_model.rb index 2df6686f28..5cd0c77c49 100644 --- a/services/api/app/models/arvados_model.rb +++ b/services/api/app/models/arvados_model.rb @@ -52,13 +52,16 @@ class ArvadosModel < ActiveRecord::Base def self.searchable_columns operator textonly_operator = !operator.match(/[<=>]/) - self.columns.collect do |col| - if [:string, :text].index(col.type) - col.name - elsif !textonly_operator and [:datetime, :integer].index(col.type) - col.name + self.columns.select do |col| + case col.type + when :string, :text + true + when :datetime, :integer, :boolean + !textonly_operator + else + false end - end.compact + end.map(&:name) end def self.attribute_column attr @@ -160,6 +163,13 @@ class ArvadosModel < ActiveRecord::Base attributes end + def has_permission? perm_type, target_uuid + Link.where(link_class: "permission", + name: perm_type, + tail_uuid: uuid, + head_uuid: target_uuid).any? + end + protected def ensure_ownership_path_leads_to_user @@ -196,29 +206,25 @@ class ArvadosModel < ActiveRecord::Base def ensure_owner_uuid_is_permitted raise PermissionDeniedError if !current_user - if respond_to? :owner_uuid= + if new_record? and respond_to? :owner_uuid= self.owner_uuid ||= current_user.uuid end - if self.owner_uuid_changed? - if new_record? - return true - elsif current_user.uuid == self.owner_uuid or - current_user.can? write: self.owner_uuid - # current_user is, or has :write permission on, the new owner - else - logger.warn "User #{current_user.uuid} tried to change owner_uuid of #{self.class.to_s} #{self.uuid} to #{self.owner_uuid} but does not have permission to write to #{self.owner_uuid}" - raise PermissionDeniedError - end - end - if new_record? - return true - elsif current_user.uuid == self.owner_uuid_was or + # Verify permission to write to old owner (unless owner_uuid was + # nil -- or hasn't changed, in which case the following + # "permission to write to new owner" block will take care of us) + unless !owner_uuid_changed? or + owner_uuid_was.nil? or + current_user.uuid == self.owner_uuid_was or current_user.uuid == self.uuid or current_user.can? write: self.owner_uuid_was - # current user is, or has :write permission on, the previous owner - return true - else - logger.warn "User #{current_user.uuid} tried to modify #{self.class.to_s} #{self.uuid} but does not have permission to write #{self.owner_uuid_was}" + logger.warn "User #{current_user.uuid} tried to modify #{self.class.to_s} #{uuid} but does not have permission to write old owner_uuid #{owner_uuid_was}" + errors.add :owner_uuid, "cannot be changed without write permission on old owner" + raise PermissionDeniedError + end + # Verify permission to write to new owner + unless current_user == self or current_user.can? write: owner_uuid + logger.warn "User #{current_user.uuid} tried to modify #{self.class.to_s} #{uuid} but does not have permission to write new owner_uuid #{owner_uuid}" + errors.add :owner_uuid, "cannot be changed without write permission on new owner" raise PermissionDeniedError end end @@ -447,6 +453,18 @@ class ArvadosModel < ActiveRecord::Base nil end + # ArvadosModel.find_by_uuid needs extra magic to allow it to return + # an object in any class. + def self.find_by_uuid uuid + if self == ArvadosModel + # If called directly as ArvadosModel.find_by_uuid rather than via subclass, + # delegate to the appropriate subclass based on the given uuid. + self.resource_class_for_uuid(uuid).find_by_uuid(uuid) + else + super + end + end + def log_start_state @old_etag = etag @old_attributes = logged_attributes