X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/85ee7f10d6aa8084da51a388011395c080842c70..1a4282c6d30b209a882c255e0d5777851ff6f034:/services/api/app/controllers/arvados/v1/users_controller.rb
diff --git a/services/api/app/controllers/arvados/v1/users_controller.rb b/services/api/app/controllers/arvados/v1/users_controller.rb
index 568dd97a10..50ee3b0547 100644
--- a/services/api/app/controllers/arvados/v1/users_controller.rb
+++ b/services/api/app/controllers/arvados/v1/users_controller.rb
@@ -114,38 +114,39 @@ class Arvados::V1::UsersController < ApplicationController show end - # update profile for the user - def profile - reload_object_before_update - - # update profile - @object.profile params - - # profile update succeeded. send email if requested by the client - profile_notification_address = params[:send_profile_notification_email] - if profile_notification_address - ProfileNotifier.profile_created(@object, profile_notification_address).deliver - end - - show - end - protected def self._setup_requires_parameters { - send_notification_email: { type: 'boolean', required: true }, + user: { + type: 'object', required: false + }, + openid_prefix: { + type: 'string', required: false + }, + repo_name: { + type: 'string', required: false + }, + vm_uuid: { + type: 'string', required: false + }, + send_notification_email: { + type: 'boolean', required: false, default: false + }, } end - def find_objects_for_index - if (action_name == "index") and (not @read_users.any? { |u| u.is_admin }) - # Non-admin index returns very basic information about all active users. - # We ignore where and filters params to avoid leaking information. - @where = {} - @filters = [] - @select = ["uuid", "is_active", "email", "first_name", "last_name"] - @objects = model_class.where(is_active: true) + def apply_filters + return super if @read_users.any? &:is_admin + if params[:uuid] != current_user.andand.uuid + # Non-admin index/show returns very basic information about readable users. + safe_attrs = ["uuid", "is_active", "email", "first_name", "last_name"] + if @select + @select = @select & safe_attrs + else + @select = safe_attrs + end + @filters += [['is_active', '=', true]] end super end
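Review bot: In the non-admin branch of `apply_filters`, client-supplied `@filters` are kept and only `['is_active', '=', true]` is appended, and `@where` is no longer reset, whereas the removed `find_objects_for_index` cleared both "to avoid leaking information". Narrowing `@select` to `safe_attrs` limits which columns are returned, but it does not stop a caller from inferring the value of an attribute outside that list by seeing which rows a filter on it matches. Unless the parent `apply_filters` (not visible in this hunk) already constrains this, apply the same allowlist to filter attributes before appending the `is_active` filter, e.g. `@filters = @filters.select { |attr, _op, _val| safe_attrs.include?(attr) }`, and keep `@where = {}`. Separately, the guard `params[:uuid] != current_user.andand.uuid` is false when both sides are nil, so a request with no `uuid` param and no current user would skip the restriction; `if current_user.nil? || params[:uuid] != current_user.uuid` closes that case, assuming such a request can reach this method. It is also worth confirming how an empty `@select & safe_attrs` result is treated downstream, since `[]` is truthy in Ruby and may not mean "no columns" to the query builder.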