X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/918c139d84d76884be005477117fa418a0531441..1498ac2bab4aabdd71066e4644ad20a6ac555827:/app/controllers/application_controller.rb

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 738a07346b..b9d9743bdb 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -4,12 +4,13 @@ class ApplicationController < ActionController::Base
   protect_from_forgery
   before_filter :uncamelcase_params_hash_keys
   around_filter :thread_with_auth_info, :except => [:render_error, :render_not_found]
-  before_filter :find_object_by_uuid, :except => :index
+  before_filter :find_object_by_uuid, :except => [:index, :create]
 
   before_filter :remote_ip
   before_filter :login_required, :except => :render_not_found
 
   before_filter :catch_redirect_hint
+  attr_accessor :resource_attrs
 
   def catch_redirect_hint
     if !current_user
@@ -49,11 +50,15 @@ class ApplicationController < ActionController::Base
   end
 
   def index
+    uuid_list = [current_user.uuid, *current_user.groups_i_can(:read)]
+    sanitized_uuid_list = uuid_list.
+      collect { |uuid| model_class.sanitize(uuid) }.join(', ')
     @objects ||= model_class.
-      joins("LEFT JOIN links permissions ON permissions.head_uuid=#{table_name}.owner AND permissions.tail_uuid=#{model_class.sanitize current_user.uuid} AND permissions.link_class='permission'").
-      where("?=? OR #{table_name}.owner=? OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL",
+      joins("LEFT JOIN links permissions ON permissions.head_uuid=#{table_name}.owner AND permissions.tail_uuid in (#{sanitized_uuid_list}) AND permissions.link_class='permission'").
+      where("?=? OR #{table_name}.owner in (?) OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL",
             true, current_user.is_admin,
-            current_user.uuid, current_user.uuid)
+            uuid_list,
+            current_user.uuid)
     if params[:where]
       where = params[:where]
       where = Oj.load(where) if where.is_a?(String)
@@ -69,6 +74,11 @@ class ApplicationController < ActionController::Base
             conditions[0] << " and #{table_name}.#{attr}=?"
             conditions << value
           end
+        elsif (!value.nil? and attr == 'any' and
+          value.is_a?(Array) and value[0] == 'contains' and
+          model_class.columns.collect(&:name).index('name')) then
+            conditions[0] << " and #{table_name}.name ilike ?"
+            conditions << "%#{value[1]}%"
         end
       end
       if conditions.length > 1
@@ -86,6 +96,7 @@ class ApplicationController < ActionController::Base
     else
       @objects = @objects.limit(100)
     end
+    @objects = @objects.order('modified_at desc')
     @objects.uniq!(&:id)
     if params[:eager] and params[:eager] != '0' and params[:eager] != 0 and params[:eager] != ''
       @objects.each(&:eager_load_associations)
@@ -102,29 +113,33 @@ class ApplicationController < ActionController::Base
   end
 
   def create
-    @attrs = params[resource_name]
-    if @attrs.nil?
-      raise "no #{resource_name} (or #{resource_name.camelcase(:lower)}) provided with request #{params.inspect}"
-    end
-    if @attrs.class == String
-      @attrs = uncamelcase_hash_keys(Oj.load @attrs)
-    end
-    @object = model_class.new @attrs
+    @object = model_class.new resource_attrs
     @object.save
     show
   end
 
   def update
+    @object.update_attributes resource_attrs
+    show
+  end
+
+  protected
+
+  def resource_attrs
+    return @attrs if @attrs
     @attrs = params[resource_name]
     if @attrs.is_a? String
       @attrs = uncamelcase_hash_keys(Oj.load @attrs)
     end
-    @object.update_attributes @attrs
-    show
+    unless @attrs.is_a? Hash
+      raise "no #{resource_name} (or #{resource_name.camelcase(:lower)}) hash provided with request #{params.inspect}"
+    end
+    %w(created_at modified_by_client modified_by_user modified_at).each do |x|
+      @attrs.delete x
+    end
+    @attrs
   end
 
-  protected
-
   # Authentication
   def login_required
     if !current_user
@@ -144,14 +159,16 @@ class ApplicationController < ActionController::Base
       user = nil
       api_client = nil
       api_client_auth = nil
-      if params[:api_token]
+      supplied_token = params[:api_token] || params[:oauth_token]
+      if supplied_token
         api_client_auth = ApiClientAuthorization.
           includes(:api_client, :user).
-          where('api_token=?', params[:api_token]).
+          where('api_token=?', supplied_token).
           first
         if api_client_auth
           session[:user_id] = api_client_auth.user.id
           session[:api_client_uuid] = api_client_auth.api_client.uuid
+          session[:api_client_authorization_id] = api_client_auth.id
           user = api_client_auth.user
           api_client = api_client_auth.api_client
         end
@@ -160,16 +177,22 @@ class ApplicationController < ActionController::Base
         api_client = ApiClient.
           where('uuid=?',session[:api_client_uuid]).
           first rescue nil
+        api_client_auth = ApiClientAuthorization.
+          find session[:api_client_authorization_id]
       end
       Thread.current[:api_client_trusted] = session[:api_client_trusted]
       Thread.current[:api_client_ip_address] = remote_ip
+      Thread.current[:api_client_authorization] = api_client_auth
+      Thread.current[:api_client_uuid] = api_client && api_client.uuid
       Thread.current[:api_client] = api_client
       Thread.current[:user] = user
       yield
     ensure
       Thread.current[:api_client_trusted] = nil
       Thread.current[:api_client_ip_address] = nil
+      Thread.current[:api_client_authorization] = nil
       Thread.current[:api_client_uuid] = nil
+      Thread.current[:api_client] = nil
       Thread.current[:user] = nil
     end
   end