X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/9551b59d3aab67f77240b90bbb550faec6b2a7d9..2e727c5d2d000faa6f1d9a566dc59568f1b276fe:/services/api/app/models/arvados_model.rb
diff --git a/services/api/app/models/arvados_model.rb b/services/api/app/models/arvados_model.rb
index e7ffe740b1..c2725506c0 100644
--- a/services/api/app/models/arvados_model.rb
+++ b/services/api/app/models/arvados_model.rb
@@ -275,18 +275,22 @@ class ArvadosModel < ApplicationRecord
 def can_write
 if respond_to?(:frozen_by_uuid) && frozen_by_uuid
+ # This special case is needed to return the correct value from a
+ # "freeze project" API, during which writable status changes
+ # from true to false.
+ #
+ # current_user.can?(write: self) returns true (which is correct
+ # in the context of permission-checking hooks) but the can_write
+ # value we're returning to the caller here represents the state
+ # _after_ the update, i.e., false.
 return false
 else
- return owner_uuid == current_user.uuid ||
- current_user.is_admin ||
- current_user.can?(write: uuid)
+ return current_user.can?(write: self)
 end
 end
 def can_manage
- return owner_uuid == current_user.uuid ||
- current_user.is_admin ||
- current_user.can?(manage: uuid)
+ return current_user.can?(manage: self)
 end
 # Return a query with read permissions restricted to the union of the
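Review bot: Both `can_write` and `can_manage` now rest entirely on `current_user.can?` being handed the model itself, with the explicit owner and admin checks removed. `can?` is defined outside this hunk, so it is not visible here that it still grants owners and admins when given an object rather than a uuid, or how it treats a record whose `uuid` is still nil. A short comment on each return would record that dependency, e.g. `# can? already covers the owner and admin cases for a model argument`, and a test pinning the admin, owner and unrelated-user results for both methods would guard against a silent permission change. `can_manage` also has no counterpart to the frozen-project branch in `can_write`; if manage is meant to stay true on a frozen project, a one-line comment saying so would keep the two methods from looking inconsistent.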