X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a1c4ece152e1e992c18f0cb368528cd2ac843b07..7407f41105f8000bb3908d41a31daaf3a30d9440:/services/api/app/models/container.rb
diff --git a/services/api/app/models/container.rb b/services/api/app/models/container.rb
index 8999b3e14e..912a801a6f 100644
--- a/services/api/app/models/container.rb
+++ b/services/api/app/models/container.rb
@@ -423,6 +423,10 @@ class Container < ArvadosModel
 current_user.andand.is_admin
 end
 
+ def permission_to_destroy
+ current_user.andand.is_admin
+ end
+
 def ensure_owner_uuid_is_permitted
 # validate_change ensures owner_uuid can't be changed at all --
 # except during create, which requires admin privileges. Checking
@@ -566,8 +570,13 @@ class Container < ArvadosModel
 return errors.add :auth_uuid, 'is readonly'
 end
 if not [Locked, Running].include? self.state
- # don't need one
- self.auth.andand.update_attributes(expires_at: db_current_time)
+ # Don't need one. If auth already exists, expire it.
+ #
+ # We use db_transaction_time here (not db_current_time) to
+ # ensure the token doesn't validate later in the same
+ # transaction (e.g., in a test case) by satisfying expires_at >
+ # transaction timestamp.
+ self.auth.andand.update_attributes(expires_at: db_transaction_time)
 self.auth = nil
 return
 elsif self.auth
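Review bot: The new `permission_to_destroy` in the first hunk has no comment stating the intended policy, and the hunk does not show where it is invoked. A one-line comment such as `# Only admins may delete container records; a nil current_user (andand returns nil) is also denied.` would record that the nil case is meant to fail closed. Whether the base class actually calls this hook before a destroy is outside the hunk, so a test that a non-admin and an anonymous request both fail to delete a container would confirm the check is enforced.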
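Review bot: The result of `update_attributes` is still discarded in the second hunk, so if expiring the token fails (it returns false on a validation error), the following `self.auth = nil` runs anyway and the container drops its reference to a token that remains valid. Using the raising form, `self.auth.andand.update_attributes!(expires_at: db_transaction_time)`, would make a failed expiry abort the save instead of passing silently. The added comment also depends on token validation comparing `expires_at` strictly against the transaction timestamp; that comparison is not visible here, so a test asserting the token is rejected within the same transaction would pin the behaviour. The enclosing method begins and ends outside the hunk.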