X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a9980e0967507a3d74a12f93d82f8330c8ce3009..607fe087f6167061714a524dd53cbbc21b974973:/services/api/app/controllers/arvados/v1/links_controller.rb

diff --git a/services/api/app/controllers/arvados/v1/links_controller.rb b/services/api/app/controllers/arvados/v1/links_controller.rb
index 722afd13a9..acc7100f08 100644
--- a/services/api/app/controllers/arvados/v1/links_controller.rb
+++ b/services/api/app/controllers/arvados/v1/links_controller.rb
@@ -2,7 +2,8 @@ class Arvados::V1::LinksController < ApplicationController
 
   def check_uuid_kind uuid, kind
     if kind and ArvadosModel::resource_class_for_uuid(uuid).andand.kind != kind
-      render :json => { errors: ["'#{kind}' does not match uuid '#{uuid}', expected '#{ArvadosModel::resource_class_for_uuid(uuid).andand.kind}'"] }.to_json, status: 422
+      send_error("'#{kind}' does not match uuid '#{uuid}', expected '#{ArvadosModel::resource_class_for_uuid(uuid).andand.kind}'",
+                 status: 422)
       nil
     else
       true
@@ -19,7 +20,7 @@ class Arvados::V1::LinksController < ApplicationController
   end
 
   def get_permissions
-    if current_user.can?(manage: @object)
+    if current_user.andand.can?(manage: @object)
       # find all links and return them
       @objects = Link.where(link_class: "permission",
                             head_uuid: params[:uuid])
@@ -33,16 +34,26 @@ class Arvados::V1::LinksController < ApplicationController
 
   protected
 
-  # Override find_object_by_uuid: the get_permissions method may be
-  # called on a uuid belonging to any class.
   def find_object_by_uuid
     if action_name == 'get_permissions'
+      # get_permissions accepts a UUID for any kind of object.
       @object = ArvadosModel::resource_class_for_uuid(params[:uuid])
         .readable_by(*@read_users)
         .where(uuid: params[:uuid])
         .first
     else
       super
+      if @object.nil?
+        # Normally group permission links are not readable_by users.
+        # Make an exception for users with permission to manage the group.
+        # FIXME: Solve this more generally - see the controller tests.
+        link = Link.find_by_uuid(params[:uuid])
+        if (not link.nil?) and
+            (link.link_class == "permission") and
+            (@read_users.any? { |u| u.can?(manage: link.head_uuid) })
+          @object = link
+        end
+      end
     end
   end