X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/ba917d72d48615cdd0c6da87d41b6bd0f9f26666..b112b002ee3239803d1948e99463144812a2c213:/services/api/app/controllers/application_controller.rb diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb index 6bac512043..649aa2b0df 100644 --- a/services/api/app/controllers/application_controller.rb +++ b/services/api/app/controllers/application_controller.rb @@ -1,3 +1,7 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: AGPL-3.0 + require 'safe_json' module ApiTemplateOverride @@ -28,6 +32,7 @@ class ApplicationController < ActionController::Base ERROR_ACTIONS = [:render_error, :render_not_found] + around_filter :set_current_request_id before_filter :disable_api_methods before_filter :set_cors_headers before_filter :respond_with_json_by_default @@ -83,9 +88,6 @@ class ApplicationController < ActionController::Base end def index - if @select.nil? || @select.include?("id") - @objects = @objects.uniq(&:id) - end if params[:eager] and params[:eager] != '0' and params[:eager] != 0 and params[:eager] != '' @objects.each(&:eager_load_associations) end @@ -179,7 +181,7 @@ class ApplicationController < ActionController::Base end def find_objects_for_index - @objects ||= model_class.readable_by(*@read_users) + @objects ||= model_class.readable_by(*@read_users, {:include_trash => (params[:include_trash] || 'untrash' == action_name)}) apply_where_limit_order_params end @@ -283,7 +285,7 @@ class ApplicationController < ActionController::Base limit_query = @objects. except(:select, :distinct). select("(%s) as read_length" % - limit_columns.map { |s| "octet_length(#{s})" }.join(" + ")) + limit_columns.map { |s| "octet_length(#{model_class.table_name}.#{s})" }.join(" + ")) new_limit = 0 read_total = 0 limit_query.each do |record| @@ -343,7 +345,7 @@ class ApplicationController < ActionController::Base .all end @read_auths.select! { |auth| auth.scopes_allow_request? request } - @read_users = @read_auths.map { |auth| auth.user }.uniq + @read_users = @read_auths.map(&:user).uniq end def require_login @@ -363,7 +365,7 @@ class ApplicationController < ActionController::Base end def require_auth_scope - if @read_auths.empty? + unless current_user && @read_auths.any? { |auth| auth.user.andand.uuid == current_user.uuid } if require_login != false send_error("Forbidden", status: 403) end @@ -371,6 +373,25 @@ class ApplicationController < ActionController::Base end end + def set_current_request_id + req_id = request.headers['X-Request-Id'] + if !req_id || req_id.length < 1 || req_id.length > 1024 + # Client-supplied ID is either missing or too long to be + # considered friendly. + req_id = "req-" + Random::DEFAULT.rand(2**128).to_s(36)[0..19] + end + response.headers['X-Request-Id'] = Thread.current[:request_id] = req_id + yield + Thread.current[:request_id] = nil + end + + def append_info_to_payload(payload) + super + payload[:request_id] = response.headers['X-Request-Id'] + payload[:client_ipaddr] = @remote_ip + payload[:client_auth] = current_api_client_authorization.andand.uuid || nil + end + def disable_api_methods if Rails.configuration.disable_api_methods. include?(controller_name + "." + action_name)