X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/bdc87ddb113a2e05dd859a7f68f5fe1135bbc650..ac5cd5913a208c463206d2fa6cf62e42148682a4:/services/api/app/models/user.rb
diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index 497a693bb8..e4881edf4e 100644
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -111,39 +111,17 @@ class User < ArvadosModel
 end
 
 def self.setup(user, openid_prefix, repo_name=nil, vm_uuid=nil)
- login_perm_props = {identity_url_prefix: openid_prefix}
-
- # Check oid_login_perm
- oid_login_perms = Link.where(tail_uuid: user.email,
- head_kind: 'arvados#user',
- link_class: 'permission',
- name: 'can_login')
-
- if !oid_login_perms.any?
- # create openid login permission
- oid_login_perm = Link.create(link_class: 'permission',
- name: 'can_login',
- tail_kind: 'email',
- tail_uuid: user.email,
- head_kind: 'arvados#user',
- head_uuid: user.uuid,
- properties: login_perm_props
- )
- logger.info { "openid login permission: " + oid_login_perm[:uuid] }
- else
- oid_login_perm = oid_login_perms.first
- end
-
- return [oid_login_perm] + user.setup_repo_vm_links(repo_name, vm_uuid)
+ return user.setup_repo_vm_links(repo_name, vm_uuid, openid_prefix)
 end
 
 # create links
- def setup_repo_vm_links(repo_name, vm_uuid)
+ def setup_repo_vm_links(repo_name, vm_uuid, openid_prefix)
+ oid_login_perm = create_oid_login_perm openid_prefix
 repo_perm = create_user_repo_link repo_name
 vm_login_perm = create_vm_login_permission_link vm_uuid, repo_name
 group_perm = create_user_group_link
 
- return [repo_perm, vm_login_perm, group_perm, self].compact
+ return [oid_login_perm, repo_perm, vm_login_perm, group_perm, self].compact
 end
 
 # delete user signatures, login, repo, and vm perms, and mark as inactive
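Review bot: `setup_repo_vm_links` now takes `openid_prefix` as a required third positional argument, so any caller outside this hunk that still passes two arguments will raise ArgumentError; callers are not visible here, so they should be checked or the parameter given a default. The `# create links` comment above it no longer describes the method, which now also creates the OpenID `can_login` permission; I would change it to `# create the openid login permission plus repo, vm and group links; returns the non-nil links followed by self`. Because the login link now passes through `.compact`, a nil result is dropped from the returned array instead of appearing as its first element, which is worth stating in that comment.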
@@ -175,6 +153,19 @@ class User < ArvadosModel Link.delete perm end + # delete "All users' group read permissions for this user + group = Group.where(name: 'All users').select do |g| + g[:uuid].match /-f+$/ + end.first + group_perms = Link.where(tail_uuid: self.uuid, + head_uuid: group[:uuid], + head_kind: 'arvados#group', + link_class: 'permission', + name: 'can_read') + group_perms.each do |perm| + Link.delete perm + end + # delete any signatures by this user signed_uuids = Link.where(link_class: 'signature', tail_kind: 'arvados#user', @@ -257,6 +248,33 @@ class User < ArvadosModel merged end + def create_oid_login_perm (openid_prefix) + login_perm_props = {identity_url_prefix: openid_prefix} + + # Check oid_login_perm + oid_login_perms = Link.where(tail_uuid: self.email, + head_kind: 'arvados#user', + link_class: 'permission', + name: 'can_login') + + if !oid_login_perms.any? + # create openid login permission + oid_login_perm = Link.create(link_class: 'permission', + name: 'can_login', + tail_kind: 'email', + tail_uuid: self.email, + head_kind: 'arvados#user', + head_uuid: self.uuid, + properties: login_perm_props + ) + logger.info { "openid login permission: " + oid_login_perm[:uuid] } + else + oid_login_perm = oid_login_perms.first + end + + return oid_login_perm + end + def create_user_repo_link(repo_name) # repo_name is optional if not repo_name @@ -320,7 +338,16 @@ class User < ArvadosModel head_kind: 'arvados#virtualMachine', link_class: 'permission', name: 'can_login') - if !login_perms.any? + + perm_exists = false + login_perms.each do |perm| + if perm.properties[:username] == repo_name + perm_exists = true + break + end + end + + if !perm_exists login_perm = Link.create(tail_kind: 'arvados#user', tail_uuid: self.uuid, head_kind: 'arvados#virtualMachine',
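Review bot: In the added block, `group` is nil when no 'All users' group has a uuid matching the pattern, and `group[:uuid]` then raises NoMethodError before the signature deletion and the rest of this method run; by the method's own header comment that includes marking the user inactive, so the account could be left only partly deprovisioned unless the caller wraps this in a transaction (not visible here). Guard the lookup, for example `group_perms = group ? Link.where(tail_uuid: self.uuid, head_uuid: group[:uuid], ...) : []`. The pattern `/-f+$/` is anchored with `$`, which matches at any line end; `\z` states the intent, and writing `g[:uuid].match(/-f+\z/)` with parentheses avoids Ruby's ambiguous-argument warning. The enclosing method starts and ends outside the hunk.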
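Review bot: The lookup in `create_oid_login_perm` filters on `tail_uuid: self.email` but not on `head_uuid`, so a `can_login` link from the same email address to a different user record satisfies `oid_login_perms.any?`; the method then returns that other account's link and creates none for `self`. Adding `head_uuid: self.uuid` to the `Link.where` conditions ties the check to this user, and if sharing one link across accounts is intended, a comment should say so. An existing link is also reused without comparing its `identity_url_prefix` property to the `openid_prefix` passed in. In the create branch, `oid_login_perm[:uuid]` is nil if `Link.create` fails validation, and the string concatenation in the log block would then raise TypeError; interpolation, `"openid login permission: #{oid_login_perm[:uuid]}"`, avoids that.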
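Review bot: The added loop reads `perm.properties[:username]` with a symbol key; if `properties` comes back from storage with string keys the check never matches and a duplicate `can_login` link is created on every call, and if it is nil on an older link the lookup raises. How `properties` is serialized is not visible in this diff, so this should be confirmed. The flag-and-break loop can be written as `perm_exists = login_perms.any? { |perm| perm.properties && perm.properties[:username] == repo_name }`. The method's `else` branch lies outside the hunk; if it still takes `login_perms.first`, it may now return a link for a different username than the one that matched.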