X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/c6c2f3518bc745eed95b5f5b81db5d17db4366ff..7aaf9f22aa646077b4b7fd961d6b731185b88137:/services/api/app/models/user.rb diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb index 6f30b27a95..2e862d3ae6 100644 --- a/services/api/app/models/user.rb +++ b/services/api/app/models/user.rb @@ -161,6 +161,10 @@ SELECT 1 FROM #{PERMISSION_VIEW} MaterializedPermission.where("user_uuid = ? and target_uuid != ?", uuid, uuid).delete_all end + def forget_cached_group_perms + @group_perms = nil + end + def remove_self_from_permissions MaterializedPermission.where("target_uuid = ?", uuid).delete_all check_permissions_against_full_refresh @@ -191,25 +195,35 @@ SELECT user_uuid, target_uuid, perm_level # and perm_hash[:write] are true if this user can read and write # objects owned by group_uuid. def group_permissions(level=1) - group_perms = {} - - user_uuids_subquery = USER_UUIDS_SUBQUERY_TEMPLATE % {user: "$1", perm_level: "$2"} + @group_perms ||= {} + if @group_perms.empty? + user_uuids_subquery = USER_UUIDS_SUBQUERY_TEMPLATE % {user: "$1", perm_level: 1} - ActiveRecord::Base.connection. - exec_query(%{ + ActiveRecord::Base.connection. + exec_query(%{ SELECT target_uuid, perm_level FROM #{PERMISSION_VIEW} - WHERE user_uuid in (#{user_uuids_subquery}) and perm_level >= $2 + WHERE user_uuid in (#{user_uuids_subquery}) and perm_level >= 1 }, - # "name" arg is a query label that appears in logs: - "User.group_permissions", - # "binds" arg is an array of [col_id, value] for '$1' vars: - [[nil, uuid], - [nil, level]]). - rows.each do |group_uuid, max_p_val| - group_perms[group_uuid] = PERMS_FOR_VAL[max_p_val.to_i] + # "name" arg is a query label that appears in logs: + "User.group_permissions", + # "binds" arg is an array of [col_id, value] for '$1' vars: + [[nil, uuid]]). + rows.each do |group_uuid, max_p_val| + @group_perms[group_uuid] = PERMS_FOR_VAL[max_p_val.to_i] + end + end + + case level + when 1 + @group_perms + when 2 + @group_perms.select {|k,v| v[:write] } + when 3 + @group_perms.select {|k,v| v[:manage] } + else + raise "level must be 1, 2 or 3" end - group_perms end # create links @@ -251,6 +265,8 @@ SELECT target_uuid, perm_level end end + forget_cached_group_perms + return [repo_perm, vm_login_perm, group_perm, self].compact end @@ -290,6 +306,7 @@ SELECT target_uuid, perm_level # mark the user as inactive self.is_admin = false # can't be admin and inactive self.is_active = false + forget_cached_group_perms self.save! end @@ -345,37 +362,6 @@ SELECT target_uuid, perm_level end end - def update_uuid(new_uuid:) - if !current_user.andand.is_admin - raise PermissionDeniedError - end - if uuid == system_user_uuid || uuid == anonymous_user_uuid - raise "update_uuid cannot update system accounts" - end - if self.class != self.class.resource_class_for_uuid(new_uuid) - raise "invalid new_uuid #{new_uuid.inspect}" - end - transaction(requires_new: true) do - reload - old_uuid = self.uuid - self.uuid = new_uuid - save!(validate: false) - change_all_uuid_refs(old_uuid: old_uuid, new_uuid: new_uuid) - ActiveRecord::Base.connection.exec_update %{ -update #{PERMISSION_VIEW} set user_uuid=$1 where user_uuid = $2 -}, - 'User.update_uuid.update_permissions_user_uuid', - [[nil, new_uuid], - [nil, old_uuid]] - ActiveRecord::Base.connection.exec_update %{ -update #{PERMISSION_VIEW} set target_uuid=$1 where target_uuid = $2 -}, - 'User.update_uuid.update_permissions_target_uuid', - [[nil, new_uuid], - [nil, old_uuid]] - end - end - # Move this user's (i.e., self's) owned items to new_owner_uuid and # new_user_uuid (for things normally owned directly by the user). #