X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/cc8174aca759773fa661bd9172f877b2d639576b..07dbd859d0b05d79680570c00c43a722102d7ea3:/services/api/app/models/user.rb diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb index 564274bc99..dd447ca51a 100644 --- a/services/api/app/models/user.rb +++ b/services/api/app/models/user.rb @@ -21,6 +21,7 @@ class User < ArvadosModel }, uniqueness: true, allow_nil: true) + validate :must_unsetup_to_deactivate before_update :prevent_privilege_escalation before_update :prevent_inactive_admin before_update :verify_repositories_empty, :if => Proc.new { |user| @@ -187,18 +188,20 @@ class User < ArvadosModel end # create links - def setup(openid_prefix:, repo_name: nil, vm_uuid: nil) - oid_login_perm = create_oid_login_perm openid_prefix + def setup(repo_name: nil, vm_uuid: nil) repo_perm = create_user_repo_link repo_name vm_login_perm = create_vm_login_permission_link(vm_uuid, username) if vm_uuid group_perm = create_user_group_link - return [oid_login_perm, repo_perm, vm_login_perm, group_perm, self].compact + return [repo_perm, vm_login_perm, group_perm, self].compact end # delete user signatures, login, repo, and vm perms, and mark as inactive def unsetup # delete oid_login_perms for this user + # + # note: these permission links are obsolete, they have no effect + # on anything and they are not created for new users. Link.where(tail_uuid: self.email, link_class: 'permission', name: 'can_login').destroy_all @@ -234,6 +237,37 @@ class User < ArvadosModel self.save! end + def must_unsetup_to_deactivate + if self.is_active_changed? && + self.is_active_was == true && + !self.is_active + + group = Group.where(name: 'All users').select do |g| + g[:uuid].match(/-f+$/) + end.first + + # When a user is set up, they are added to the "All users" + # group. A user that is part of the "All users" group is + # allowed to self-activate. + # + # It doesn't make sense to deactivate a user (set is_active = + # false) without first removing them from the "All users" group, + # because they would be able to immediately reactivate + # themselves. + # + # The 'unsetup' method removes the user from the "All users" + # group (and also sets is_active = false) so send a message + # explaining the correct way to deactivate a user. + # + if Link.where(tail_uuid: self.uuid, + head_uuid: group[:uuid], + link_class: 'permission', + name: 'can_read').any? + errors.add :is_active, "cannot be set to false directly, use the 'Deactivate' button on Workbench, or the 'unsetup' API call" + end + end + end + def set_initial_username(requested: false) if !requested.is_a?(String) || requested.empty? email_parts = email.partition("@") @@ -376,10 +410,12 @@ class User < ArvadosModel user = self redirects = 0 while (uuid = user.redirect_to_user_uuid) - user = User.unscoped.find_by_uuid(uuid) - if !user - raise Exception.new("user uuid #{user.uuid} redirects to nonexistent uuid #{uuid}") + break if uuid.empty? + nextuser = User.unscoped.find_by_uuid(uuid) + if !nextuser + raise Exception.new("user uuid #{user.uuid} redirects to nonexistent uuid '#{uuid}'") end + user = nextuser redirects += 1 if redirects > 15 raise "Starting from #{self.uuid} redirect_to_user_uuid exceeded maximum number of redirects" @@ -399,8 +435,6 @@ class User < ArvadosModel # alternate_emails # identity_url - info = info.with_indifferent_access - primary_user = nil # local database @@ -426,7 +460,7 @@ class User < ArvadosModel if !primary_user primary_user = user.redirects_to elsif primary_user.uuid != user.redirects_to.uuid - raise "Ambigious email address, directs to both #{primary_user.uuid} and #{user.redirects_to.uuid}" + raise "Ambiguous email address, directs to both #{primary_user.uuid} and #{user.redirects_to.uuid}" end end end @@ -437,7 +471,7 @@ class User < ArvadosModel :is_admin => false, :is_active => Rails.configuration.Users.NewUsersAreActive) - primary_user.set_initial_username(requested: info['username']) if info['username'] + primary_user.set_initial_username(requested: info['username']) if info['username'] && !info['username'].blank? primary_user.identity_url = info['identity_url'] if identity_url end @@ -579,30 +613,6 @@ class User < ArvadosModel merged end - def create_oid_login_perm(openid_prefix) - # Check oid_login_perm - oid_login_perms = Link.where(tail_uuid: self.email, - head_uuid: self.uuid, - link_class: 'permission', - name: 'can_login') - - if !oid_login_perms.any? - # create openid login permission - oid_login_perm = Link.create!(link_class: 'permission', - name: 'can_login', - tail_uuid: self.email, - head_uuid: self.uuid, - properties: { - "identity_url_prefix" => openid_prefix, - }) - logger.info { "openid login permission: " + oid_login_perm[:uuid] } - else - oid_login_perm = oid_login_perms.first - end - - return oid_login_perm - end - def create_user_repo_link(repo_name) # repo_name is optional if not repo_name @@ -684,13 +694,13 @@ class User < ArvadosModel def setup_on_activate return if [system_user_uuid, anonymous_user_uuid].include?(self.uuid) if is_active && (new_record? || is_active_changed?) - setup(openid_prefix: Rails.configuration.default_openid_prefix) + setup end end # Automatically setup new user during creation def auto_setup_new_user - setup(openid_prefix: Rails.configuration.default_openid_prefix) + setup if username create_vm_login_permission_link(Rails.configuration.Users.AutoSetupNewUsersWithVmUUID, username)