X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/cdff1d7e5eadb611578090585e1e54aae41e7e66..948c4e583b89e28730f8a0d2ae3f94e459351b30:/services/api/app/models/arvados_model.rb diff --git a/services/api/app/models/arvados_model.rb b/services/api/app/models/arvados_model.rb index 518d4c8ff3..05deba7bc1 100644 --- a/services/api/app/models/arvados_model.rb +++ b/services/api/app/models/arvados_model.rb @@ -255,74 +255,55 @@ class ArvadosModel < ActiveRecord::Base # Collect the UUIDs of the authorized users. sql_table = kwargs.fetch(:table_name, table_name) include_trash = kwargs.fetch(:include_trash, false) - query_on = kwargs.fetch(:query_on, self) sql_conds = [] user_uuids = users_list.map { |u| u.uuid } - User.install_view('permission') + exclude_trashed_records = if !include_trash and (sql_table == "groups" or sql_table == "collections") then + # Only include records that are not explicitly trashed + "AND #{sql_table}.is_trashed = false" + else + "" + end - # Check if any of the users are admin. if users_list.select { |u| u.is_admin }.any? if !include_trash - # exclude rows that are trashed. - if self.column_names.include? "owner_uuid" - sql_conds += ["NOT EXISTS(SELECT target_uuid - FROM permission_view - WHERE trashed = 1 AND - (#{sql_table}.uuid = target_uuid OR #{sql_table}.owner_uuid = target_uuid))"] - else - sql_conds += ["NOT EXISTS(SELECT target_uuid - FROM permission_view - WHERE trashed = 1 AND - (#{sql_table}.uuid = target_uuid))"] + if sql_table != "api_client_authorizations" + # Exclude rows where the owner is trashed + sql_conds.push "NOT EXISTS(SELECT 1 "+ + "FROM #{PERMISSION_VIEW} "+ + "WHERE trashed = 1 AND "+ + "(#{sql_table}.owner_uuid = target_uuid)) "+ + exclude_trashed_records end end else - trash_clause = if !include_trash then "trashed = 0 AND" else "" end - - # Can read object (evidently a group or user) whose UUID is listed - # explicitly in user_uuids. - sql_conds += ["#{sql_table}.uuid IN (:user_uuids)"] - - direct_permission_check = "EXISTS(SELECT 1 FROM permission_view - WHERE user_uuid IN (:user_uuids) AND perm_level >= 1 AND #{trash_clause} - (#{sql_table}.uuid = target_uuid))" - - if self.column_names.include? "owner_uuid" - # if an explicit permission row exists for the uuid in question, apply - # the "direct_permission_check" - # if not, check for permission to read the owner instead - sql_conds += ["CASE - WHEN EXISTS(select 1 FROM permission_view where target_uuid = #{sql_table}.uuid) - THEN #{direct_permission_check} - ELSE EXISTS(SELECT 1 FROM permission_view - WHERE user_uuid IN (:user_uuids) AND perm_level >= 1 AND #{trash_clause} - (#{sql_table}.owner_uuid = target_uuid AND target_owner_uuid is NOT NULL)) - END"] - # Can also read if one of the users is the owner of the object. - trash_clause = if !include_trash - "1 NOT IN (SELECT trashed - FROM permission_view - WHERE #{sql_table}.uuid = target_uuid) AND" - else - "" - end - sql_conds += ["(#{trash_clause} #{sql_table}.owner_uuid IN (:user_uuids))"] - else - sql_conds += [direct_permission_check] - end + trashed_check = if !include_trash then + "AND trashed = 0" + else + "" + end + + owner_check = if sql_table != "api_client_authorizations" and sql_table != "groups" then + "OR (target_uuid = #{sql_table}.owner_uuid AND target_owner_uuid IS NOT NULL)" + else + "" + end + + sql_conds.push "EXISTS(SELECT 1 FROM #{PERMISSION_VIEW} "+ + "WHERE user_uuid IN (:user_uuids) AND perm_level >= 1 #{trashed_check} AND (target_uuid = #{sql_table}.uuid #{owner_check})) "+ + exclude_trashed_records if sql_table == "links" # Match any permission link that gives one of the authorized # users some permission _or_ gives anyone else permission to # view one of the authorized users. - sql_conds += ["(#{sql_table}.link_class IN (:permission_link_classes) AND "+ - "(#{sql_table}.head_uuid IN (:user_uuids) OR #{sql_table}.tail_uuid IN (:user_uuids)))"] + sql_conds.push "(#{sql_table}.link_class IN (:permission_link_classes) AND "+ + "(#{sql_table}.head_uuid IN (:user_uuids) OR #{sql_table}.tail_uuid IN (:user_uuids)))" end end - query_on.where(sql_conds.join(' OR '), + self.where(sql_conds.join(' OR '), user_uuids: user_uuids, permission_link_classes: ['permission', 'resources']) end @@ -384,13 +365,14 @@ class ArvadosModel < ActiveRecord::Base def self.full_text_searchable_columns self.columns.select do |col| - col.type == :string or col.type == :text + [:string, :text, :jsonb].include?(col.type) end.map(&:name) end def self.full_text_tsvector parts = full_text_searchable_columns.collect do |column| - "coalesce(#{column},'')" + cast = serialized_attributes[column] ? '::text' : '' + "coalesce(#{column}#{cast},'')" end "to_tsvector('english', #{parts.join(" || ' ' || ")})" end @@ -760,7 +742,7 @@ class ArvadosModel < ActiveRecord::Base if self == ArvadosModel # If called directly as ArvadosModel.find_by_uuid rather than via subclass, # delegate to the appropriate subclass based on the given uuid. - self.resource_class_for_uuid(uuid).unscoped.find_by_uuid(uuid) + self.resource_class_for_uuid(uuid).find_by_uuid(uuid) else super end