X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/d35a53563c7f8a901f6ea435e591d3889dfe9ca5..a326799df9f652cd3bbee7956ea8a912d6acc4bd:/app/models/metadatum.rb?ds=sidebyside
diff --git a/app/models/metadatum.rb b/app/models/metadatum.rb
index 48f397f6bd..3ce96f6569 100644
--- a/app/models/metadatum.rb
+++ b/app/models/metadatum.rb
@@ -1,8 +1,10 @@
-class Metadatum < ActiveRecord::Base
+class Metadatum < OrvosModel
   include AssignUuid
   include KindAndEtag
   include CommonApiTemplate
   serialize :info, Hash
+  before_create :permission_to_attach_to_objects
+  before_update :permission_to_attach_to_objects
   api_accessible :superuser, :extend => :common do |t|
     t.add :tail_kind
@@ -18,4 +20,37 @@ class Metadatum < ActiveRecord::Base
     @info ||= Hash.new
     super
   end
+
+  protected
+
+  def permission_to_attach_to_objects
+    # Anonymous users cannot write metadata
+    return false if !current_user
+
+    # All users can write metadata that doesn't affect permissions
+    return true if self.metadata_class != 'permission'
+
+    # Administrators can grant permissions
+    return true if current_user.is_admin
+
+    # All users can grant permissions on objects they own
+    head_obj = self.class.
+      kind_class(self.head_kind).
+      where('uuid=?',head_uuid).
+      first
+    if head_obj
+      return true if head_obj.owner == current_user.uuid
+    end
+
+    # Users with "can_grant" permission on an object can grant
+    # permissions on that object
+    has_grant_permission = self.class.
+      where('metadata_class=? AND name=? AND tail=? AND head=?',
+            'permission', 'can_grant', current_user.uuid, self.head).
+      count > 0
+    return true if has_grant_permission
+
+    # Default = deny.
+    false
+  end
 end
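Review bot: `permission_to_attach_to_objects` only inspects the record's new attribute values, so under `before_update` a row that is currently a `'permission'` record can be rewritten to another `metadata_class` (or re-pointed at a different head) by any authenticated user who satisfies the checks for the new values, which amounts to a revoke that bypasses the ownership/can_grant tests; the early exit should also consult the prior value, e.g. `return true if metadata_class != 'permission' && metadata_class_was != 'permission'`, and the ownership/can_grant checks should be applied to the old head as well when it changes. No `before_destroy` guard is registered, so deleting a permission row is not checked here at all unless OrvosModel (outside this hunk) covers it — worth confirming. The can_grant query filters on `tail=?`/`head=?` and passes `self.head`, while the rest of the method uses `head_kind`/`head_uuid`; if the actual columns are `head_uuid`/`tail_uuid` this branch raises on the first non-admin, non-owner grant attempt instead of evaluating, which a model test should pin down. `kind_class(self.head_kind)` presumably returns nil for an unknown or missing kind, in which case `.where` raises `NoMethodError` rather than falling through to the deny; a `return false unless (head_class = self.class.kind_class(head_kind))` guard would keep the callback's failure mode as a clean deny.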