X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/e346e5d3bd09f4b9fe66538a825cf866faeb308b..73e1bfac301b9285f734374abe84d8146897c585:/services/api/app/controllers/application_controller.rb

diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index 9dd23e8d9a..434b09572b 100644
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -2,11 +2,10 @@ class ApplicationController < ActionController::Base
   include CurrentApiClient
 
   protect_from_forgery
-  before_filter :uncamelcase_params_hash_keys
   around_filter :thread_with_auth_info, :except => [:render_error, :render_not_found]
 
   before_filter :remote_ip
-  before_filter :login_required, :except => :render_not_found
+  before_filter :require_auth_scope_all, :except => :render_not_found
   before_filter :catch_redirect_hint
 
   before_filter :load_where_param, :only => :index
@@ -25,7 +24,7 @@ class ApplicationController < ActionController::Base
 
   def show
     if @object
-      render json: @object.as_api_response(:superuser)
+      render json: @object.as_api_response
     else
       render_not_found("object not found")
     end
@@ -38,7 +37,9 @@ class ApplicationController < ActionController::Base
   end
 
   def update
-    attrs_to_update = resource_attrs.reject { |k,v| [:kind,:etag].index k }
+    attrs_to_update = resource_attrs.reject { |k,v|
+      [:kind, :etag, :href].index k
+    }
     if @object.update_attributes attrs_to_update
       show
     else
@@ -68,7 +69,7 @@ class ApplicationController < ActionController::Base
     :with => :render_not_found
     rescue_from ActionController::UnknownController,
     :with => :render_not_found
-    rescue_from ActionController::UnknownAction,
+    rescue_from AbstractController::ActionNotFound,
     :with => :render_not_found
     rescue_from ArvadosModel::PermissionDeniedError,
     :with => :render_error
@@ -82,7 +83,8 @@ class ApplicationController < ActionController::Base
     else
       errors = [e.inspect]
     end
-    render json: { errors: errors }, status: 422
+    status = e.respond_to?(:http_status) ? e.http_status : 422
+    render json: { errors: errors }, status: status
   end
 
   def render_not_found(e=ActionController::RoutingError.new("Path not found"))
@@ -189,7 +191,7 @@ class ApplicationController < ActionController::Base
     return @attrs if @attrs
     @attrs = params[resource_name]
     if @attrs.is_a? String
-      @attrs = uncamelcase_hash_keys(Oj.load @attrs)
+      @attrs = Oj.load @attrs
     end
     unless @attrs.is_a? Hash
       message = "No #{resource_name}"
@@ -206,8 +208,10 @@ class ApplicationController < ActionController::Base
   end
 
   # Authentication
-  def login_required
-    if !current_user
+  def require_login
+    if current_user
+      true
+    else
       respond_to do |format|
         format.json {
           render :json => { errors: ['Not logged in'] }.to_json, status: 401
@@ -216,6 +220,7 @@ class ApplicationController < ActionController::Base
           redirect_to '/auth/joshid'
         }
       end
+      false
     end
   end
 
@@ -225,7 +230,18 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def require_auth_scope_all
+    require_login and require_auth_scope(['all'])
+  end
+
+  def require_auth_scope(ok_scopes)
+    unless current_api_client_auth_has_scope(ok_scopes)
+      render :json => { errors: ['Forbidden'] }.to_json, status: 403
+    end
+  end
+
   def thread_with_auth_info
+    Thread.current[:api_url_base] = root_url.sub(/\/$/,'') + '/arvados/v1'
     begin
       user = nil
       api_client = nil
@@ -239,7 +255,7 @@ class ApplicationController < ActionController::Base
           includes(:api_client, :user).
           where('api_token=? and (expires_at is null or expires_at > now())', supplied_token).
           first
-        if api_client_auth
+        if api_client_auth.andand.user
           session[:user_id] = api_client_auth.user.id
           session[:api_client_uuid] = api_client_auth.api_client.andand.uuid
           session[:api_client_authorization_id] = api_client_auth.id
@@ -310,27 +326,6 @@ class ApplicationController < ActionController::Base
     end
   end
 
-  def uncamelcase_params_hash_keys
-    self.params = uncamelcase_hash_keys(params)
-  end
-  def uncamelcase_hash_keys(h, max_depth=-1)
-    if h.is_a? Hash and max_depth != 0
-      nh = Hash.new
-      h.each do |k,v|
-        if k.class == String
-          nk = k.underscore
-        elsif k.class == Symbol
-          nk = k.to_s.underscore.to_sym
-        else
-          nk = k
-        end
-        nh[nk] = uncamelcase_hash_keys(v, max_depth-1)
-      end
-      h.replace(nh)
-    end
-    h
-  end
-
   def render_list
     @object_list = {
       :kind  => "arvados##{resource_name}List",
@@ -338,7 +333,7 @@ class ApplicationController < ActionController::Base
       :self_link => "",
       :next_page_token => "",
       :next_link => "",
-      :items => @objects.as_api_response(:superuser)
+      :items => @objects.as_api_response(nil)
     }
     render json: @object_list
   end
@@ -360,4 +355,9 @@ class ApplicationController < ActionController::Base
       order: { type: 'string', required: false }
     }
   end
+  
+  def client_accepts_plain_text_stream
+    (request.headers['Accept'].split(' ') &
+     ['text/plain', '*/*']).count > 0
+  end
 end