X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/f965ac6ef1176c985fcc278d6501c4c72f58029c..f15c51d123da2db1deeeb0e76685cf17eb56e039:/services/api/app/models/arvados_model.rb diff --git a/services/api/app/models/arvados_model.rb b/services/api/app/models/arvados_model.rb index 5a9d43f82d..0828d01687 100644 --- a/services/api/app/models/arvados_model.rb +++ b/services/api/app/models/arvados_model.rb @@ -254,65 +254,50 @@ class ArvadosModel < ActiveRecord::Base # Collect the UUIDs of the authorized users. sql_table = kwargs.fetch(:table_name, table_name) - include_trashed = kwargs.fetch(:include_trashed, false) + include_trash = kwargs.fetch(:include_trash, false) + query_on = kwargs.fetch(:query_on, self) sql_conds = [] user_uuids = users_list.map { |u| u.uuid } - User.install_view('permission') - - # Check if any of the users are admin. if users_list.select { |u| u.is_admin }.any? - if !include_trashed - # exclude rows that are trashed. - if self.column_names.include? "owner_uuid" - sql_conds += ["NOT EXISTS(SELECT target_uuid - FROM permission_view pv - WHERE trashed = 1 AND - (#{sql_table}.uuid = pv.target_uuid OR #{sql_table}.owner_uuid = pv.target_uuid))"] - else - sql_conds += ["NOT EXISTS(SELECT target_uuid - FROM permission_view pv + if !include_trash + # exclude rows that are explicitly trashed. + if sql_table != "api_client_authorizations" + sql_conds.push "NOT EXISTS(SELECT 1 + FROM #{PERMISSION_VIEW} WHERE trashed = 1 AND - (#{sql_table}.uuid = pv.target_uuid))"] + (#{sql_table}.uuid = target_uuid OR #{sql_table}.owner_uuid = target_uuid))" end end else - # Match objects which appear in the permission view - trash_clause = if !include_trashed then "trashed = 0 AND" else "" end - - # Match any object (evidently a group or user) whose UUID is - # listed explicitly in user_uuids. - sql_conds += ["#{sql_table}.uuid IN (:user_uuids)"] - - if self.column_names.include? "owner_uuid" - sql_conds += ["EXISTS(SELECT target_uuid - FROM permission_view pv - WHERE user_uuid IN (:user_uuids) AND perm_level >= 1 AND #{trash_clause} - (#{sql_table}.uuid = pv.target_uuid OR - (#{sql_table}.owner_uuid = pv.target_uuid AND pv.target_owner_uuid is NOT NULL)))"] - # Match any object whose owner is listed explicitly in - # user_uuids. - sql_conds += ["#{sql_table}.owner_uuid IN (:user_uuids)"] + if include_trash + trashed_check = "" + else + trashed_check = "AND trashed = 0" + end + + if sql_table != "api_client_authorizations" and sql_table != "groups" + owner_check = "OR (target_uuid = #{sql_table}.owner_uuid AND target_owner_uuid IS NOT NULL)" else - sql_conds += ["EXISTS(SELECT target_uuid - FROM permission_view pv - WHERE user_uuid IN (:user_uuids) AND perm_level >= 1 AND #{trash_clause} - (#{sql_table}.uuid = pv.target_uuid))"] + owner_check = "" end + sql_conds.push "EXISTS(SELECT 1 FROM #{PERMISSION_VIEW} "+ + "WHERE user_uuid IN (:user_uuids) AND perm_level >= 1 #{trashed_check} AND (target_uuid = #{sql_table}.uuid #{owner_check}))" + if sql_table == "links" # Match any permission link that gives one of the authorized # users some permission _or_ gives anyone else permission to # view one of the authorized users. - sql_conds += ["(#{sql_table}.link_class IN (:permission_link_classes) AND "+ - "(#{sql_table}.head_uuid IN (:user_uuids) OR #{sql_table}.tail_uuid IN (:user_uuids)))"] + sql_conds.push "(#{sql_table}.link_class IN (:permission_link_classes) AND "+ + "(#{sql_table}.head_uuid IN (:user_uuids) OR #{sql_table}.tail_uuid IN (:user_uuids)))" end end - where(sql_conds.join(' OR '), - user_uuids: user_uuids, - permission_link_classes: ['permission', 'resources']) + query_on.where(sql_conds.join(' OR '), + user_uuids: user_uuids, + permission_link_classes: ['permission', 'resources']) end def save_with_unique_name!