return false
end
return true if current_user.is_admin
- if self.owner_changed? and
- self.owner_was != current_user.uuid and
- 0 == Link.where(link_class: 'permission',
- name: 'can_pillage',
- tail_uuid: self.owner_was,
- head_uuid: current_user.uuid).count
- logger.warn "User #{current_user.uuid} tried to change owner of #{self.class.to_s} #{self.uuid} to #{self.owner}"
- return false
+ if self.owner_changed?
+ if current_user.uuid == self.owner or
+ current_user.can? write: self.owner
+ # current_user is, or has :write permission on, the new owner
+ else
+ logger.warn "User #{current_user.uuid} tried to change owner of #{self.class.to_s} #{self.uuid} to #{self.owner} but does not have permission to write to #{self.owner}"
+ return false
+ end
end
- if self.owner_was == current_user.uuid or
- current_user.is_admin or
- current_user.uuid == self.uuid or
- Link.where(link_class: 'permission',
- name: 'can_write',
- tail_uuid: self.owner_was,
- head_uuid: current_user.uuid).count > 0
+ if current_user.uuid == self.owner_was or
+ current_user.uuid == self.uuid or
+ current_user.can? write: self.owner_was
+ # current user is, or has :write permission on, the previous owner
return true
else
- logger.warn "User #{current_user.uuid} tried to modify #{self.class.to_s} #{self.uuid} but does not have can_write permission and owner is #{self.owner_was}"
+ logger.warn "User #{current_user.uuid} tried to modify #{self.class.to_s} #{self.uuid} but does not have permission to write #{self.owner_was}"
return false
end
end
self.group_permissions.select { |uuid, mask| mask[verb] }.keys
end
+ def can?(actions)
+ actions.each do |action, target|
+ target_uuid = target
+ if target.respond_to? :uuid
+ target_uuid = target.uuid
+ end
+ next if target_uuid == self.uuid
+ next if (group_permissions[target_uuid] and
+ group_permissions[target_uuid][action])
+ if target.respond_to? :owner
+ next if target.owner == self.uuid
+ next if (group_permissions[target.owner] and
+ group_permissions[target.owner][action])
+ end
+ return false
+ end
+ true
+ end
+
def self.invalidate_permissions_cache
Rails.cache.delete_matched(/^groups_for_user_/)
end
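Review bot: `can?` has no comment stating its contract, and for any target other than the user itself its answer comes entirely from `group_permissions`, a `Rails.cache.fetch` entry with no expiry (the hunk at L63–L69 rekeys it by `self.uuid`), so a permission Link revoked without a matching `invalidate_permissions_cache` call keeps granting `write` here until the cache is cleared — and the owner-change check in the first hunk now depends on exactly this method. I would add above `def can?(actions)`: `# True iff this user may perform every action in +actions+ ({action => uuid-or-object}) on its target: the target (or, for objects, its owner) is this user, or the cached group_permissions mask grants the action. Reads Rails.cache, so code that changes permission Links must call invalidate_permissions_cache.` As a point of style, the `each` loop that exits with `return false` reads more naturally as `all?` over the actions with `any?` over the candidate uuids, and `and` inside a condition is better written `&&`; the restyle below keeps the same lookups and result.
```ruby
def can?(actions)
  actions.all? do |action, target|
    candidates = [target.respond_to?(:uuid) ? target.uuid : target]
    candidates << target.owner if target.respond_to?(:owner)
    candidates.any? do |uuid|
      uuid == self.uuid || (group_permissions[uuid] && group_permissions[uuid][action])
    end
  end
end
```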
end
def group_permissions
- Rails.cache.fetch "groups_for_user_#{current_user.uuid}" do
+ Rails.cache.fetch "groups_for_user_#{self.uuid}" do
permissions_from = {}
todo = {self.uuid => true}
done = {}
def current_default_owner
# owner uuid for newly created objects
((current_api_client_authorization &&
- current_api_client_authorization.default_owner)
- ||
- (current_user && current_user.default_owner)
- ||
- (current_user && current_user.uuid)
- ||
+ current_api_client_authorization.default_owner) ||
+ (current_user && current_user.default_owner) ||
+ (current_user && current_user.uuid) ||
nil)
end