16683: Check that remote cluster id is presumed valid

author Peter Amstutz <peter.amstutz@curii.com>

Fri, 14 Aug 2020 13:57:53 +0000 (09:57 -0400)

committer Peter Amstutz <peter.amstutz@curii.com>

Fri, 14 Aug 2020 13:57:53 +0000 (09:57 -0400)
author Peter Amstutz <peter.amstutz@curii.com>
Fri, 14 Aug 2020 13:57:53 +0000 (09:57 -0400)
committer Peter Amstutz <peter.amstutz@curii.com>
Fri, 14 Aug 2020 13:57:53 +0000 (09:57 -0400)
diff --git a/services/api/app/models/link.rb b/services/api/app/models/link.rb

index 7f4433dd703861bf7f6e5a231d6021b95cd3f883..0d7334e44e85440d37a530e6316d338f125b92aa 100644 (file)
--- a/services/api/app/models/link.rb
+++ b/services/api/app/models/link.rb
@@ -48,6 +48,7 @@ class Link < ArvadosModel
         !attr_value.nil? &&
         self.link_class == 'permission' &&
         attr_value[0..4] != Rails.configuration.ClusterID &&
+       ApiClientAuthorization.remote_host(uuid_prefix: attr_value[0..4]) &&
         ArvadosModel::resource_class_for_uuid(attr_value) == User
        # Permission link tail is a remote user (the user permissions
        # are being granted to), so bypass the standard check that a
author	Peter Amstutz <peter.amstutz@curii.com>
	Fri, 14 Aug 2020 13:57:53 +0000 (09:57 -0400)
committer	Peter Amstutz <peter.amstutz@curii.com>
	Fri, 14 Aug 2020 13:57:53 +0000 (09:57 -0400)