user = User.find_by_identity_url(omniauth['info']['identity_url'])
if not user
# New user registration
- user = User.create!(:email => omniauth['info']['email'],
- :first_name => omniauth['info']['first_name'],
- :last_name => omniauth['info']['last_name'],
- :identity_url => omniauth['info']['identity_url'])
+ user = User.new(:email => omniauth['info']['email'],
+ :first_name => omniauth['info']['first_name'],
+ :last_name => omniauth['info']['last_name'],
+ :identity_url => omniauth['info']['identity_url'])
+ Thread.current[:user] = user # prevents OrvosModel#before_create
+ # from throwing "unauthorized"
+ user.save!
else
user.email = omniauth['info']['email']
user.first_name = omniauth['info']['first_name']
end
self.last_ping_at = Time.now
+ @bypass_orvos_authorization = true
+
# Record IP address
if self.ip_address.nil?
logger.info "#{self.uuid} ip_address= #{o[:ip]}"
end
def start!(ping_url_method)
+ ensure_permission_to_update
ping_url = ping_url_method.call({ uuid: self.uuid, ping_secret: self.info[:ping_secret] })
cmd = ["ec2-run-instances",
"--user-data '#{ping_url}'",
end
end
end
+
+ def permission_to_update
+ @bypass_orvos_authorization or super
+ end
+
+ def permission_to_create
+ current_user and current_user.is_admin
+ end
end
attr_protected :modified_by_user
attr_protected :modified_by_client
attr_protected :modified_at
- before_update :permission_to_update
+ before_create :ensure_permission_to_create
+ before_update :ensure_permission_to_update
before_create :update_modified_by_fields
before_update :update_modified_by_fields
protected
+ def ensure_permission_to_create
+ raise "Permission denied" unless permission_to_create
+ end
+
+ def permission_to_create
+ current_user
+ end
+
+ def ensure_permission_to_update
+ raise "Permission denied" unless permission_to_update
+ end
+
def permission_to_update
if !current_user
logger.warn "Anonymous user tried to update #{self.class.to_s} #{self.uuid_was}"
protected
+ def permission_to_create
+ Thread.current[:user] == self or
+ (Thread.current[:user] and Thread.current[:user].is_admin)
+ end
+
def prevent_privilege_escalation
if self.is_admin_changed? and !current_user.is_admin
if current_user.uuid == self.uuid