fix permissions to accommodate nodes#ping and user_sessions#create exemptions
authorTom Clegg <tom@clinicalfuture.com>
Thu, 31 Jan 2013 20:30:20 +0000 (12:30 -0800)
committerTom Clegg <tom@clinicalfuture.com>
Thu, 31 Jan 2013 20:30:20 +0000 (12:30 -0800)
app/controllers/user_sessions_controller.rb
app/models/node.rb
app/models/orvos_model.rb
app/models/user.rb

index 31f691d333dbb951d1547d3b447a0a54b892f824..f941cb065329e293de2de7351118b5f71cbed57a 100644 (file)
@@ -25,10 +25,13 @@ class UserSessionsController < ApplicationController
     user = User.find_by_identity_url(omniauth['info']['identity_url'])
     if not user
       # New user registration
-      user = User.create!(:email => omniauth['info']['email'],
-                          :first_name => omniauth['info']['first_name'],
-                          :last_name => omniauth['info']['last_name'],
-                          :identity_url => omniauth['info']['identity_url'])
+      user = User.new(:email => omniauth['info']['email'],
+                      :first_name => omniauth['info']['first_name'],
+                      :last_name => omniauth['info']['last_name'],
+                      :identity_url => omniauth['info']['identity_url'])
+      Thread.current[:user] = user # prevents OrvosModel#before_create
+                                   # from throwing "unauthorized"
+      user.save!
     else
       user.email = omniauth['info']['email']
       user.first_name = omniauth['info']['first_name']
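Review bot: `Thread.current[:user] = user` is assigned before `user.save!`, so if the save raises (a validation failure, for instance) the thread-local keeps pointing at an unsaved User. Nothing in this hunk clears it, and on a server that reuses threads the value may outlive the request unless it is reset per request somewhere not visible here. Consider clearing it on failure: `rescue ActiveRecord::RecordInvalid`, then `Thread.current[:user] = nil` and `raise`. The inline comment could also say that this assignment is what satisfies `User#permission_to_create`, so the coupling between the two files is visible at the call site. The enclosing action starts and ends outside the hunk.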
index 2333d80544607cfe015fcdd7023aac123b2a2127..c10e076ef0fbcb64fde69cf3bf13378d14ceebca 100644 (file)
@@ -61,6 +61,8 @@ class Node < OrvosModel
     end
     self.last_ping_at = Time.now
 
+    @bypass_orvos_authorization = true
+
     # Record IP address
     if self.ip_address.nil?
       logger.info "#{self.uuid} ip_address= #{o[:ip]}"
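Review bot: `@bypass_orvos_authorization = true` is set on the instance and never reset in the visible lines, so every later update of the same Node object skips the `super` check in `permission_to_update`. It also satisfies the `ensure_permission_to_update` guard added to `start!` in the next hunk. The bypass should cover only the save that records the ping, for example by clearing it right after that save with `@bypass_orvos_authorization = false`. Whether the assignment comes after the ping_secret comparison cannot be confirmed from here, because the method starts and ends outside the hunk. It should, and a comment such as `# ping_secret verified above: allow this one unauthenticated update` would record that.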
@@ -97,6 +99,7 @@ class Node < OrvosModel
   end
 
   def start!(ping_url_method)
+    ensure_permission_to_update
     ping_url = ping_url_method.call({ uuid: self.uuid, ping_secret: self.info[:ping_secret] })
     cmd = ["ec2-run-instances",
            "--user-data '#{ping_url}'",
@@ -162,4 +165,12 @@ class Node < OrvosModel
       end
     end
   end
+
+  def permission_to_update
+    @bypass_orvos_authorization or super
+  end
+
+  def permission_to_create
+    current_user and current_user.is_admin
+  end
 end
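Review bot: The two overrides added at the end of `Node` may be public, because no visibility keyword precedes them in this hunk, whereas the base-class versions sit under `protected` in OrvosModel. The rest of the class is outside the hunk, so this needs checking. If no `protected` is in effect, add one before `def permission_to_update` so the permission checks cannot be called from outside the model. `permission_to_update` also deserves a comment naming the one place that sets the flag, e.g. `# true only while Node#ping saves its own record`.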
index 411296c127a25764ae3f931793ffd384678df112..7ed6e4e5bfa145383caaa1e69665f81e3390034e 100644 (file)
@@ -7,7 +7,8 @@ class OrvosModel < ActiveRecord::Base
   attr_protected :modified_by_user
   attr_protected :modified_by_client
   attr_protected :modified_at
-  before_update :permission_to_update
+  before_create :ensure_permission_to_create
+  before_update :ensure_permission_to_update
   before_create :update_modified_by_fields
   before_update :update_modified_by_fields
 
@@ -30,6 +31,18 @@ class OrvosModel < ActiveRecord::Base
 
   protected
 
+  def ensure_permission_to_create
+    raise "Permission denied" unless permission_to_create
+  end
+
+  def permission_to_create
+    current_user
+  end
+
+  def ensure_permission_to_update
+    raise "Permission denied" unless permission_to_update
+  end
+
   def permission_to_update
     if !current_user
       logger.warn "Anonymous user tried to update #{self.class.to_s} #{self.uuid_was}"
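Review bot: `raise "Permission denied"` in both `ensure_permission_to_create` and `ensure_permission_to_update` raises a plain RuntimeError, so a caller cannot tell an authorization failure from any other runtime error and will likely answer with a 500 rather than a 403. A dedicated exception class (name constructed here: `PermissionDeniedError < StandardError`), raised as `raise PermissionDeniedError unless permission_to_create`, lets controllers rescue it specifically. The default `permission_to_create` returns `current_user`, so any authenticated user may create any subclass that does not override it. A comment such as `# default: any authenticated user may create; override to restrict` would make that choice explicit. `permission_to_update` continues past the end of the hunk.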
index 08663f61d5701fae0dd28cd994c3a2dedbe9ccaa..de9ed57bc2668d95ddb8c55aa547004fa57b977e 100644 (file)
@@ -22,6 +22,11 @@ class User < OrvosModel
 
   protected
 
+  def permission_to_create
+    Thread.current[:user] == self or
+      (Thread.current[:user] and Thread.current[:user].is_admin)
+  end
+
   def prevent_privilege_escalation
     if self.is_admin_changed? and !current_user.is_admin
       if current_user.uuid == self.uuid
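Review bot: The first clause of `permission_to_create`, `Thread.current[:user] == self`, lets a record authorize its own creation. In that state `current_user` is presumably the record itself, so the `!current_user.is_admin` test in `prevent_privilege_escalation` below would be evaluated against the object being saved. The controller in this commit passes only email, names and identity_url, but it is worth confirming that `is_admin` cannot be set on a self-created user, for example with `(Thread.current[:user].equal?(self) and !is_admin) or ...`, unless a bootstrap path relies on it. `equal?` also makes the intended object-identity test explicit. `prevent_privilege_escalation` continues outside the hunk.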