Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>
def can_write
if respond_to?(:frozen_by_uuid) && frozen_by_uuid
def can_write
if respond_to?(:frozen_by_uuid) && frozen_by_uuid
+ # This special case is needed to return the correct value from a
+ # "freeze project" API, during which writable status changes
+ # from true to false.
+ #
+ # current_user.can?(write: self) returns true (which is correct
+ # in the context of permission-checking hooks) but the can_write
+ # value we're returning to the caller here represents the state
+ # _after_ the update, i.e., false.
- return owner_uuid == current_user.uuid ||
- current_user.is_admin ||
- current_user.can?(write: uuid)
+ return current_user.can?(write: self)
- return owner_uuid == current_user.uuid ||
- current_user.is_admin ||
- current_user.can?(manage: uuid)
+ return current_user.can?(manage: self)
end
# Return a query with read permissions restricted to the union of the
end
# Return a query with read permissions restricted to the union of the
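Review bot: The new `return current_user.can?(write: self)` and `return current_user.can?(manage: self)` lines drop the `owner_uuid == current_user.uuid || current_user.is_admin` short-circuit without a comment saying why, and the added comment covers only the frozen branch. If the intent is that owners and admins now go through the same frozen-project evaluation as everyone else, say so on the new return, e.g. `# No owner/admin shortcut: can? must see the object itself so frozen state is honoured for every caller.` Passing `self` instead of `uuid` also means the check runs against the in-memory record, so confirm that no caller reads `can_write` or `can_manage` while the record holds unsaved changes to `owner_uuid`. The frozen branch's own return and the second method's signature are not shown in these lines.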
end
next if target_uuid == self.uuid
end
next if target_uuid == self.uuid
+ if action == :write && target && !target.new_record? &&
+ target.respond_to?(:frozen_by_uuid) &&
+ target.frozen_by_uuid_was
+ # Just an optimization to skip the PERMISSION_VIEW and
+ # FrozenGroup queries below
+ return false
+ end
+
target_owner_uuid = target.owner_uuid if target.respond_to? :owner_uuid
user_uuids_subquery = USER_UUIDS_SUBQUERY_TEMPLATE % {user: "$1", perm_level: "$3"}
target_owner_uuid = target.owner_uuid if target.respond_to? :owner_uuid
user_uuids_subquery = USER_UUIDS_SUBQUERY_TEMPLATE % {user: "$1", perm_level: "$3"}
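Review bot: The comment on the added `return false` calls it "just an optimization", but it is a permission denial, and its two key choices go unexplained: it reads the persisted value (`frozen_by_uuid_was`) and it applies only to `action == :write`. Using `_was` looks deliberate, so that the request which sets `frozen_by_uuid` is itself still permitted, yet the next line reads the in-memory `target.owner_uuid`, and that asymmetry deserves a sentence. Suggested wording: `# Deny writes to an already-frozen target; uses the persisted value (_was) so the freeze request itself passes.` followed by `# The PERMISSION_VIEW / FrozenGroup queries below are expected to deny as well; this only skips them.` It would also help to state whether `:manage` on a frozen target is meant to fall through to the queries below, since the `can?(manage: self)` call in the earlier hunk appears to route here. The enclosing method starts and ends outside this hunk.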