Merge branch '18691-freeze-project'

refs #18691

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>

diff --combined lib/config/config.default.yml
index 0a8f55244b905cb48a56a4b994733534e8a5fd53,656385cc1c0e75ff61230e8725c3b2c33cfa3192..8bbc33ba08493b2147148e1fcdb8538a4a991c52
--- 1/lib/config/config.default.yml
--- 2/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@@ -240,6 -240,18 +240,18 @@@ Clusters
        # https://doc.arvados.org/admin/metadata-vocabulary.html
        VocabularyPath: ""
  
+       # If true, a project must have a non-empty description field in
+       # order to be frozen.
+       FreezeProjectRequiresDescription: false
+ 
+       # Project properties that must have non-empty values in order to
+       # freeze a project. Example: {"property_name": true}
+       FreezeProjectRequiresProperties: {}
+ 
+       # If true, only an admin user can un-freeze a project. If false,
+       # any user with "manage" permission can un-freeze.
+       UnfreezeProjectRequiresAdmin: false
+ 
      Users:
        # Config parameters to automatically setup new users.  If enabled,
        # this users will be able to self-activate.  Enable this if you want
@@@ -903,6 -915,11 +915,6 @@@
        # If false, containers are scheduled on preemptible instances
        # only when requested by the submitter.
        #
 -      # Note that arvados-cwl-runner does not currently offer a
 -      # feature to request preemptible instances, so this value
 -      # effectively acts as a cluster-wide decision about whether to
 -      # use preemptible instances.
 -      #
        # This flag is ignored if no preemptible instance types are
        # configured, and has no effect on top-level containers.
        AlwaysUsePreemptibleInstances: true

diff --combined services/api/app/models/user.rb
index 811cd89758d9ef8642be5382c9bac54b4f649134,44e6ca7578b0efa630070296fb114ba33d82e676..bbb2378f5c56becac22646212beb343549da5170
--- 1/services/api/app/models/user.rb
--- 2/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@@ -21,7 -21,6 +21,7 @@@ class User < ArvadosMode
              uniqueness: true,
              allow_nil: true)
    validate :must_unsetup_to_deactivate
 +  validate :identity_url_nil_if_empty
    before_update :prevent_privilege_escalation
    before_update :prevent_inactive_admin
    before_update :verify_repositories_empty, :if => Proc.new {
@@@ -87,6 -86,7 +87,7 @@@
    VAL_FOR_PERM =
      {:read => 1,
       :write => 2,
+      :unfreeze => 3,
       :manage => 3}
  
  
@@@ -141,6 -141,23 +142,23 @@@ SELECT 1 FROM #{PERMISSION_VIEW
                    ).any?
          return false
        end
+ 
+       if action == :write
+         if FrozenGroup.where(uuid: [target_uuid, target_owner_uuid]).any?
+           # self or parent is frozen
+           return false
+         end
+       elsif action == :unfreeze
+         # "unfreeze" permission means "can write, but only if
+         # explicitly un-freezing at the same time" (see
+         # ArvadosModel#ensure_owner_uuid_is_permitted). If the
+         # permission query above passed the permission level of
+         # :unfreeze (which is the same as :manage), and the parent
+         # isn't also frozen, then un-freeze is allowed.
+         if FrozenGroup.where(uuid: target_owner_uuid).any?
+           return false
+         end
+       end
      end
      true
    end
@@@ -811,10 -828,4 +829,10 @@@ SELECT target_uuid, perm_leve
        repo.save!
      end
    end
 +
 +  def identity_url_nil_if_empty
 +    if identity_url == ""
 +      self.identity_url = nil
 +    end
 +  end
  end