def index
@objects ||= model_class.
joins("LEFT JOIN metadata permissions ON permissions.tail=#{table_name}.uuid AND permissions.head=#{model_class.sanitize current_user.uuid} AND permissions.metadata_class='permission' AND permissions.name='visible_to'").
- where("#{table_name}.created_by_user=? OR permissions.head IS NOT NULL",
- current_user.uuid)
+ where("#{table_name}.created_by_user=? OR #{table_name}.uuid=? OR permissions.head IS NOT NULL",
+ current_user.uuid, current_user.uuid)
if params[:where]
where = params[:where]
where = JSON.parse(where) if where.is_a?(String)
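Review bot: The new `OR #{table_name}.uuid=?` clause on the where line is not explained; since this query appears to run for every model_class served by the generic index (inferred from `model_class`/`table_name`), a reader cannot tell it is meant to let a user read their own User record rather than being a general visibility rule. Add a comment above the where call such as `# A user can always read the object whose uuid is their own (their User record).` The change keeps user-supplied values in bind parameters while interpolating only `table_name` and a sanitized `current_user.uuid` into the join, which is the right pattern. The `index` method continues past the end of the hunk.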
--- /dev/null
+class UsersController < ApplicationController
+end
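Review bot: `UsersController` defines no actions, so everything it serves comes from `ApplicationController`; together with the `resources :users` route added at the end of this diff, that exposes whatever generic index/show/create/update/destroy actions the base controller implements for the User model (the generic `index` at the top of this diff suggests that pattern, but the full action set is not visible here). If some of those actions should not be available for users — create and destroy by non-admins in particular — this class needs to restrict them explicitly, for example with a `before_filter` that rejects non-admin callers on those actions. Either way, a one-line comment stating that the CRUD behaviour is inherited from ApplicationController would save the next reader a search.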
-class Log < ActiveRecord::Base
+class Log < OrvosModel
include AssignUuid
include KindAndEtag
include CommonApiTemplate
include KindAndEtag
include CommonApiTemplate
serialize :info, Hash
+ before_create :permission_to_attach_to_objects
+ before_update :permission_to_attach_to_objects
api_accessible :superuser, :extend => :common do |t|
t.add :tail_kind
@info ||= Hash.new
super
end
+
+ protected
+
+ def permission_to_attach_to_objects
+ # Anonymous users cannot write metadata
+ return false if !current_user
+
+ # All users can write metadata that doesn't affect permissions
+ return true if self.metadata_class != 'permission'
+
+ # Administrators can grant permissions
+ return true if current_user.is_admin
+
+ # All users can grant permissions on objects they created themselves
+ head_obj = self.class.
+ kind_class(self.head_kind).
+ where('uuid=?',head_uuid).
+ first
+ if head_obj
+ return true if head_obj.created_by_user == current_user.uuid
+ end
+
+ # Users with "can_manage" permission on an object can grant
+ # permissions on that object
+ has_manage_permission = self.class.
+ where('metadata_class=? AND name=? AND tail=? AND head=?',
+ 'permission', 'can_manage', current_user.uuid, self.head).
+ count > 0
+ return true if has_manage_permission
+
+ # Default = deny.
+ false
+ end
end
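Review bot: `where('uuid=?',head_uuid)` in permission_to_attach_to_objects reads `head_uuid`, while the can_manage lookup a few lines later reads `self.head`; unless `head_uuid` is an attribute or alias defined outside this diff, this raises NameError on every permission write instead of denying, so either use `self.head` in both places or document where `head_uuid` comes from. The edge direction also disagrees with `permission_to_update` in OrvosModel later in this diff: here `can_manage` is looked up with `tail: current_user.uuid, head: self.head` (user→object), there `can_write` with `tail: self.uuid, head: current_user.uuid` (object→user), and the controller's `visible_to` join uses object→user as well; if the direction is intended to differ per permission name, state that in a comment on this method, otherwise one of the lookups can never match. Minor: `return false if !current_user` reads better as `return false unless current_user`, and denying by returning false relies on the pre-Rails-5 convention that a false return halts the callback chain, which is worth a comment since nothing here asserts the framework version.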
attr_protected :modified_by_client
attr_protected :modified_at
before_create :initialize_created_by_fields
+ before_update :permission_to_update
before_update :update_modified_by_fields
def self.kind_class(kind)
protected
+ def permission_to_update
+ return false unless current_user
+ self.created_by_user == current_user.uuid or
+ current_user.is_admin or
+ current_user.uuid == self.uuid or
+ Metadatum.where(metadata_class: 'permission',
+ name: 'can_write',
+ tail: self.uuid,
+ head: current_user.uuid).count > 0
+ end
+
def update_modified_by_fields
if self.changed?
self.modified_at = Time.now
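Review bot: `permission_to_update` is registered only for `before_update`, so a record can still be destroyed (and, for models other than Metadatum, created) without any ownership or can_write check; if the generic controller exposes destroy, that path needs `before_destroy :permission_to_update` (or a dedicated check) next to the `before_update` line added earlier in this diff. The body chains its conditions with `or`, which binds looser than assignment and is the usual precedence trap; `||` is the safe form: `created_by_user == current_user.uuid || current_user.is_admin || uuid == current_user.uuid || Metadatum.where(...).exists?`. The `current_user.uuid == self.uuid` clause grants write access on a user's own User record; that is presumably intentional, but it reads as a generic rule for every model, so a comment stating the intent would help. The enclosing `update_modified_by_fields` method continues past the end of the hunk.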
-class User < ActiveRecord::Base
+class User < OrvosModel
include AssignUuid
include KindAndEtag
include CommonApiTemplate
serialize :prefs, Hash
has_many :api_client_authorizations
+ before_update :prevent_privilege_escalation
api_accessible :superuser, :extend => :common do |t|
t.add :email
"#{first_name} #{last_name}"
end
+ protected
+
+ def prevent_privilege_escalation
+ if self.is_admin_changed?
+ if current_user.uuid == self.uuid
+ if self.is_admin != self.is_admin_was
+ self.is_admin = self.is_admin_was
+ end
+ end
+ end
+ true
+ end
end
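Review bot: `prevent_privilege_escalation` only reverts `is_admin` when a user edits their own record, so a non-admin who is allowed to update another user's record (OrvosModel#permission_to_update, earlier in this diff, permits that via a `can_write` permission) can still set `is_admin` on that other user; the guard should key on the caller's privilege, not only on whose record is being edited. The two inner `if`s are also redundant with `is_admin_changed?`. A replacement is `if is_admin_changed? && (!current_user.is_admin || current_user.uuid == uuid)` / `self.is_admin = is_admin_was` / `end`, which keeps the existing rule that nobody changes their own flag and additionally requires an administrator for anyone else's. Silently reverting instead of halting the save also means the API reports success while ignoring the field; consider returning false so the caller learns the change was refused.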
Server::Application.routes.draw do
resources :api_client_authorizations
-
resources :api_clients
-
resources :logs
resources :projects
resources :specimens
resources :specimens
resources :projects
resources :logs
+ resources :users
match '/schema' => 'schema#show'
match '/nodes/:uuid/ping' => 'nodes#ping', :as => :ping_node
match '/metadata/:tail_kind/:tail' => 'metadata#index'