14807: Fix admin permissions for containers.
author Tom Clegg <tclegg@veritasgenetics.com>
Tue, 19 Feb 2019 22:28:26 +0000 (17:28 -0500)
committer Tom Clegg <tclegg@veritasgenetics.com>
Tue, 19 Feb 2019 22:28:26 +0000 (17:28 -0500)
Admins are allowed to see all containers, even ones that aren't
associated with any container request.

Otherwise, when a container request retries, even the dispatcher can't
see the previously assigned container, and therefore never learns that
the container is supposed to be cancelled.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg@veritasgenetics.com>

services/api/app/models/container.rb
services/api/test/unit/container_test.rb

index bd586907ee2eaf205616251be126bc7cf9c94b09..0682676c5ccc2d7f7f738c2f99971447f1456be9 100644 (file)
@@ -375,6 +375,9 @@ class Container < ArvadosModel
     else
       kwargs = {}
     end
+    if users_list.select { |u| u.is_admin }.any?
+      return super
+    end
     Container.where(ContainerRequest.readable_by(*users_list).where("containers.uuid = container_requests.container_uuid").exists)
   end
 
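Review bot: the new `return super` sits after the branch that sets `kwargs`, and bare `super` forwards the current values of this method's own parameters, not the local `kwargs`. If the lines above this hunk took an options hash out of `users_list`, the superclass `readable_by` will not receive it on the admin path. Passing the arguments explicitly would make the intent clear. The check itself reads more directly as `users_list.any? { |u| u.is_admin }`, which avoids building an intermediate array. Since this branch widens what is returned to every container as soon as any one user in the list is an admin, a short comment stating that this is intended (and why, per the commit message) would help the next reader of this permission code.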
index 2a9ff5bf4cc6985a413f62a03d7b9555e9c0f938..dac08d4b69bdbf32b58e9a416cf4a83aa3a4fe7a 100644 (file)
@@ -677,6 +677,14 @@ class ContainerTest < ActiveSupport::TestCase
     assert_equal 1, Container.readable_by(users(:active)).where(state: "Queued").count
   end
 
+  test "Containers with no matching request are readable by admin" do
+    uuids = Container.includes('container_requests').where(container_requests: {uuid: nil}).collect(&:uuid)
+    assert_not_empty uuids
+    assert_empty Container.readable_by(users(:active)).where(uuid: uuids)
+    assert_not_empty Container.readable_by(users(:admin)).where(uuid: uuids)
+    assert_equal uuids.count, Container.readable_by(users(:admin)).where(uuid: uuids).count
+  end
+
   test "Container locked cancel" do
     set_user_from_auth :active
     c, _ = minimal_new
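Review bot: the new test only calls `readable_by` with a single user, so the `any?` behaviour of the admin check over a mixed list is not covered. An extra assertion such as `Container.readable_by(users(:active), users(:admin)).where(uuid: uuids)` would pin down what a list containing both a non-admin and an admin should return. The `assert_not_empty` on the admin scope is also implied by the `assert_equal uuids.count, ...` line that follows it, given `uuids` has already been asserted non-empty, so one of the two can go.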