19513: Rename flag to CanCreateRoleGroups, add test case. 19513-create-role-admin-only
authorTom Clegg <tom@curii.com>
Fri, 2 Dec 2022 20:09:55 +0000 (15:09 -0500)
committerTom Clegg <tom@curii.com>
Fri, 2 Dec 2022 20:09:55 +0000 (15:09 -0500)
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>

doc/api/permission-model.html.textile.liquid
doc/user/topics/arvados-sync-external-sources.html.textile.liquid
lib/config/config.default.yml
lib/config/export.go
sdk/go/arvados/config.go
services/api/app/models/group.rb
services/api/config/arvados_config.rb
services/api/test/unit/group_test.rb

index d7d5eabd08fb02c8e24960052a80d58bdbe045fd..2d589e2709e9b2fdd66e1fade52c747cc8752340 100644 (file)
@@ -78,7 +78,7 @@ A "role" is a subtype of Group that is treated in Workbench as a group of users
 * The name of a role is unique across a single Arvados cluster.
 * Roles can be both targets (@head_uuid@) and origins (@tail_uuid@) of permission links.
 * By default, all roles are visible to all active users. However, if the configuration entry @Users.RoleGroupsVisibleToAll@ is @false@, visibility is determined by normal permission rules, _i.e._, a role is only visible to users who have that role, and to admins.
-* By default, any user can create a new role. However, if the configuration entry @Users.CreateRoleGroups@ is @false@, only admins can create roles.
+* By default, any user can create a new role. However, if the configuration entry @Users.CanCreateRoleGroups@ is @false@, only admins can create roles.
 
 h3. Access through Roles
 
index d84995d5bd3a34b46aa3700d580ffd7579c61586..53a79ea23eb6e2d4cf032d306702220176170260 100644 (file)
@@ -65,7 +65,7 @@ Users can be identified by their email address or username: the tool will check
 
 Permission level can be one of the following: @can_read@, @can_write@ or @can_manage@, giving the group member read, read/write or managing privileges on the group. For backwards compatibility purposes, if any record omits the third (permission) field, it will default to @can_write@ permission. You can read more about permissions on the "group management admin guide":{{ site.baseurl }}/admin/group-management.html.
 
-When using @arvados-sync-groups@, consider setting @Users.CreateRoleGroups: false@ in your "cluster configuration":{{site.baseurl}}/admin/config.html to prevent users from creating additional groups.
+When using @arvados-sync-groups@, consider setting @Users.CanCreateRoleGroups: false@ in your "cluster configuration":{{site.baseurl}}/admin/config.html to prevent users from creating additional groups.
 
 h2. Options
 
index 1a0191797ad925b95b228b8211a703476bc8cc02..47d5ce22092ec3b54c61f28c18f1931c91597d73 100644 (file)
@@ -373,11 +373,11 @@ Clusters:
       # cluster.
       RoleGroupsVisibleToAll: true
 
-      # If CreateRoleGroups is true, regular (non-admin) users can
+      # If CanCreateRoleGroups is true, regular (non-admin) users can
       # create new role groups.
       #
       # If false, only admins can create new role groups.
-      CreateRoleGroups: true
+      CanCreateRoleGroups: true
 
       # During each period, a log entry with event_type="activity"
       # will be recorded for each user who is active during that
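Review bot: Renaming a restrictive policy key without a compatibility mapping means any cluster that already sets `Users.CreateRoleGroups: false` will, after upgrade, either fail config validation or silently fall back to the permissive default `CanCreateRoleGroups: true` — which of the two happens depends on how the loader treats unknown keys, which is not visible here. If `CreateRoleGroups` has only existed on this feature branch and never shipped in a release, this is moot and a one-line note in the commit message saying so would settle it; otherwise the old key should be accepted as a deprecated alias with a warning until it is removed. The same rename appears in the export.go whitelist, config.go, group.rb and arvados_config.rb hunks, so the alias belongs wherever the project handles deprecated keys, not in those hunks.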
index 14139e85044fb354884004906b0e3b674762e00d..069e300c5b4d0f6eb72175a6d311670ab5fa9fd4 100644 (file)
@@ -236,7 +236,7 @@ var whitelist = map[string]bool{
        "Users.AutoSetupNewUsersWithRepository":               false,
        "Users.AutoSetupNewUsersWithVmUUID":                   false,
        "Users.AutoSetupUsernameBlacklist":                    false,
-       "Users.CreateRoleGroups":                              true,
+       "Users.CanCreateRoleGroups":                           true,
        "Users.EmailSubjectPrefix":                            false,
        "Users.NewInactiveUserNotificationRecipients":         false,
        "Users.NewUserNotificationRecipients":                 false,
index 1257d7a838d9b5774d50dcd72dd8df3a1c4b5035..fbbcb78ec2991b00aca4f4b2f4e94fb7ac209760 100644 (file)
@@ -249,7 +249,7 @@ type Cluster struct {
                PreferDomainForUsername               string
                UserSetupMailText                     string
                RoleGroupsVisibleToAll                bool
-               CreateRoleGroups                      bool
+               CanCreateRoleGroups                   bool
                ActivityLoggingPeriod                 Duration
        }
        StorageClasses map[string]StorageClassConfig
index 81161e24dab7bfc9f6525afd6d94dbe56c391281..85855fda97271a2cbfc855fef5d0862fa2a7122e 100644 (file)
@@ -272,7 +272,7 @@ class Group < ArvadosModel
     if !super
       return false
     elsif group_class == "role" &&
-       !Rails.configuration.Users.CreateRoleGroups &&
+       !Rails.configuration.Users.CanCreateRoleGroups &&
        !current_user.andand.is_admin
       raise PermissionDeniedError.new("this cluster does not allow users to create role groups")
     else
index a7abf819cbed666f425e39584bcfc7900656c42d..c47eeb55146221d0c9a06ce7fcfd006e0dcee626 100644 (file)
@@ -106,7 +106,7 @@ arvcfg.declare_config "Users.UserNotifierEmailFrom", String, :user_notifier_emai
 arvcfg.declare_config "Users.UserNotifierEmailBcc", Hash
 arvcfg.declare_config "Users.NewUserNotificationRecipients", Hash, :new_user_notification_recipients, ->(cfg, k, v) { arrayToHash cfg, "Users.NewUserNotificationRecipients", v }
 arvcfg.declare_config "Users.NewInactiveUserNotificationRecipients", Hash, :new_inactive_user_notification_recipients, method(:arrayToHash)
-arvcfg.declare_config "Users.CreateRoleGroups", Boolean
+arvcfg.declare_config "Users.CanCreateRoleGroups", Boolean
 arvcfg.declare_config "Users.RoleGroupsVisibleToAll", Boolean
 arvcfg.declare_config "Login.LoginCluster", String
 arvcfg.declare_config "Login.TrustedClients", Hash
index 33ad0ecdf62cc5c1e4b60dfde3ceed27777334bb..a0c375a6f93c431dfe26c27e75a3deeff850cd90 100644 (file)
@@ -538,9 +538,10 @@ update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}'
     [false, :active, false],
     [true, :admin, true],
     [true, :active, true],
+    [true, :inactive, false],
   ].each do |conf, user, allowed|
-    test "config.Users.CreateRoleGroups conf=#{conf}, user=#{user}" do
-      Rails.configuration.Users.CreateRoleGroups = conf
+    test "config.Users.CanCreateRoleGroups conf=#{conf}, user=#{user}" do
+      Rails.configuration.Users.CanCreateRoleGroups = conf
       act_as_user users(user) do
         if allowed
           Group.create!(name: 'admin-created', group_class: 'role')
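Review bot: The new `[true, :inactive, false]` case exercises a different rejection path than the other three `allowed=false` cases: with the flag enabled, the `CanCreateRoleGroups` branch in Group never fires for an inactive user, so the denial presumably comes from the base `permission_to_create` check (`if !super return false`) rather than the "this cluster does not allow users to create role groups" error. If the `else` branch below (outside the hunk) asserts on that specific message, this case will fail; if it only asserts `PermissionDeniedError`, it passes but for a reason the table does not make obvious. Add a comment on the new row, e.g. `# inactive users are refused by the base permission check regardless of the flag`, and consider the symmetric `[false, :inactive, false]` row so both paths are covered. The `each` block continues past the end of the hunk.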