next if (group_permissions[target.owner_uuid] and
group_permissions[target.owner_uuid][action])
end
+ sufficient_perms = case action
+ when :manage
+ ['can_manage']
+ when :write
+ ['can_manage', 'can_write']
+ when :read
+ ['can_manage', 'can_write', 'can_read']
+ else
+ # (Skip this kind of permission opportunity
+ # if action is an unknown permission type)
+ end
+ if sufficient_perms
+ # Check permission links with head_uuid pointing directly at
+ # the target object. If target is a Group, this is redundant
+ # and will fail except [a] if permission caching is broken or
+ # [b] during a race condition, where a permission link has
+ # *just* been added.
+ if Link.where(link_class: 'permission',
+ name: sufficient_perms,
+ tail_uuid: groups_i_can(action) + [self.uuid],
+ head_uuid: target_uuid).any?
+ next
+ end
+ end
return false
end
true
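Review bot: The unknown-action case is denied only implicitly: the `case` has a comment-only `else`, so `sufficient_perms` is nil, the `if sufficient_perms` block is skipped and control reaches `return false`. That fail-closed result is the right one, but it would survive refactoring better if written out, e.g. `else nil # unknown action: no direct-link check, fall through to deny`. Separately, `groups_i_can(action) + [self.uuid]` is rebuilt and a `Link.where(...).any?` query is issued for every target that gets this far; the helper's definition is outside the hunk, so if it is not memoized, consider computing the tail list once before the loop. The enclosing method and loop start above the hunk.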
user: active_no_prefs_profile
api_token: 3kg612cdc0f3415c242856758f33bdfb07bc3561b00e86qdmi
expires_at: 2038-01-01 00:00:00
+
+user_foo_in_sharing_group:
+ api_client: untrusted
+ user: user_foo_in_sharing_group
+ api_token: 2p1pou8p4ls208mcbedeewlotghppenobcyrmyhq8pyf51xd8u
+ expires_at: 2038-01-01 00:00:00
updated_at: 2014-02-03T17:22:54Z
manifest_text: ". 73feffa4b7f6bb68e44cf984c85f6e88+3 0:3:baz\n"
name: collection_with_same_name_in_aproject_and_home_project
+
+collection_owned_by_foo:
+ uuid: zzzzz-4zz18-50surkhkbhsp31b
+ portable_data_hash: ea10d51bcf88862dbcc36eb292017dfd+45
+ manifest_text: ". 73feffa4b7f6bb68e44cf984c85f6e88+3 0:3:baz\n"
+ owner_uuid: zzzzz-tpzed-81hsbo6mk8nl05c
+ created_at: 2014-02-03T17:22:54Z
+ name: collection_owned_by_foo
uuid: zzzzz-j7d0g-ptt1ou6a9lxrv07
owner_uuid: zzzzz-tpzed-d9tiejq69daie8f
name: Active user has can_manage
+
+# Group for testing granting permission between users who share a group.
+#
+group_for_sharing_tests:
+ uuid: zzzzz-j7d0g-t4ucgncwteul7zt
+ owner_uuid: zzzzz-tpzed-000000000000000
+ name: Group for sharing tests
+ description: Users who can share objects with each other
+ group_class: role
head_uuid: zzzzz-2x53u-382brsig8rp3064
properties: {username: 'auto_setup_vm_login'}
updated_at: 2014-08-06 22:11:51.242010312 Z
+
+user_foo_can_read_sharing_group:
+ uuid: zzzzz-o0j2j-gdpvwvpj9kjs5in
+ owner_uuid: zzzzz-tpzed-000000000000000
+ tail_uuid: zzzzz-tpzed-81hsbo6mk8nl05c
+ link_class: permission
+ name: can_read
+ head_uuid: zzzzz-j7d0g-t4ucgncwteul7zt
+
+user_foo_is_in_sharing_group:
+ uuid: zzzzz-o0j2j-bwmcf9nqwomvtny
+ owner_uuid: zzzzz-tpzed-000000000000000
+ tail_uuid: zzzzz-j7d0g-t4ucgncwteul7zt
+ link_class: permission
+ name: can_read
+ head_uuid: zzzzz-tpzed-81hsbo6mk8nl05c
+
+user_bar_can_read_sharing_group:
+ uuid: zzzzz-o0j2j-23djaoza9g2zvjx
+ owner_uuid: zzzzz-tpzed-000000000000000
+ tail_uuid: zzzzz-tpzed-n3oaj4sm5fcnwib
+ link_class: permission
+ name: can_read
+ head_uuid: zzzzz-j7d0g-t4ucgncwteul7zt
+
+user_bar_is_in_sharing_group:
+ uuid: zzzzz-o0j2j-ga7fgy3xsz4hu28
+ owner_uuid: zzzzz-tpzed-000000000000000
+ tail_uuid: zzzzz-j7d0g-t4ucgncwteul7zt
+ link_class: permission
+ name: can_read
+ head_uuid: zzzzz-tpzed-n3oaj4sm5fcnwib
+
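Review bot: The four link fixtures come in pairs with opposite directions, and nothing in the file explains why both are needed. `user_foo_can_read_sharing_group` has the user as `tail_uuid` and the group as `head_uuid`, while `user_foo_is_in_sharing_group` is the reverse. A short comment above the first pair would save the next reader from working it out, for example `# Each member can_read the group, and the group can_read each member, so members can see one another.` That wording assumes this is the intent; confirm it against the permission model before adding it.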
is_admin: false
prefs:
test: abc
+
+# Fixtures to test granting and removing permissions.
+
+user_foo_in_sharing_group:
+ owner_uuid: zzzzz-tpzed-000000000000000
+ uuid: zzzzz-tpzed-81hsbo6mk8nl05c
+ email: user_foo_in_sharing_group@arvados.local
+ first_name: Foo
+ last_name: Sharing
+ identity_url: https://user_foo_in_sharing_group.openid.local
+ is_active: true
+ is_admin: false
+
+user_bar_in_sharing_group:
+ owner_uuid: zzzzz-tpzed-000000000000000
+ uuid: zzzzz-tpzed-n3oaj4sm5fcnwib
+ email: user_bar_in_sharing_group@arvados.local
+ first_name: Bar
+ last_name: Sharing
+ identity_url: https://user_bar_in_sharing_group.openid.local
+ is_active: true
+ is_admin: false
assert_not_nil assigns(:objects)
assert_empty assigns(:objects)
end
+
+ # Granting permissions.
+ test "grant can_read on project to other users in group" do
+ authorize_with :user_foo_in_sharing_group
+
+ refute users(:user_bar_in_sharing_group).can?(read: collections(:collection_owned_by_foo).uuid)
+
+ post :create, {
+ link: {
+ tail_uuid: users(:user_bar_in_sharing_group).uuid,
+ link_class: 'permission',
+ name: 'can_read',
+ head_uuid: collections(:collection_owned_by_foo).uuid,
+ }
+ }
+ assert_response :success
+ assert users(:user_bar_in_sharing_group).can?(read: collections(:collection_owned_by_foo).uuid)
+ end
end
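Review bot: The test name says "project", but the object being shared is `collections(:collection_owned_by_foo)`; something like `test "grant can_read on collection to other users in group" do` would match what is exercised. Only the success path is covered. Since the model change in this commit appears to add a new way for `can?` to succeed, a companion test would pin the denial side: the same `post :create` should be refused when the authorized user has no manage permission on the `head_uuid` object, and the target user's `can?(read: ...)` should still be false afterwards. The existing `refute` precondition before the request is a good pattern to reuse there.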