# Verify "write" permission on new owner
# default fail unless one of:
# current_user is this object
- # current user can_write new owner
- unless current_user == self or current_user.can? write: owner_uuid
+ # current user can_write new owner, or this object if owner unchanged
+ if new_record? or owner_uuid_changed? or is_a?(ApiClientAuthorization)
+ write_target = owner_uuid
+ else
+ write_target = uuid
+ end
+ unless current_user == self or current_user.can? write: write_target
logger.warn "User #{current_user.uuid} tried to modify #{self.class.to_s} #{uuid} but does not have permission to write new owner_uuid #{owner_uuid}"
errors.add :owner_uuid, "cannot be changed without write permission on new owner"
raise PermissionDeniedError
protected
def permission_to_update
- return false if not current_user
- return true if current_user.is_admin
- # For normal objects, this is a way to check whether you have
- # write permission. Repositories should be brought closer to the
- # normal permission model during #4253. Meanwhile, we'll
- # special-case this so arv-git-httpd can detect write permission:
- return super if changed_attributes.keys - ['modified_at', 'updated_at'] == []
- false
+ if not super
+ false
+ elsif current_user.is_admin
+ true
+ elsif name_changed?
+ current_user.uuid == owner_uuid
+ else
+ true
+ end
end
def owner
end
end
- test 'write permission not sufficient for changing name' do
- act_as_user users(:active) do
- r = repositories(:foo)
- name_was = r.name
- r.name = 'newname'
- assert_raises ArvadosModel::PermissionDeniedError do
- r.save!
- end
- r.reload
- assert_equal name_was, r.name
- end
- end
-
test 'write permission necessary for changing modified_at' do
act_as_user users(:spectator) do
r = repositories(:foo)