Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>
VAL_FOR_PERM =
{:read => 1,
:write => 2,
VAL_FOR_PERM =
{:read => 1,
:write => 2,
return false
end
elsif action == :unfreeze
return false
end
elsif action == :unfreeze
- # "unfreeze" permission means "could write if target weren't
- # frozen", which is relevant when a user is un-freezing a
- # project. If the permission query above allows :write, and
- # the parent isn't also frozen, then un-freeze is allowed.
+ # "unfreeze" permission means "can write, but only if
+ # explicitly un-freezing at the same time" (see
+ # ArvadosModel#ensure_owner_uuid_is_permitted). If the
+ # permission query above passed the permission level of
+ # :unfreeze (which is the same as :manage), and the parent
+ # isn't also frozen, then un-freeze is allowed.
if FrozenGroup.where(uuid: target_owner_uuid).any?
return false
end
if FrozenGroup.where(uuid: target_owner_uuid).any?
return false
end