links_cond = ""
if sql_table == "links"
- # Match any permission link that gives one of the authorized
- # users some permission _or_ gives anyone else permission to
- # view one of the authorized users.
+ # 1) Match permission links incoming or outgoing on the
+ # user, i.e. granting permission on the user, or granting
+ # permission to the user.
+ #
+ # 2) Match permission links which grant permission on an
+ # object that this user can_manage.
+ #
links_cond = "OR (#{sql_table}.link_class IN (:permission_link_classes) AND "+
- "(#{sql_table}.head_uuid IN (#{user_uuids_subquery}) OR #{sql_table}.tail_uuid IN (#{user_uuids_subquery})))"
+ " ((#{sql_table}.head_uuid IN (#{user_uuids_subquery}) OR #{sql_table}.tail_uuid IN (#{user_uuids_subquery})) OR " +
+ " #{sql_table}.head_uuid IN (SELECT target_uuid FROM #{PERMISSION_VIEW} "+
+ " WHERE user_uuid IN (#{user_uuids_subquery}) AND perm_level >= 3))) "
end
sql_conds = "(#{owner_check} #{direct_check} #{links_cond}) #{trashed_check.empty? ? "" : "AND"} #{trashed_check}"
self.where(sql_conds,
user_uuids: all_user_uuids.collect{|c| c["target_uuid"]},
- permission_link_classes: ['permission', 'resources'])
+ permission_link_classes: ['permission'])
end
def save_with_unique_name!
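Review bot: The new second arm of `links_cond` (the `SELECT target_uuid FROM #{PERMISSION_VIEW}` subquery) hard-codes `perm_level >= 3`, while the comment above it describes the arm as "an object that this user can_manage", so a reader has to already know which level can_manage is to check that the filter matches its description. If the model has a named constant for that level, interpolate it instead of the literal; otherwise annotate the line, e.g. `" WHERE user_uuid IN (#{user_uuids_subquery}) AND perm_level >= 3))) " # 3 == can_manage (presumably the level PERMISSION_VIEW uses) — confirm`. The `#{sql_table}` interpolation only reaches this string when the `if sql_table == "links"` guard holds, so the table name is a literal here, but `user_uuids_subquery` is built outside the hunk and should stay a fixed SQL fragment rather than anything derived from request input. The enclosing method starts before this hunk.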
assert_response :success
assert_equal [], json_response['items']
- # add some permissions, including can_manage
- # permission for user :active
+ ### add some permissions, including can_manage
+ ### permission for user :active
post "/arvados/v1/links",
params: {
:format => :json,
assert_response :success
assert_equal [], json_response['items']
- # Now add a can_manage link
+ # Shouldn't be able to read links directly either
+ get "/arvados/v1/links/#{can_read_uuid}",
+ params: {},
+ headers: auth(:active)
+ assert_response 404
+
+ ### Now add a can_manage link
post "/arvados/v1/links",
params: {
:format => :json,
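Review bot: The direct-read probe `get "/arvados/v1/links/#{can_read_uuid}", params: {}, headers: auth(:active)` followed by an `assert_response` is pasted verbatim three times in this test (here expecting 404, later expecting :success after can_manage is granted, and 404 again after it is deleted), so a change to the route or headers has to be made in three places. A one-line helper keeps the three visibility checks identical and makes the expected status the only thing that varies at each call site; the `###` comments that mark the permission setup steps would then read as the test's outline. The enclosing test method starts before this hunk and its name is not visible here.
```ruby
# Asserts what a direct GET on a permission link returns for user :active.
def assert_direct_link_read(link_uuid, expected_status)
  get "/arvados/v1/links/#{link_uuid}", params: {}, headers: auth(:active)
  assert_response expected_status
end
```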
assert_response :success
can_manage_uuid = json_response['uuid']
- # Now user :active should be able to retrieve permissions
- # on group :public.
+ # user :active should be able to retrieve permissions
+ # on group :public using get_permissions
get("/arvados/v1/permissions/#{groups(:public).uuid}",
params: { :format => :json },
headers: auth(:active))
assert_includes perm_uuids, can_write_uuid, "can_write_uuid not found"
assert_includes perm_uuids, can_manage_uuid, "can_manage_uuid not found"
- # Now user :active should be able to retrieve permissions
- # on group :public.
+ # user :active should be able to retrieve permissions
+ # on group :public using link list
get "/arvados/v1/links",
params: {
:filters => [["link_class", "=", "permission"], ["head_uuid", "=", groups(:public).uuid]].to_json
assert_includes perm_uuids, can_write_uuid, "can_write_uuid not found"
assert_includes perm_uuids, can_manage_uuid, "can_manage_uuid not found"
- # Now delete the can_manage link
+ # Should be able to read links directly too
+ get "/arvados/v1/links/#{can_read_uuid}",
+ params: {},
+ headers: auth(:active)
+ assert_response :success
+
+ ### Now delete the can_manage link
delete "/arvados/v1/links/#{can_manage_uuid}",
params: nil,
headers: auth(:active)
headers: auth(:active)
assert_response :success
assert_equal [], json_response['items']
+
+ # Should not be able to read links directly either
+ get "/arvados/v1/links/#{can_read_uuid}",
+ params: {},
+ headers: auth(:active)
+ assert_response 404
end
test "get_permissions returns 404 for nonexistent uuid" do