18691: Return empty writable_by for items inside frozen projects.
authorTom Clegg <tom@curii.com>
Thu, 3 Mar 2022 16:29:25 +0000 (11:29 -0500)
committerTom Clegg <tom@curii.com>
Thu, 3 Mar 2022 16:34:34 +0000 (11:34 -0500)
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>

services/api/app/models/arvados_model.rb
services/api/test/unit/group_test.rb

index 029034d8bdfdf5d8f222170f2bb8e35d0b32e99c..a979338e4313a8f7a091e8ffd6cee9b0d112b199 100644 (file)
@@ -246,6 +246,15 @@ class ArvadosModel < ApplicationRecord
   # If current user cannot write this object, just return
   # [self.owner_uuid].
   def writable_by
+    # Return [] if this is a frozen project and the current user can't
+    # unfreeze
+    return [] if respond_to?(:frozen_by_uuid) && frozen_by_uuid &&
+                 !(Rails.configuration.API.UnfreezeProjectRequiresAdmin ?
+                     current_user.andand.is_admin :
+                     current_user.can?(manage: uuid))
+    # Return [] if nobody can write because this object is inside a
+    # frozen project
+    return [] if FrozenGroup.where(uuid: owner_uuid).any?
     return [owner_uuid] if not current_user
     unless (owner_uuid == current_user.uuid or
             current_user.is_admin or
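Review bot: The non-admin branch of the new frozen-project guard calls `current_user.can?(manage: uuid)` with no nil check, while the admin branch uses `current_user.andand.is_admin` and the pre-existing `return [owner_uuid] if not current_user` just below shows current_user can be nil at this point. With UnfreezeProjectRequiresAdmin false and no current user, writable_by on a frozen project would raise NoMethodError instead of returning `[]`; `current_user.andand.can?(manage: uuid)` keeps the two branches consistent. The method comment above the `def` still describes only the `[self.owner_uuid]` fallback, so it should also mention the two new `[]` cases. The second guard adds a `FrozenGroup` query on every call, which may be worth checking if writable_by is computed per item in list responses. writable_by's body continues outside the hunk.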
index 513c1dae66bbdfa2dedf208b984e6f59ae079105..ff079e1b544048eed2f1aede80dd87388506c53b 100644 (file)
@@ -425,6 +425,9 @@ update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}'
           frozen.destroy
         end
         frozen.reload
+        if frozen != proj
+          assert_equal [], frozen.writable_by
+        end
       end
 
       # User with manage permission can unfreeze, then create items
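Review bot: The new assertion is skipped when `frozen == proj`, so the visible lines do not exercise the first guard added to writable_by (the frozen project itself, for a user who cannot unfreeze). Two companion assertions would pin that access-control path: one on the project itself for a user without unfreeze rights, and one with no current user while UnfreezeProjectRequiresAdmin is false. The first could be something like `assert_equal [], proj.writable_by`, placed in a block where the acting user lacks manage permission. The enclosing test starts and ends outside the hunk, so this may already be covered elsewhere.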