From: Tom Clegg
Date: Fri, 24 Nov 2017 15:21:28 +0000 (-0500)
Subject: 11453: Only update safe fields from remote user record.
X-Git-Tag: 1.1.2~25^2~19
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/335f28908c61409ee12cbce0d4225d5a35d5c9b5
11453: Only update safe fields from remote user record.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index fa4d1bebd0..7efd8eaf52 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -142,8 +142,24 @@ class ApiClientAuthorization < ArvadosModel
 act_as_system_user do
 # Add/update user and token in our database so we can
 # validate subsequent requests faster.
+
 user = User.find_or_create_by(uuid: remote_user[:uuid])
- user.update_attributes!(remote_user.merge(is_admin: false))
+
+ updates = {}
+ [:first_name, :last_name, :email, :prefs].each do |attr|
+ updates[attr] = remote_user[attr]
+ end
+
+ if Rails.configuration.new_users_are_active
+ # Update is_active to whatever it is at the remote end
+ updates[:is_active] = remote_user[:is_active]
+ elsif !updates[:is_active]
+ # Remote user is inactive; our mirror should be, too.
+ updates[:is_active] = false
+ end
+
+ user.update_attributes!(updates)
+
 auth = ApiClientAuthorization.
 includes(:user).
 find_or_create_by(uuid: uuid,
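Review bot: The `elsif !updates[:is_active]` branch tests a key that nothing above it sets, since the loop copies only `:first_name`, `:last_name`, `:email` and `:prefs`. The condition is therefore always true, and whenever `new_users_are_active` is off every remote login writes `is_active: false` onto the local mirror, including a mirror record that had been activated locally. That fails closed, but it does not match the comment "Remote user is inactive"; the test presumably should read `elsif !remote_user[:is_active]`. Separately, the loop assigns `remote_user[attr]` even when the remote response omits the key, so a sparse or malformed response would overwrite local fields with nil; `updates[attr] = remote_user[attr] if remote_user.key?(attr)` would avoid that, assuming `remote_user` is a symbol-keyed hash as the lookups suggest. The enclosing method begins and ends outside this hunk.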