From: Tom Clegg
Date: Thu, 3 Mar 2022 16:29:25 +0000 (-0500)
Subject: 18691: Return empty writable_by for items inside frozen projects.
X-Git-Tag: 2.4.0~36^2~23
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/f73b71e88b15214683a5483e76254a9795c8b915?hp=823c4953e20d8408c203e554913a7852bbc60a65
18691: Return empty writable_by for items inside frozen projects.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
diff --git a/services/api/app/models/arvados_model.rb b/services/api/app/models/arvados_model.rb
index 029034d8bd..a979338e43 100644
--- a/services/api/app/models/arvados_model.rb
+++ b/services/api/app/models/arvados_model.rb
@@ -246,6 +246,15 @@ class ArvadosModel < ApplicationRecord
 # If current user cannot write this object, just return
 # [self.owner_uuid].
 def writable_by
+ # Return [] if this is a frozen project and the current user can't
+ # unfreeze
+ return [] if respond_to?(:frozen_by_uuid) && frozen_by_uuid &&
+ !(Rails.configuration.API.UnfreezeProjectRequiresAdmin ?
+ current_user.andand.is_admin :
+ current_user.can?(manage: uuid))
+ # Return [] if nobody can write because this object is inside a
+ # frozen project
+ return [] if FrozenGroup.where(uuid: owner_uuid).any?
 return [owner_uuid] if not current_user
 unless (owner_uuid == current_user.uuid or
 current_user.is_admin or
diff --git a/services/api/test/unit/group_test.rb b/services/api/test/unit/group_test.rb
index 513c1dae66..ff079e1b54 100644
--- a/services/api/test/unit/group_test.rb
+++ b/services/api/test/unit/group_test.rb
@@ -425,6 +425,9 @@ update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}'
 frozen.destroy
 end
 frozen.reload
+ if frozen != proj
+ assert_equal [], frozen.writable_by
+ end
 end
 # User with manage permission can unfreeze, then create items
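Review bot: The non-admin arm of the new frozen-project check calls `current_user.can?(manage: uuid)` ahead of the existing `return [owner_uuid] if not current_user` guard, so with `UnfreezeProjectRequiresAdmin` off a frozen project evaluated without a current user would raise on nil instead of returning a list; the admin arm avoids this with `andand`. Make the two arms consistent with `current_user.andand.can?(manage: uuid)`, which yields `[]` for that case. The comment above `writable_by` still documents only the `[self.owner_uuid]` fallback and should mention both `[]` returns. `FrozenGroup.where(uuid: owner_uuid).any?` issues a query on every call, which is worth checking if `writable_by` is computed per item in list responses. The body of `writable_by` continues past the end of the hunk.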
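Review bot: The added assertion is skipped when `frozen == proj`, so nothing visible in this hunk checks `writable_by` on the frozen project itself, which is the first new return in `ArvadosModel#writable_by` and the one that depends on `UnfreezeProjectRequiresAdmin` and the caller's manage permission. Consider an `else` arm asserting the expected value for the acting user, and a short comment on the existing arm such as `# nothing inside a frozen project is writable, whoever asks`. The enclosing test block starts before the hunk, so the acting user and config setting here are not visible and may already be covered elsewhere.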