From 335f28908c61409ee12cbce0d4225d5a35d5c9b5 Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Fri, 24 Nov 2017 10:21:28 -0500
Subject: [PATCH] 11453: Only update safe fields from remote user record.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 .../api/app/models/api_client_authorization.rb | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index fa4d1bebd0..7efd8eaf52 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -142,8 +142,24 @@ class ApiClientAuthorization < ArvadosModel
       act_as_system_user do
         # Add/update user and token in our database so we can
         # validate subsequent requests faster.
+
         user = User.find_or_create_by(uuid: remote_user[:uuid])
-        user.update_attributes!(remote_user.merge(is_admin: false))
+
+        updates = {}
+        [:first_name, :last_name, :email, :prefs].each do |attr|
+          updates[attr] = remote_user[attr]
+        end
+
+        if Rails.configuration.new_users_are_active
+          # Update is_active to whatever it is at the remote end
+          updates[:is_active] = remote_user[:is_active]
+        elsif !updates[:is_active]
+          # Remote user is inactive; our mirror should be, too.
+          updates[:is_active] = false
+        end
+
+        user.update_attributes!(updates)
+
         auth = ApiClientAuthorization.
           includes(:user).
           find_or_create_by(uuid: uuid,
-- 
2.30.2
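Review bot: The `elsif !updates[:is_active]` branch tests a key that nothing in the hunk has assigned — `updates` holds only the four allowlisted attributes at that point — so whenever `new_users_are_active` is off the branch always runs and every authenticated request forces the mirrored user back to `is_active = false`, regardless of what the remote record says or of any activation done locally. The comment `# Remote user is inactive; our mirror should be, too.` suggests the intended test is the remote value, `elsif !remote_user[:is_active]`; if always deactivating is the deliberate policy instead, drop the condition and reword the comment so it no longer claims to mirror remote state. Unlike the removed `merge(is_admin: false)` line, the new code never writes `is_admin`, so a freshly created mirror user presumably relies on the column default; a one-line comment such as `# is_admin is intentionally never taken from the remote record` would make that explicit for the next reader. The enclosing `act_as_system_user` block and its method begin and end outside the hunk.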