From 8c7fb5f13cb167740b7b228c7fab40f2980d1978 Mon Sep 17 00:00:00 2001
From: Brett Smith <brett@curoverse.com>
Date: Tue, 31 Mar 2015 11:13:54 -0400
Subject: [PATCH 1/1] 4253: Merge Repository permission requirements of #4253
 and #5416.

---
 services/api/app/models/arvados_model.rb  |  9 +++++++--
 services/api/app/models/repository.rb     | 17 +++++++++--------
 services/api/test/unit/repository_test.rb | 13 -------------
 3 files changed, 16 insertions(+), 23 deletions(-)

diff --git a/services/api/app/models/arvados_model.rb b/services/api/app/models/arvados_model.rb
index 1fe5808848..02e9386bfe 100644
--- a/services/api/app/models/arvados_model.rb
+++ b/services/api/app/models/arvados_model.rb
@@ -308,8 +308,13 @@ class ArvadosModel < ActiveRecord::Base
     # Verify "write" permission on new owner
     # default fail unless one of:
     # current_user is this object
-    # current user can_write new owner
-    unless current_user == self or current_user.can? write: owner_uuid
+    # current user can_write new owner, or this object if owner unchanged
+    if new_record? or owner_uuid_changed? or is_a?(ApiClientAuthorization)
+      write_target = owner_uuid
+    else
+      write_target = uuid
+    end
+    unless current_user == self or current_user.can? write: write_target
       logger.warn "User #{current_user.uuid} tried to modify #{self.class.to_s} #{uuid} but does not have permission to write new owner_uuid #{owner_uuid}"
       errors.add :owner_uuid, "cannot be changed without write permission on new owner"
       raise PermissionDeniedError
diff --git a/services/api/app/models/repository.rb b/services/api/app/models/repository.rb
index 5bc467c920..0cab4dcf87 100644
--- a/services/api/app/models/repository.rb
+++ b/services/api/app/models/repository.rb
@@ -47,14 +47,15 @@ class Repository < ArvadosModel
   protected
 
   def permission_to_update
-    return false if not current_user
-    return true if current_user.is_admin
-    # For normal objects, this is a way to check whether you have
-    # write permission. Repositories should be brought closer to the
-    # normal permission model during #4253. Meanwhile, we'll
-    # special-case this so arv-git-httpd can detect write permission:
-    return super if changed_attributes.keys - ['modified_at', 'updated_at'] == []
-    false
+    if not super
+      false
+    elsif current_user.is_admin
+      true
+    elsif name_changed?
+      current_user.uuid == owner_uuid
+    else
+      true
+    end
   end
 
   def owner
diff --git a/services/api/test/unit/repository_test.rb b/services/api/test/unit/repository_test.rb
index a6b0be5f0a..5acef1bb1e 100644
--- a/services/api/test/unit/repository_test.rb
+++ b/services/api/test/unit/repository_test.rb
@@ -238,19 +238,6 @@ class RepositoryTest < ActiveSupport::TestCase
     end
   end
 
-  test 'write permission not sufficient for changing name' do
-    act_as_user users(:active) do
-      r = repositories(:foo)
-      name_was = r.name
-      r.name = 'newname'
-      assert_raises ArvadosModel::PermissionDeniedError do
-        r.save!
-      end
-      r.reload
-      assert_equal name_was, r.name
-    end
-  end
-
   test 'write permission necessary for changing modified_at' do
     act_as_user users(:spectator) do
       r = repositories(:foo)
-- 
2.30.2