From 9ede4c0a5cdadd5f1b5664950146626b794a6921 Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Thu, 17 Mar 2022 14:26:58 -0400
Subject: [PATCH] 18691: Make it more obvious that unfreeze requires :manage.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 services/api/app/models/user.rb | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index 096f5a86a4..44e6ca7578 100644
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -86,7 +86,7 @@ class User < ArvadosModel
 VAL_FOR_PERM = {:read => 1,
 :write => 2,
- :unfreeze => 2,
+ :unfreeze => 3,
 :manage => 3}
@@ -148,10 +148,12 @@ SELECT 1 FROM #{PERMISSION_VIEW}
 return false
 end
 elsif action == :unfreeze
- # "unfreeze" permission means "could write if target weren't
- # frozen", which is relevant when a user is un-freezing a
- # project. If the permission query above allows :write, and
- # the parent isn't also frozen, then un-freeze is allowed.
+ # "unfreeze" permission means "can write, but only if
+ # explicitly un-freezing at the same time" (see
+ # ArvadosModel#ensure_owner_uuid_is_permitted). If the
+ # permission query above passed the permission level of
+ # :unfreeze (which is the same as :manage), and the parent
+ # isn't also frozen, then un-freeze is allowed.
 if FrozenGroup.where(uuid: target_owner_uuid).any?
 return false
 end
-- 
2.30.2
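Review bot: The `:unfreeze` and `:manage` entries in VAL_FOR_PERM are now tied together only by repeating the literal `3`, so a later edit to `:manage` could silently leave `:unfreeze` at a different level; the reason they must match is explained only in the comment in the second hunk, far from the table. A trailing comment on the entry would keep the invariant visible where it is defined, e.g. `:unfreeze => 3, # must equal :manage: un-freezing requires manage permission`. This is also an authorization change (a holder of only :write no longer satisfies :unfreeze), and the diffstat shows only user.rb touched, so a regression test asserting that a write-only user is refused un-freeze while a manage-level user is allowed would be worth adding if one does not already exist elsewhere. The enclosing class begins outside the hunk.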