From a18fe628853e2042bb104088dd586cb8f41adcef Mon Sep 17 00:00:00 2001
From: Lucas Di Pentima
Date: Thu, 4 Oct 2018 15:54:18 -0300
Subject: [PATCH] 13561: Avoid permission links to be attached to past collection versions.

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima
---
 services/api/app/models/link.rb | 6 +++++-
 services/api/test/fixtures/collections.yml | 15 +++++++++++++++
 services/api/test/unit/link_test.rb | 5 +++++
 3 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/services/api/app/models/link.rb b/services/api/app/models/link.rb
index dc961667b0..bf21cf4b67 100644
--- a/services/api/app/models/link.rb
+++ b/services/api/app/models/link.rb
@@ -48,8 +48,12 @@ class Link < ArvadosModel
 # Administrators can grant permissions
 return true if current_user.is_admin
 
- # All users can grant permissions on objects they own or can manage
 head_obj = ArvadosModel.find_by_uuid(head_uuid)
+
+ # No permission links can be pointed to past collection versions
+ return false if head_obj.is_a?(Collection) && head_obj.current_version_uuid != head_uuid
+
+ # All users can grant permissions on objects they own or can manage
 return true if current_user.can?(manage: head_obj)
 
 # Default = deny.
diff --git a/services/api/test/fixtures/collections.yml b/services/api/test/fixtures/collections.yml
index 2bc362a4c8..62bb644c0d 100644
--- a/services/api/test/fixtures/collections.yml
+++ b/services/api/test/fixtures/collections.yml
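Review bot: The new `return false if head_obj.is_a?(Collection) && head_obj.current_version_uuid != head_uuid` guard sits below `return true if current_user.is_admin`, so an admin can still attach a permission link to a past collection version even though the commit message states a blanket rule; if that is not intended, move the `head_obj` lookup and the guard above the admin early return, and if it is intended, say so in the comment, e.g. `# Admins may still link past versions; non-admins may not`. The guard also denies any Collection whose `current_version_uuid` is nil (nil != head_uuid is true), which is only safe if that column is always populated — worth confirming against the Collection model or a NOT NULL constraint before relying on it. The enclosing method begins before this hunk, so whether it is reached only for permission-class links cannot be seen here.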
@@ -94,6 +94,21 @@ w_a_z_file:
 updated_at: 2015-02-09T10:53:38Z
 manifest_text: ". 4c6c2c0ac8aa0696edd7316a3be5ca3c+5 0:5:w\\040\\141\\040z\n"
 name: "\"w a z\" file"
+ version: 2
+
+w_a_z_file_version_1:
+ uuid: zzzzz-4zz18-25k12570yk1ver1
+ current_version_uuid: zzzzz-4zz18-25k12570yk134b3
+ portable_data_hash: 8706aadd12a0ebc07d74cae88762ba9e+56
+ owner_uuid: zzzzz-tpzed-xurymjxw79nv3jz
+ created_at: 2015-02-09T10:53:38Z
+ modified_by_client_uuid: zzzzz-ozdt8-brczlopd8u8d0jr
+ modified_by_user_uuid: zzzzz-tpzed-d9tiejq69daie8f
+ modified_at: 2015-02-09T10:53:38Z
+ updated_at: 2015-02-09T10:53:38Z
+ manifest_text: ". 4c6c2c0ac8aa0696edd7316a3be5ca3c+5 0:5:w\\040\\141\\040z\n"
+ name: "waz file"
+ version: 1
 
 multilevel_collection_1:
 uuid: zzzzz-4zz18-pyw8yp9g3pr7irn
diff --git a/services/api/test/unit/link_test.rb b/services/api/test/unit/link_test.rb
index cba5d20cb2..00f3cc2913 100644
--- a/services/api/test/unit/link_test.rb
+++ b/services/api/test/unit/link_test.rb
@@ -80,4 +80,9 @@ class LinkTest < ActiveSupport::TestCase
 test "link granting project permissions to unreadable user is invalid" do
 refute new_active_link_valid?(tail_uuid: users(:admin).uuid)
 end
+
+ test "permission link can't exist on past collection versions" do
+ refute new_active_link_valid?(tail_uuid: groups(:public).uuid,
+ head_uuid: collections(:w_a_z_file_version_1).uuid)
+ end
 end
-- 
2.30.2
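Review bot: The new test in link_test.rb only asserts the denial case; there is no companion assertion that a link to the current version is still accepted, so a regression that rejects every collection head would pass this test. Assuming `new_active_link_valid?` builds a permission link the same way the test above it does, add `assert new_active_link_valid?(tail_uuid: groups(:public).uuid, head_uuid: collections(:w_a_z_file).uuid)` next to the `refute`. The admin path, which the model change leaves above the new guard, has no test either; one that runs the same check as an admin would document the intended outcome whichever way it is decided. The `LinkTest` class opens before this hunk.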