From f73b71e88b15214683a5483e76254a9795c8b915 Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Thu, 3 Mar 2022 11:29:25 -0500
Subject: [PATCH] 18691: Return empty writable_by for items inside frozen projects.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 services/api/app/models/arvados_model.rb | 9 +++++++++
 services/api/test/unit/group_test.rb | 3 +++
 2 files changed, 12 insertions(+)

diff --git a/services/api/app/models/arvados_model.rb b/services/api/app/models/arvados_model.rb
index 029034d8bd..a979338e43 100644
--- a/services/api/app/models/arvados_model.rb
+++ b/services/api/app/models/arvados_model.rb
@@ -246,6 +246,15 @@ class ArvadosModel < ApplicationRecord
 # If current user cannot write this object, just return
 # [self.owner_uuid].
 def writable_by
+ # Return [] if this is a frozen project and the current user can't
+ # unfreeze
+ return [] if respond_to?(:frozen_by_uuid) && frozen_by_uuid &&
+ !(Rails.configuration.API.UnfreezeProjectRequiresAdmin ?
+ current_user.andand.is_admin :
+ current_user.can?(manage: uuid))
+ # Return [] if nobody can write because this object is inside a
+ # frozen project
+ return [] if FrozenGroup.where(uuid: owner_uuid).any?
 return [owner_uuid] if not current_user
 unless (owner_uuid == current_user.uuid or
 current_user.is_admin or
diff --git a/services/api/test/unit/group_test.rb b/services/api/test/unit/group_test.rb
index 513c1dae66..ff079e1b54 100644
--- a/services/api/test/unit/group_test.rb
+++ b/services/api/test/unit/group_test.rb
@@ -425,6 +425,9 @@ update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}'
 frozen.destroy
 end
 frozen.reload
+ if frozen != proj
+ assert_equal [], frozen.writable_by
+ end
 end

 # User with manage permission can unfreeze, then create items
-- 
2.30.2
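Review bot: In the first guard added to `writable_by`, the non-admin branch calls `current_user.can?(manage: uuid)` with no nil check, while the admin branch uses `current_user.andand.is_admin` and the context line just below (`return [owner_uuid] if not current_user`) shows `current_user` can be nil at this point. With `UnfreezeProjectRequiresAdmin` off, a request with no current user that loads a frozen project would raise NoMethodError rather than return `[]`; `current_user.andand.can?(manage: uuid)` keeps the guard failing closed. Separately, `FrozenGroup.where(uuid: owner_uuid).any?` issues one query per object, which may add up if `writable_by` is computed for every row of a list response. The body of `writable_by` continues past the end of the hunk.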
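Review bot: The added assertion is skipped when `frozen == proj`, so the first new guard in `writable_by` (the frozen project itself, gated by `UnfreezeProjectRequiresAdmin` or manage permission) is not exercised by this hunk; only the path through `FrozenGroup.where(uuid: owner_uuid)` is. An `else` branch asserting the value expected for the acting user, and a case with no current user, would cover the permission-dependent branch. The enclosing test starts outside the hunk, so the acting user and the configuration in effect are not visible here.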