From ff9323418d6a13da701be80aee9e3134e8aa6bab Mon Sep 17 00:00:00 2001
From: Brett Smith
Date: Tue, 15 Jul 2014 14:30:12 -0400
Subject: [PATCH] 2044: Let users read permission links for groups they're in.
This lets everyone in a project see basic information about who has access to a project.
---
 services/api/app/models/arvados_model.rb | 8 ++++----
 services/api/test/fixtures/links.yml | 17 +++++++++++++++++
 .../arvados/v1/links_controller_test.rb | 11 +++++++++++
 3 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/services/api/app/models/arvados_model.rb b/services/api/app/models/arvados_model.rb
index 1ea9332484..9a806d3428 100644
--- a/services/api/app/models/arvados_model.rb
+++ b/services/api/app/models/arvados_model.rb
@@ -130,11 +130,11 @@ class ArvadosModel < ActiveRecord::Base
 sql_params += [uuid_list, user_uuids]
 if sql_table == "links" and users_list.any?
- # This row is a 'permission' or 'resources' link class
- # The uuid for a member of users_list is referenced in either the head
- # or tail of the link
+ # This row is a 'permission' or 'resources' link class that
+ # references a member of users_list or a group readable by
+ # those users.
 sql_conds += ["(#{sql_table}.link_class in (#{sanitize 'permission'}, #{sanitize 'resources'}) AND (#{sql_table}.head_uuid IN (?) OR #{sql_table}.tail_uuid IN (?)))"]
- sql_params += [user_uuids, user_uuids]
+ sql_params += [uuid_list, uuid_list]
 end
 if sql_table == "logs" and users_list.any?
diff --git a/services/api/test/fixtures/links.yml b/services/api/test/fixtures/links.yml
index 313db7f206..1227618257 100644
--- a/services/api/test/fixtures/links.yml
+++ b/services/api/test/fixtures/links.yml
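Review bot: Read access to a group now implies visibility of every `permission` and `resources` link whose head or tail is that group, and nothing in this condition limits that to users who manage the group (`sql_params += [uuid_list, uuid_list]` in `arvados_model.rb`). Each such row carries the other grantees' `tail_uuid` and access level, and the `resources` class is widened too although the commit message only mentions permission links. The enclosing method and the construction of `uuid_list` are outside this hunk; if that list can contain broadly readable groups, any user who can read one could enumerate the accounts linked to it. I would state the intended boundary in the comment, e.g. `# Any reader of a group may list all permission/resources links to or from it, including grantee uuids and access levels.`, and confirm the `tail_uuid IN (?)` side needs the wider list at all.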
@@ -318,6 +318,23 @@ test_timestamps:
 name: test
 properties: {}
+admin_can_write_aproject:
+ # Yes, this permission is effectively redundant.
+ # We use it to test that other project admins can see
+ # all the project's sharing.
+ uuid: zzzzz-o0j2j-adminmgsproject
+ owner_uuid: zzzzz-tpzed-000000000000000
+ created_at: 2014-01-24 20:42:26 -0800
+ modified_by_client_uuid: zzzzz-ozdt8-brczlopd8u8d0jr
+ modified_by_user_uuid: zzzzz-tpzed-xurymjxw79nv3jz
+ modified_at: 2014-01-24 20:42:26 -0800
+ updated_at: 2014-01-24 20:42:26 -0800
+ tail_uuid: zzzzz-tpzed-d9tiejq69daie8f
+ link_class: permission
+ name: can_write
+ head_uuid: zzzzz-j7d0g-v955i6s2oi1cbso
+ properties: {}
+
 project_viewer_can_read_project:
 uuid: zzzzz-o0j2j-projviewerreadp
 owner_uuid: zzzzz-tpzed-000000000000000
diff --git a/services/api/test/functional/arvados/v1/links_controller_test.rb b/services/api/test/functional/arvados/v1/links_controller_test.rb
index d5b42665c3..9dfc3507cc 100644
--- a/services/api/test/functional/arvados/v1/links_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/links_controller_test.rb
@@ -283,4 +283,15 @@ class Arvados::V1::LinksControllerTest < ActionController::TestCase
 }
 assert_response 422
 end
+
+ test "project owner sees project's permission links" do
+ authorize_with :active
+ get :index, filters: [['head_uuid', '=', groups(:aproject).uuid]]
+ uuid_list = assigns(:objects).andand.map(&:uuid)
+ assert_not_nil(uuid_list, "no index objects assigned")
+ [:admin_can_write_aproject, :project_viewer_can_read_project].each do |lsym|
+ assert_includes(uuid_list, links(lsym).uuid,
+ "#{lsym} missing from project permission index")
+ end
+ end
 end
--
2.30.2
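Review bot: The new test in `links_controller_test.rb` exercises only the owner path (`authorize_with :active`), so the boundary this commit moves, namely who else may list a project's permission links, is not asserted anywhere. Add the same `head_uuid` request for a read-only member of the project, and a negative case under a user fixture with no access to `groups(:aproject)` that ends in `refute_includes(uuid_list, links(lsym).uuid)`. Without the negative case, a later change that widens the uuid list bound in the model query could expose grantee uuids without failing this suite.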