[ARVADOS] updated: 1fc1bc4348ea3a1168f6d7bd3391f2449e30d181
git at public.curoverse.com
git at public.curoverse.com
Thu Aug 14 22:55:23 EDT 2014
Summary of changes:
services/api/app/models/arvados_model.rb | 28 +++++++++++++++++++++++-----
services/api/app/models/collection.rb | 19 +++++++++++++++++++
2 files changed, 42 insertions(+), 5 deletions(-)
via 1fc1bc4348ea3a1168f6d7bd3391f2449e30d181 (commit)
via 317952f20cb0d979d35b66bc735d02c2ea69050e (commit)
from a2ef5d0f32746fe06e89737ea5744622fc43e012 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 1fc1bc4348ea3a1168f6d7bd3391f2449e30d181
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date: Thu Aug 14 22:55:11 2014 -0400
3036: Adding pre-validation callback to set the portable_data_hash if necessary.
Added validation callback to check that portable_data_hash matches manifest_text.
diff --git a/services/api/app/models/collection.rb b/services/api/app/models/collection.rb
index b451ad0..72cd0b6 100644
--- a/services/api/app/models/collection.rb
+++ b/services/api/app/models/collection.rb
@@ -3,6 +3,9 @@ class Collection < ArvadosModel
include KindAndEtag
include CommonApiTemplate
+ before_validation :set_portable_data_hash
+ validate :ensure_manifest_matches_hash
+
api_accessible :user, extend: :common do |t|
t.add :data_size
t.add :files
@@ -15,6 +18,22 @@ class Collection < ArvadosModel
t.add :manifest_text
end
+ def set_portable_data_hash
+ if portable_data_hash.nil? or portable_data_hash == "" or
+ (manifest_text_changed? and !portable_data_hash_changed?)
+ portable_data_hash = "#{Digest::MD5.hexdigest(manifest_text)}+#{manifest_text.length}"
+ end
+ true
+ end
+
+ def ensure_manifest_matches_hash
+ unless Digest::MD5.hexdigest(manifest_text) == portable_data_hash
+ errors.add(:portable_data_hash, "does not match hash of manifest_text")
+ return false
+ end
+ true
+ end
+
def redundancy_status
if redundancy_confirmed_as.nil?
'unconfirmed'
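Review bot: In `set_portable_data_hash`, the line `portable_data_hash = "#{Digest::MD5.hexdigest(manifest_text)}+#{manifest_text.length}"` assigns a method-local variable instead of calling the attribute writer, so the record's hash is never set; it should start with `self.portable_data_hash =`. Once that is fixed, `ensure_manifest_matches_hash` would reject the value the callback produced, because the callback stores `<md5>+<length>` while the validation compares `portable_data_hash` against the bare `Digest::MD5.hexdigest(manifest_text)`; both methods should build the expected value the same way, ideally through one shared private helper. Both methods also pass `manifest_text` to `Digest::MD5.hexdigest` without a nil check, so a missing manifest raises instead of adding a validation error. `manifest_text.length` counts characters, which may differ from the byte size for non-ASCII manifests; confirm which one the hash suffix is meant to carry.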
commit 317952f20cb0d979d35b66bc735d02c2ea69050e
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date: Thu Aug 14 22:53:24 2014 -0400
3036: ensure_owner_uuid_is_permitted checks that owner_uuid is a User or Group.
Added comments on permission logic.
diff --git a/services/api/app/models/arvados_model.rb b/services/api/app/models/arvados_model.rb
index 7f1f1e1..52fe56d 100644
--- a/services/api/app/models/arvados_model.rb
+++ b/services/api/app/models/arvados_model.rb
@@ -175,7 +175,7 @@ class ArvadosModel < ActiveRecord::Base
if new_record? or owner_uuid_changed?
uuid_in_path = {owner_uuid => true, uuid => true}
x = owner_uuid
- while (owner_class = self.class.resource_class_for_uuid(x)) != User
+ while (owner_class = ArvadosModel::resource_class_for_uuid(x)) != User
begin
if x == uuid
# Test for cycles with the new version, not the DB contents
@@ -205,12 +205,24 @@ class ArvadosModel < ActiveRecord::Base
def ensure_owner_uuid_is_permitted
raise PermissionDeniedError if !current_user
+
if new_record? and respond_to? :owner_uuid=
self.owner_uuid ||= current_user.uuid
end
- # Verify permission to write to old owner (unless owner_uuid was
- # nil -- or hasn't changed, in which case the following
- # "permission to write to new owner" block will take care of us)
+
+ rsc_class = ArvadosModel::resource_class_for_uuid owner_uuid
+ unless rsc_class == User or rsc_class == Group
+ errors.add :owner_uuid, "can only be set to User or Group"
+ raise PermissionDeniedError
+ end
+
+ # Verify "write" permission on old owner
+ # default fail unless one of:
+ # owner_uuid did not change
+ # previous owner_uuid is nil
+ # current user is the old owner
+ # current user is this object
+ # current user can_write old owner
unless !owner_uuid_changed? or
owner_uuid_was.nil? or
current_user.uuid == self.owner_uuid_was or
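Review bot: The new owner-type denial under `unless rsc_class == User or rsc_class == Group` raises `PermissionDeniedError` without writing a log entry, whereas the new-owner denial further down in this method records the acting user and target with `logger.warn`. Adding something like `logger.warn "User #{current_user.uuid} tried to set owner_uuid of #{self.class.to_s} #{uuid} to #{owner_uuid}, which is not a User or Group"` before the raise would make rejected attempts visible for audit. The check also runs on every save rather than only when `new_record? or owner_uuid_changed?`, so an existing record whose owner resolves to another class would presumably become unsaveable; confirm that is intended. The method body continues outside this hunk.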
@@ -220,12 +232,18 @@ class ArvadosModel < ActiveRecord::Base
errors.add :owner_uuid, "cannot be changed without write permission on old owner"
raise PermissionDeniedError
end
- # Verify permission to write to new owner
+
+ # Verify "write" permission on new owner
+ # default fail unless one of:
+ # current_user is this object
+ # current user can_write new owner
unless current_user == self or current_user.can? write: owner_uuid
logger.warn "User #{current_user.uuid} tried to modify #{self.class.to_s} #{uuid} but does not have permission to write new owner_uuid #{owner_uuid}"
errors.add :owner_uuid, "cannot be changed without write permission on new owner"
raise PermissionDeniedError
end
+
+ true
end
def ensure_permission_to_save
-----------------------------------------------------------------------
hooks/post-receive
--