[ARVADOS] updated: af27f8b8031eb8335e04a775642b4c46b30b79f6
git at public.curoverse.com
git at public.curoverse.com
Mon Feb 3 19:26:29 EST 2014
Summary of changes:
.../arvados/v1/collections_controller.rb | 1 +
services/api/app/models/user.rb | 20 +++++--
services/api/test/fixtures/groups.yml | 14 +++++-
services/api/test/fixtures/links.yml | 16 ++++++
.../arvados/v1/collections_controller_test.rb | 56 ++++++++++++++++++++
.../arvados/v1/groups_controller_test.rb | 2 +-
6 files changed, 101 insertions(+), 8 deletions(-)
via af27f8b8031eb8335e04a775642b4c46b30b79f6 (commit)
from d8c56aa6534d87105201372cd5f9f965a8246ea4 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit af27f8b8031eb8335e04a775642b4c46b30b79f6
Author: Tom Clegg <tom at curoverse.com>
Date: Mon Feb 3 16:24:06 2014 -0800
Ensure permissions can be propagated via group owner_uuid attribute.
Closes #1945
Closes #2022
diff --git a/services/api/app/controllers/arvados/v1/collections_controller.rb b/services/api/app/controllers/arvados/v1/collections_controller.rb
index 9198f58..517e84b 100644
--- a/services/api/app/controllers/arvados/v1/collections_controller.rb
+++ b/services/api/app/controllers/arvados/v1/collections_controller.rb
@@ -12,6 +12,7 @@ class Arvados::V1::CollectionsController < ApplicationController
'arvados#group'
end
unless current_user.can? write: owner_uuid
+ logger.warn "User #{current_user.andand.uuid} tried to set collection owner_uuid to #{owner_uuid}"
raise ArvadosModel::PermissionDeniedError
end
act_as_system_user do
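Review bot: The new `logger.warn` line interpolates `owner_uuid` into the message unquoted, and that value appears to come from the request (its assignment is above the hunk, so this is inferred). A value containing newlines could forge extra log lines; writing it as `#{owner_uuid.inspect}` keeps the entry on one line and makes odd values visible. Also, `current_user.andand.uuid` guards against nil, but the `unless current_user.can? write: owner_uuid` line just above already dereferences `current_user`, so the guard never takes effect here; either drop `andand` or guard the `can?` call as well. The enclosing method starts and ends outside the hunk.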
diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index 0364c08..ccf8ac4 100644
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -40,6 +40,7 @@ class User < ArvadosModel
end
def can?(actions)
+ return true if is_admin
actions.each do |action, target|
target_uuid = target
if target.respond_to? :uuid
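Review bot: `return true if is_admin` in `can?` answers before `actions` is examined, so an admin gets `true` for any action name and any target, including a UUID that does not exist. That is presumably intended, but it deserves a comment such as `# Admins bypass all permission checks; callers must validate the target separately.` If the model also tracks an active/disabled state (not visible here), it is worth confirming that a deactivated admin account should still pass this check. The rest of `can?` is outside the hunk.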
@@ -74,15 +75,22 @@ class User < ArvadosModel
lookup_uuids = todo.keys
lookup_uuids.each do |uuid| done[uuid] = true end
todo = {}
+ newgroups = []
+ Group.where('owner_uuid in (?)', lookup_uuids).each do |group|
+ newgroups << [group.owner_uuid, group.uuid, 'can_manage']
+ end
Link.where('tail_uuid in (?) and link_class = ? and head_kind = ?',
lookup_uuids,
'permission',
'arvados#group').each do |link|
- unless done.has_key? link.head_uuid
- todo[link.head_uuid] = true
+ newgroups << [link.tail_uuid, link.head_uuid, link.name]
+ end
+ newgroups.each do |tail_uuid, head_uuid, perm_name|
+ unless done.has_key? head_uuid
+ todo[head_uuid] = true
end
link_permissions = {}
- case link.name
+ case perm_name
when 'can_read'
link_permissions = {read:true}
when 'can_write'
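Review bot: The added `Group.where('owner_uuid in (?)', lookup_uuids)` loop records every ownership edge as `'can_manage'`, and `lookup_uuids` holds groups reached in earlier rounds as well as the user. A user who holds only `can_read` on group A, where A owns group B, therefore gets an A-to-B edge with full permissions; whether the result is capped by the weakest link on the path depends on how `permissions_from` is consumed, which is outside this hunk. Also, `todo[head_uuid] = true` is set before `case perm_name`, so a link whose name matches none of the `when` branches still extends the traversal. Please add a fixture and a test for the read-only-member-of-an-owning-group case that asserts 403 on write, and a comment above the loop stating the intended propagation rule. The following hunk (`@@ -90,10 +98,10 @@`) only carries the matching variable rename.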
@@ -90,10 +98,10 @@ class User < ArvadosModel
when 'can_manage'
link_permissions = ALL_PERMISSIONS
end
- permissions_from[link.tail_uuid] ||= {}
- permissions_from[link.tail_uuid][link.head_uuid] ||= {}
+ permissions_from[tail_uuid] ||= {}
+ permissions_from[tail_uuid][head_uuid] ||= {}
link_permissions.each do |k,v|
- permissions_from[link.tail_uuid][link.head_uuid][k] ||= v
+ permissions_from[tail_uuid][head_uuid][k] ||= v
end
end
end
diff --git a/services/api/test/fixtures/groups.yml b/services/api/test/fixtures/groups.yml
index 1a5125a..5810259 100644
--- a/services/api/test/fixtures/groups.yml
+++ b/services/api/test/fixtures/groups.yml
@@ -6,10 +6,22 @@ public:
private:
uuid: zzzzz-j7d0g-rew6elm53kancon
- owner_uuid: zzzzz-tpzed-d9tiejq69daie8f
+ owner_uuid: zzzzz-tpzed-xurymjxw79nv3jz
name: Private
description: Private Group
+system_owned_group:
+ uuid: zzzzz-j7d0g-8ulrifv67tve5sx
+ owner_uuid: zzzzz-tpzed-000000000000000
+ name: System Private
+ description: System-owned Group
+
+empty_lonely_group:
+ uuid: zzzzz-j7d0g-jtp06ulmvsezgyu
+ owner_uuid: zzzzz-tpzed-000000000000000
+ name: Empty
+ description: Empty Group
+
all_users:
uuid: zzzzz-j7d0g-fffffffffffffff
owner_uuid: zzzzz-tpzed-d9tiejq69daie8f
diff --git a/services/api/test/fixtures/links.yml b/services/api/test/fixtures/links.yml
index 24b76c6..e571272 100644
--- a/services/api/test/fixtures/links.yml
+++ b/services/api/test/fixtures/links.yml
@@ -46,6 +46,22 @@ active_user_member_of_all_users_group:
head_uuid: zzzzz-j7d0g-fffffffffffffff
properties: {}
+active_user_can_manage_system_owned_group:
+ uuid: zzzzz-o0j2j-3sa30nd3bqn1msh
+ owner_uuid: zzzzz-tpzed-000000000000000
+ created_at: 2014-02-03 15:42:26 -0800
+ modified_by_client_uuid: zzzzz-ozdt8-brczlopd8u8d0jr
+ modified_by_user_uuid: zzzzz-tpzed-000000000000000
+ modified_at: 2014-02-03 15:42:26 -0800
+ updated_at: 2014-02-03 15:42:26 -0800
+ tail_kind: arvados#user
+ tail_uuid: zzzzz-tpzed-xurymjxw79nv3jz
+ link_class: permission
+ name: can_manage
+ head_kind: arvados#group
+ head_uuid: zzzzz-j7d0g-8ulrifv67tve5sx
+ properties: {}
+
user_agreement_signed_by_active:
uuid: zzzzz-o0j2j-4x85a69tqlrud1z
owner_uuid: zzzzz-tpzed-000000000000000
diff --git a/services/api/test/functional/arvados/v1/collections_controller_test.rb b/services/api/test/functional/arvados/v1/collections_controller_test.rb
index 4f33d0b..9cafc72 100644
--- a/services/api/test/functional/arvados/v1/collections_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/collections_controller_test.rb
@@ -21,6 +21,62 @@ class Arvados::V1::CollectionsControllerTest < ActionController::TestCase
assert_nil assigns(:objects)
end
+ test "create with owner_uuid set to owned group" do
+ authorize_with :active
+ manifest_text = ". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt\n"
+ post :create, {
+ collection: {
+ owner_uuid: 'zzzzz-j7d0g-rew6elm53kancon',
+ manifest_text: manifest_text,
+ uuid: "d30fe8ae534397864cb96c544f4cf102"
+ }
+ }
+ assert_response :success
+ resp = JSON.parse(@response.body)
+ assert_equal 'zzzzz-tpzed-000000000000000', resp['owner_uuid']
+ end
+
+ test "create with owner_uuid set to group i can_manage" do
+ authorize_with :active
+ manifest_text = ". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt\n"
+ post :create, {
+ collection: {
+ owner_uuid: 'zzzzz-j7d0g-8ulrifv67tve5sx',
+ manifest_text: manifest_text,
+ uuid: "d30fe8ae534397864cb96c544f4cf102"
+ }
+ }
+ assert_response :success
+ resp = JSON.parse(@response.body)
+ assert_equal 'zzzzz-tpzed-000000000000000', resp['owner_uuid']
+ end
+
+ test "create with owner_uuid set to group with no can_manage permission" do
+ authorize_with :active
+ manifest_text = ". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt\n"
+ post :create, {
+ collection: {
+ owner_uuid: 'zzzzz-j7d0g-it30l961gq3t0oi',
+ manifest_text: manifest_text,
+ uuid: "d30fe8ae534397864cb96c544f4cf102"
+ }
+ }
+ assert_response 403
+ end
+
+ test "admin create with owner_uuid set to group with no permission" do
+ authorize_with :admin
+ manifest_text = ". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt\n"
+ post :create, {
+ collection: {
+ owner_uuid: 'zzzzz-j7d0g-it30l961gq3t0oi',
+ manifest_text: manifest_text,
+ uuid: "d30fe8ae534397864cb96c544f4cf102"
+ }
+ }
+ assert_response :success
+ end
+
test "should create with collection passed as json" do
authorize_with :active
post :create, {
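Review bot: The 403 test and the admin test hard-code `'zzzzz-j7d0g-it30l961gq3t0oi'`, which is not among the fixtures touched by this commit, so from the diff alone it is unclear whether they exercise "group exists but caller has no permission" or "group does not exist". A fixture reference such as `groups(:empty_lonely_group).uuid` would make the denial case explicit. The two success tests assert only that `resp['owner_uuid']` is the system user, so they would still pass if the requested group ended up with no access to the collection; an assertion on the resulting permission for that group would pin the behaviour. The last test in the hunk continues outside it.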
diff --git a/services/api/test/functional/arvados/v1/groups_controller_test.rb b/services/api/test/functional/arvados/v1/groups_controller_test.rb
index 15bdd7e..2e3d6b8 100644
--- a/services/api/test/functional/arvados/v1/groups_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/groups_controller_test.rb
@@ -4,7 +4,7 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
test "attempt to delete group without read or write access" do
authorize_with :active
- post :destroy, id: groups(:private).uuid
+ post :destroy, id: groups(:empty_lonely_group).uuid
assert_response 404
end
-----------------------------------------------------------------------
hooks/post-receive
--