[ARVADOS] created: 488846259a3a8a3a5f9845279a73b569d998a199
git at public.curoverse.com
git at public.curoverse.com
Fri Feb 6 16:53:05 EST 2015
at 488846259a3a8a3a5f9845279a73b569d998a199 (commit)
commit 488846259a3a8a3a5f9845279a73b569d998a199
Author: Brett Smith <brett at curoverse.com>
Date: Fri Feb 6 16:52:38 2015 -0500
5160: All users have API read permission to anonymous group.
Workbench makes public data available to everyone by including the
anonymous user API token as a reader token for every request.
However, model-level validations do not respect reader tokens. As a
consequence, users cannot make their project public by sharing it with
the anonymous group. They can't create the necessary link, because
the validation can't confirm that the creator can see the anonymous
group.
There are a few ways we could've tackled this, but granting all users
permission to see the anonymous group seems like the most reliable,
since it works within our existing permissions infrastructure as much
as possible.
diff --git a/services/api/app/models/database_seeds.rb b/services/api/app/models/database_seeds.rb
index bc68283..cd97349 100644
--- a/services/api/app/models/database_seeds.rb
+++ b/services/api/app/models/database_seeds.rb
@@ -5,6 +5,7 @@ class DatabaseSeeds
system_group
all_users_group
anonymous_group
+ anonymous_group_read_permission
anonymous_user
empty_collection
end
diff --git a/services/api/db/migrate/20150206210804_all_users_can_read_anonymous_group.rb b/services/api/db/migrate/20150206210804_all_users_can_read_anonymous_group.rb
new file mode 100644
index 0000000..848fe36
--- /dev/null
+++ b/services/api/db/migrate/20150206210804_all_users_can_read_anonymous_group.rb
@@ -0,0 +1,12 @@
+class AllUsersCanReadAnonymousGroup < ActiveRecord::Migration
+ include CurrentApiClient
+
+ def up
+ anonymous_group_read_permission
+ end
+
+ def down
+ # Do nothing - it's too dangerous to try to figure out whether or not
+ # the permission was created by the migration.
+ end
+end
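Review bot: The comment in `down` does not say which row a rollback leaves behind, and that row is a standing permission grant to every user. An operator who needs to revoke it by hand needs to know what to look for, so the comment could name it: `# Leaves the "permission"/"can_read" link from the all-users group to the anonymous group in place; remove it manually if it must be revoked.` Separately, `up` calls a helper from `CurrentApiClient`, so this migration's behaviour will follow any later change to that helper or to the `Link` model. A short comment noting that dependency would help whoever replays old migrations.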
diff --git a/services/api/db/structure.sql b/services/api/db/structure.sql
index 5d9e3e5..0461388 100644
--- a/services/api/db/structure.sql
+++ b/services/api/db/structure.sql
@@ -2318,4 +2318,6 @@ INSERT INTO schema_migrations (version) VALUES ('20141208185217');
INSERT INTO schema_migrations (version) VALUES ('20150122175935');
-INSERT INTO schema_migrations (version) VALUES ('20150203180223');
\ No newline at end of file
+INSERT INTO schema_migrations (version) VALUES ('20150203180223');
+
+INSERT INTO schema_migrations (version) VALUES ('20150206210804');
\ No newline at end of file
diff --git a/services/api/lib/current_api_client.rb b/services/api/lib/current_api_client.rb
index 6c1ff28..2e78612 100644
--- a/services/api/lib/current_api_client.rb
+++ b/services/api/lib/current_api_client.rb
@@ -146,6 +146,18 @@ module CurrentApiClient
end
end
+ def anonymous_group_read_permission
+ $anonymous_group_read_permission =
+ check_cache $anonymous_group_read_permission do
+ act_as_system_user do
+ Link.where(tail_uuid: all_users_group.uuid,
+ head_uuid: anonymous_group.uuid,
+ link_class: "permission",
+ name: "can_read").first_or_create!
+ end
+ end
+ end
+
def anonymous_user
$anonymous_user = check_cache $anonymous_user do
act_as_system_user do
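Review bot: The lookup in `anonymous_group_read_permission` matches only on tail, head, link_class and name, so any existing link with those four values satisfies `first_or_create!`, whoever owns it. If the grant is meant to be system-owned (the fixture's `owner_uuid` looks like the system user), pinning the owner in the `where` hash would make that explicit, for example `owner_uuid: system_user_uuid`, assuming that helper is in scope in this module. The method also has no comment describing its effect; something like `# Ensures the all-users group has can_read on the anonymous group, so link validation can see that group.` would do. The enclosing module and the following `anonymous_user` method extend beyond this hunk.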
diff --git a/services/api/test/fixtures/links.yml b/services/api/test/fixtures/links.yml
index 1b34868..b8856ef 100644
--- a/services/api/test/fixtures/links.yml
+++ b/services/api/test/fixtures/links.yml
@@ -26,6 +26,20 @@ user_agreement_readable:
head_uuid: zzzzz-4zz18-t68oksiu9m80s4y
properties: {}
+all_users_can_read_anonymous_group:
+ uuid: zzzzz-o0j2j-0lhbqyjab4g0bwp
+ owner_uuid: zzzzz-tpzed-000000000000000
+ created_at: 2015-01-24 20:42:26 -0800
+ modified_by_client_uuid: zzzzz-ozdt8-brczlopd8u8d0jr
+ modified_by_user_uuid: zzzzz-tpzed-d9tiejq69daie8f
+ modified_at: 2015-01-24 20:42:26 -0800
+ updated_at: 2015-01-24 20:42:26 -0800
+ tail_uuid: zzzzz-j7d0g-fffffffffffffff
+ link_class: permission
+ name: can_read
+ head_uuid: zzzzz-j7d0g-anonymouspublic
+ properties: {}
+
active_user_member_of_all_users_group:
uuid: zzzzz-o0j2j-ctbysaduejxfrs5
owner_uuid: zzzzz-tpzed-000000000000000
diff --git a/services/api/test/unit/link_test.rb b/services/api/test/unit/link_test.rb
index 028f403..16ce54b 100644
--- a/services/api/test/unit/link_test.rb
+++ b/services/api/test/unit/link_test.rb
@@ -34,6 +34,11 @@ class LinkTest < ActiveSupport::TestCase
end
end
+ test "non-admin project owner can make it public" do
+ assert(new_active_link_valid?(tail_uuid: groups(:anonymous_group).uuid),
+ "non-admin project owner can't make their project public")
+ end
+
test "link granting permission to nonexistent user is invalid" do
refute new_active_link_valid?(tail_uuid:
users(:active).uuid.sub(/-\w+$/, "-#{'z' * 15}"))
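Review bot: The new test "non-admin project owner can make it public" covers only the allowed case, and it appears to pass because of the `all_users_can_read_anonymous_group` fixture rather than through `anonymous_group_read_permission`. Since this commit widens what every user can see, a companion negative test would pin the boundary: a user without sufficient permission on a project still cannot create the link to `groups(:anonymous_group)`. A small test that calls `anonymous_group_read_permission` twice and asserts that exactly one matching `Link` exists would cover the seed and migration path. `new_active_link_valid?` is defined outside the hunk, so the head object it uses by default is not visible here. The last test shown continues past the end of the hunk.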
-----------------------------------------------------------------------
hooks/post-receive
--