[ARVADOS] created: 488846259a3a8a3a5f9845279a73b569d998a199

git at public.curoverse.com git at public.curoverse.com
Fri Feb 6 16:53:05 EST 2015 

        at  488846259a3a8a3a5f9845279a73b569d998a199 (commit)


commit 488846259a3a8a3a5f9845279a73b569d998a199
Author: Brett Smith <brett at curoverse.com>
Date:   Fri Feb 6 16:52:38 2015 -0500

    5160: All users have API read permission to anonymous group.
    
    Workbench makes public data available to everyone by including the
    anonymous user API token as a reader token for every request.
    However, model-level validations do not respect reader tokens.  As a
    consequence, users cannot make their project public by sharing it with
    the anonymous group.  They can't create the necessary link, because
    the validation can't confirm that the creator can see the anonymous
    group.
    
    There are a few ways we could've tackled this, but granting all users
    permission to see the anonymous group seems like the most reliable,
    since it works within our existing permissions infrastructure as much
    as possible.

diff --git a/services/api/app/models/database_seeds.rb b/services/api/app/models/database_seeds.rb
index bc68283..cd97349 100644
--- a/services/api/app/models/database_seeds.rb
+++ b/services/api/app/models/database_seeds.rb
@@ -5,6 +5,7 @@ class DatabaseSeeds
     system_group
     all_users_group
     anonymous_group
+    anonymous_group_read_permission
     anonymous_user
     empty_collection
   end
diff --git a/services/api/db/migrate/20150206210804_all_users_can_read_anonymous_group.rb b/services/api/db/migrate/20150206210804_all_users_can_read_anonymous_group.rb
new file mode 100644
index 0000000..848fe36
--- /dev/null
+++ b/services/api/db/migrate/20150206210804_all_users_can_read_anonymous_group.rb
@@ -0,0 +1,12 @@
+class AllUsersCanReadAnonymousGroup < ActiveRecord::Migration
+  include CurrentApiClient
+
+  def up
+    anonymous_group_read_permission
+  end
+
+  def down
+    # Do nothing - it's too dangerous to try to figure out whether or not
+    # the permission was created by the migration.
+  end
+end
diff --git a/services/api/db/structure.sql b/services/api/db/structure.sql
index 5d9e3e5..0461388 100644
--- a/services/api/db/structure.sql
+++ b/services/api/db/structure.sql
@@ -2318,4 +2318,6 @@ INSERT INTO schema_migrations (version) VALUES ('20141208185217');
 
 INSERT INTO schema_migrations (version) VALUES ('20150122175935');
 
-INSERT INTO schema_migrations (version) VALUES ('20150203180223');
\ No newline at end of file
+INSERT INTO schema_migrations (version) VALUES ('20150203180223');
+
+INSERT INTO schema_migrations (version) VALUES ('20150206210804');
\ No newline at end of file
diff --git a/services/api/lib/current_api_client.rb b/services/api/lib/current_api_client.rb
index 6c1ff28..2e78612 100644
--- a/services/api/lib/current_api_client.rb
+++ b/services/api/lib/current_api_client.rb
@@ -146,6 +146,18 @@ module CurrentApiClient
     end
   end
 
+  def anonymous_group_read_permission
+    $anonymous_group_read_permission =
+        check_cache $anonymous_group_read_permission do
+      act_as_system_user do
+        Link.where(tail_uuid: all_users_group.uuid,
+                   head_uuid: anonymous_group.uuid,
+                   link_class: "permission",
+                   name: "can_read").first_or_create!
+      end
+    end
+  end
+
   def anonymous_user
     $anonymous_user = check_cache $anonymous_user do
       act_as_system_user do
diff --git a/services/api/test/fixtures/links.yml b/services/api/test/fixtures/links.yml
index 1b34868..b8856ef 100644
--- a/services/api/test/fixtures/links.yml
+++ b/services/api/test/fixtures/links.yml
@@ -26,6 +26,20 @@ user_agreement_readable:
   head_uuid: zzzzz-4zz18-t68oksiu9m80s4y
   properties: {}
 
+all_users_can_read_anonymous_group:
+  uuid: zzzzz-o0j2j-0lhbqyjab4g0bwp
+  owner_uuid: zzzzz-tpzed-000000000000000
+  created_at: 2015-01-24 20:42:26 -0800
+  modified_by_client_uuid: zzzzz-ozdt8-brczlopd8u8d0jr
+  modified_by_user_uuid: zzzzz-tpzed-d9tiejq69daie8f
+  modified_at: 2015-01-24 20:42:26 -0800
+  updated_at: 2015-01-24 20:42:26 -0800
+  tail_uuid: zzzzz-j7d0g-fffffffffffffff
+  link_class: permission
+  name: can_read
+  head_uuid: zzzzz-j7d0g-anonymouspublic
+  properties: {}
+
 active_user_member_of_all_users_group:
   uuid: zzzzz-o0j2j-ctbysaduejxfrs5
   owner_uuid: zzzzz-tpzed-000000000000000
diff --git a/services/api/test/unit/link_test.rb b/services/api/test/unit/link_test.rb
index 028f403..16ce54b 100644
--- a/services/api/test/unit/link_test.rb
+++ b/services/api/test/unit/link_test.rb
@@ -34,6 +34,11 @@ class LinkTest < ActiveSupport::TestCase
     end
   end
 
+  test "non-admin project owner can make it public" do
+    assert(new_active_link_valid?(tail_uuid: groups(:anonymous_group).uuid),
+           "non-admin project owner can't make their project public")
+  end
+
   test "link granting permission to nonexistent user is invalid" do
     refute new_active_link_valid?(tail_uuid:
                                   users(:active).uuid.sub(/-\w+$/, "-#{'z' * 15}"))

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list