[ARVADOS] updated: 0215bf7b8c61d59462a476d850af999105856177
git at public.curoverse.com
git at public.curoverse.com
Tue Feb 10 14:15:21 EST 2015
Summary of changes:
.../app/views/application/_show_sharing.html.erb | 9 +++++++
apps/workbench/config/application.default.yml | 4 ++--
apps/workbench/test/integration/projects_test.rb | 28 ++++++++++++++++++++++
services/api/app/models/database_seeds.rb | 1 +
...206210804_all_users_can_read_anonymous_group.rb | 12 ++++++++++
services/api/db/structure.sql | 4 +++-
services/api/lib/current_api_client.rb | 12 ++++++++++
services/api/test/fixtures/groups.yml | 5 ++--
services/api/test/fixtures/links.yml | 14 +++++++++++
services/api/test/unit/link_test.rb | 5 ++++
10 files changed, 89 insertions(+), 5 deletions(-)
create mode 100644 services/api/db/migrate/20150206210804_all_users_can_read_anonymous_group.rb
via 0215bf7b8c61d59462a476d850af999105856177 (commit)
via 34d6dc1f56b59b7c7cc3e6dc7d54053149c49bc6 (commit)
via 045bce46ede1995ed17747c48611f22c478cc82d (commit)
via d9e2de2e142fe1a79bd83064d8d9135ba44fd807 (commit)
via 710b03568da92458279db56608cba84cb5151847 (commit)
from 9b6b5f0bd2ad96deeea2070a4eba56795bb28c1a (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 0215bf7b8c61d59462a476d850af999105856177
Merge: 9b6b5f0 34d6dc1
Author: Brett Smith <brett at curoverse.com>
Date: Tue Feb 10 14:14:51 2015 -0500
Merge branch '5160-share-with-anonymous-group-wip'
Closes #5160, #5163.
commit 34d6dc1f56b59b7c7cc3e6dc7d54053149c49bc6
Author: Brett Smith <brett at curoverse.com>
Date: Tue Feb 10 11:33:59 2015 -0500
5160: Workbench hides anonymous sharing when browsing disabled.
This commit updates Workbench to filter out the anonymous group from
the group sharing modal when anonymous browsing is disabled. That
helps avoid situations where users think their work is publicly
sharable, but that's been disabled by the administrator.
diff --git a/apps/workbench/app/views/application/_show_sharing.html.erb b/apps/workbench/app/views/application/_show_sharing.html.erb
index 23795d3..4b7beb3 100644
--- a/apps/workbench/app/views/application/_show_sharing.html.erb
+++ b/apps/workbench/app/views/application/_show_sharing.html.erb
@@ -22,6 +22,15 @@
choose_filters = {
"groups" => [["group_class", "=", "role"]],
}
+ if not Rails.configuration.anonymous_user_token
+ # It would be ideal to filter out the anonymous group by UUID,
+ # but that's not readily doable. Workbench can't generate the
+ # UUID for a != filter, because it can't introspect the API
+ # server's UUID prefix. And we can't say "uuid not like
+ # %-anonymouspublic", because the API server doesn't support a
+ # "not like" filter.
+ choose_filters["groups"] << ["name", "!=", "Anonymous users"]
+ end
choose_filters.default = []
owner_icon = fa_icon_class_for_uuid(@object.owner_uuid)
if owner_icon == "fa-users"
diff --git a/apps/workbench/test/integration/projects_test.rb b/apps/workbench/test/integration/projects_test.rb
index 7f051f6..73a23d6 100644
--- a/apps/workbench/test/integration/projects_test.rb
+++ b/apps/workbench/test/integration/projects_test.rb
@@ -172,6 +172,34 @@ class ProjectsTest < ActionDispatch::IntegrationTest
"Project 5678 should now be inside project 1234")
end
+ def open_groups_sharing(project_name="aproject", token_name="active")
+ project = api_fixture("groups", project_name)
+ visit(page_with_token(token_name, "/projects/#{project['uuid']}"))
+ click_on "Sharing"
+ click_on "Share with groups"
+ end
+
+ def group_name(group_key)
+ api_fixture("groups", group_key, "name")
+ end
+
+ test "projects not publicly sharable when anonymous browsing disabled" do
+ Rails.configuration.anonymous_user_token = false
+ open_groups_sharing
+ # Check for a group we do expect first, to make sure the modal's loaded.
+ assert_selector(".modal-container .selectable",
+ text: group_name("all_users"))
+ assert_no_selector(".modal-container .selectable",
+ text: group_name("anonymous_group"))
+ end
+
+ test "projects publicly sharable when anonymous browsing enabled" do
+ Rails.configuration.anonymous_user_token = "testonlytoken"
+ open_groups_sharing
+ assert_selector(".modal-container .selectable",
+ text: group_name("anonymous_group"))
+ end
+
test "project viewer can't see project sharing tab" do
show_object_using('project_viewer', 'groups', 'aproject', 'A Project')
assert(page.has_no_link?("Sharing"),
commit 045bce46ede1995ed17747c48611f22c478cc82d
Author: Brett Smith <brett at curoverse.com>
Date: Tue Feb 10 11:25:16 2015 -0500
5160: Make anonymous group fixture match database seed.
Refer to /services/api/app/models/database_seeds.rb.
diff --git a/services/api/test/fixtures/groups.yml b/services/api/test/fixtures/groups.yml
index 86815c0..fb23c8c 100644
--- a/services/api/test/fixtures/groups.yml
+++ b/services/api/test/fixtures/groups.yml
@@ -116,8 +116,9 @@ bad_group_has_ownership_cycle_b:
anonymous_group:
uuid: zzzzz-j7d0g-anonymouspublic
owner_uuid: zzzzz-tpzed-000000000000000
- name: Anonymous group
- description: Anonymous group
+ name: Anonymous users
+ group_class: role
+ description: Anonymous users
anonymously_accessible_project:
uuid: zzzzz-j7d0g-zhxawtyetzwc5f0
commit d9e2de2e142fe1a79bd83064d8d9135ba44fd807
Author: Brett Smith <brett at curoverse.com>
Date: Tue Feb 10 09:00:01 2015 -0500
5160: Fix typo in Workbench default config comments.
diff --git a/apps/workbench/config/application.default.yml b/apps/workbench/config/application.default.yml
index f43e8c6..54a1f2e 100644
--- a/apps/workbench/config/application.default.yml
+++ b/apps/workbench/config/application.default.yml
@@ -191,7 +191,7 @@ common:
# the maximum number of bytes to load in the log viewer
log_viewer_max_bytes: 1000000
- # Set anonymous user token to enable anonymous user access. You can get
+ # Set anonymous_user_token to enable anonymous user access. You can get
# the token by running "bundle exec ./script/get_anonymous_user_token.rb"
- # in the directory where you API server is running.
+ # in the directory where your API server is running.
anonymous_user_token: false
commit 710b03568da92458279db56608cba84cb5151847
Author: Brett Smith <brett at curoverse.com>
Date: Tue Feb 10 14:11:55 2015 -0500
5160: All users have API read permission to anonymous group.
Workbench makes public data available to everyone by including the
anonymous user API token as a reader token for every request.
However, model-level validations do not respect reader tokens. As a
consequence, users cannot make their project public by sharing it with
the anonymous group. They can't create the necessary link, because
the validation can't confirm that the creator can see the anonymous
group.
There are a few ways we could've tackled this, but granting all users
permission to see the anonymous group seems like the most reliable,
since it works within our existing permissions infrastructure as much
as possible.
diff --git a/services/api/app/models/database_seeds.rb b/services/api/app/models/database_seeds.rb
index bc68283..cd97349 100644
--- a/services/api/app/models/database_seeds.rb
+++ b/services/api/app/models/database_seeds.rb
@@ -5,6 +5,7 @@ class DatabaseSeeds
system_group
all_users_group
anonymous_group
+ anonymous_group_read_permission
anonymous_user
empty_collection
end
diff --git a/services/api/db/migrate/20150206210804_all_users_can_read_anonymous_group.rb b/services/api/db/migrate/20150206210804_all_users_can_read_anonymous_group.rb
new file mode 100644
index 0000000..848fe36
--- /dev/null
+++ b/services/api/db/migrate/20150206210804_all_users_can_read_anonymous_group.rb
@@ -0,0 +1,12 @@
+class AllUsersCanReadAnonymousGroup < ActiveRecord::Migration
+ include CurrentApiClient
+
+ def up
+ anonymous_group_read_permission
+ end
+
+ def down
+ # Do nothing - it's too dangerous to try to figure out whether or not
+ # the permission was created by the migration.
+ end
+end
diff --git a/services/api/db/structure.sql b/services/api/db/structure.sql
index b7d2ea5..e2c6b66 100644
--- a/services/api/db/structure.sql
+++ b/services/api/db/structure.sql
@@ -2355,4 +2355,6 @@ INSERT INTO schema_migrations (version) VALUES ('20150122175935');
INSERT INTO schema_migrations (version) VALUES ('20150123142953');
-INSERT INTO schema_migrations (version) VALUES ('20150203180223');
\ No newline at end of file
+INSERT INTO schema_migrations (version) VALUES ('20150203180223');
+
+INSERT INTO schema_migrations (version) VALUES ('20150206210804');
\ No newline at end of file
diff --git a/services/api/lib/current_api_client.rb b/services/api/lib/current_api_client.rb
index 6c1ff28..2e78612 100644
--- a/services/api/lib/current_api_client.rb
+++ b/services/api/lib/current_api_client.rb
@@ -146,6 +146,18 @@ module CurrentApiClient
end
end
+ def anonymous_group_read_permission
+ $anonymous_group_read_permission =
+ check_cache $anonymous_group_read_permission do
+ act_as_system_user do
+ Link.where(tail_uuid: all_users_group.uuid,
+ head_uuid: anonymous_group.uuid,
+ link_class: "permission",
+ name: "can_read").first_or_create!
+ end
+ end
+ end
+
def anonymous_user
$anonymous_user = check_cache $anonymous_user do
act_as_system_user do
diff --git a/services/api/test/fixtures/links.yml b/services/api/test/fixtures/links.yml
index 1b34868..b8856ef 100644
--- a/services/api/test/fixtures/links.yml
+++ b/services/api/test/fixtures/links.yml
@@ -26,6 +26,20 @@ user_agreement_readable:
head_uuid: zzzzz-4zz18-t68oksiu9m80s4y
properties: {}
+all_users_can_read_anonymous_group:
+ uuid: zzzzz-o0j2j-0lhbqyjab4g0bwp
+ owner_uuid: zzzzz-tpzed-000000000000000
+ created_at: 2015-01-24 20:42:26 -0800
+ modified_by_client_uuid: zzzzz-ozdt8-brczlopd8u8d0jr
+ modified_by_user_uuid: zzzzz-tpzed-d9tiejq69daie8f
+ modified_at: 2015-01-24 20:42:26 -0800
+ updated_at: 2015-01-24 20:42:26 -0800
+ tail_uuid: zzzzz-j7d0g-fffffffffffffff
+ link_class: permission
+ name: can_read
+ head_uuid: zzzzz-j7d0g-anonymouspublic
+ properties: {}
+
active_user_member_of_all_users_group:
uuid: zzzzz-o0j2j-ctbysaduejxfrs5
owner_uuid: zzzzz-tpzed-000000000000000
diff --git a/services/api/test/unit/link_test.rb b/services/api/test/unit/link_test.rb
index 028f403..16ce54b 100644
--- a/services/api/test/unit/link_test.rb
+++ b/services/api/test/unit/link_test.rb
@@ -34,6 +34,11 @@ class LinkTest < ActiveSupport::TestCase
end
end
+ test "non-admin project owner can make it public" do
+ assert(new_active_link_valid?(tail_uuid: groups(:anonymous_group).uuid),
+ "non-admin project owner can't make their project public")
+ end
+
test "link granting permission to nonexistent user is invalid" do
refute new_active_link_valid?(tail_uuid:
users(:active).uuid.sub(/-\w+$/, "-#{'z' * 15}"))
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list