[ARVADOS] updated: d21a4bb4c979f87177e0972d6421f2d33d9273fd
Git user
git at public.curoverse.com
Sat Mar 12 03:13:24 EST 2016
Summary of changes:
.../v1/api_client_authorizations_controller.rb | 45 +++++++++++++---------
1 file changed, 26 insertions(+), 19 deletions(-)
via d21a4bb4c979f87177e0972d6421f2d33d9273fd (commit)
from afe466027816e2adf997969099ef307f0591509e (commit)
commit d21a4bb4c979f87177e0972d6421f2d33d9273fd
Author: Tom Clegg <tom at curoverse.com>
Date: Sat Mar 12 03:11:58 2016 -0500
8079: Tidy up and document current_api_client_is_trusted.
diff --git a/services/api/app/controllers/arvados/v1/api_client_authorizations_controller.rb b/services/api/app/controllers/arvados/v1/api_client_authorizations_controller.rb
index cb232f0..7f99864 100644
--- a/services/api/app/controllers/arvados/v1/api_client_authorizations_controller.rb
+++ b/services/api/app/controllers/arvados/v1/api_client_authorizations_controller.rb
@@ -74,30 +74,37 @@ class Arvados::V1::ApiClientAuthorizationsController < ApplicationController
end
def find_object_by_uuid
- conditions = {
- uuid: (params[:uuid] || params[:id]),
- user_id: current_user.id,
- }
+ @objects = model_class.
+ where('uuid=?', (params[:uuid] || params[:id])).
+ where('user_id=?', current_user.andand.uuid)
unless Thread.current[:api_client].andand.is_trusted
- conditions[:api_token] = current_api_client_authorization.andand.api_token
+ @objects = @objects.where('uuid=?', current_api_client_authorization.andand.uuid)
end
- @object = model_class.where(conditions).first
+ @object = @objects.first
end
def current_api_client_is_trusted
- unless Thread.current[:api_client].andand.is_trusted
- if %w[show update destroy].include? params['action']
- if @object.andand['api_token'] == current_api_client_authorization.andand.api_token
- return true
- end
- elsif params["action"] == "index" and @objects.andand.size == 1
- filters = @filters.map{|f|f.first}.uniq
- if [['uuid'], ['api_token']].include? filters
- return true if @objects.first['api_token'] == current_api_client_authorization.andand.api_token
- end
- end
- send_error('Forbidden: this API client cannot manipulate other clients\' access tokens.',
- status: 403)
+ if Thread.current[:api_client].andand.is_trusted
+ return true
+ end
+ # A non-trusted client can do a search for its own token if it
+ # explicitly restricts the search to its own UUID or api_token.
+ # Any other kind of query must return 403, even if it matches only
+ # the current token, because that's currently how Workbench knows
+ # (after searching on scopes) the difference between "the token
+ # I'm using now *is* the only sharing token for this collection"
+ # (403) and "my token is trusted, and there is one sharing token
+ # for this collection" (200).
+ #
+ # The @filters test here also prevents a non-trusted token from
+ # filtering on its own scopes, and discovering whether any _other_
+ # equally scoped tokens exist (403=yes, 200=no).
+ if (@objects.andand.count == 1 and
+ (@filters.map(&:first) & %w(uuid api_token)).any? and
+ @objects.first['api_token'] == current_api_client_authorization.andand.api_token)
+ return true
end
+ send_error('Forbidden: this API client cannot manipulate other clients\' access tokens.',
+ status: 403)
end
end
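Review bot: The filter test at the new `if` in current_api_client_is_trusted is looser than the comment above it promises: `(@filters.map(&:first) & %w(uuid api_token)).any?` is satisfied as soon as one filter names uuid or api_token, so a request that also filters on scopes still reaches the count/api_token comparison, and the 403/200 outcome then tells a non-trusted client whether other tokens matching those extra filters exist, which is the case the comment says is prevented. The removed `[['uuid'], ['api_token']].include? filters` required the filter attributes to be exactly one of those two; the equivalent here is `@filters.any? and (@filters.map(&:first) - %w(uuid api_token)).empty?`, and since only `f.first` is inspected nothing in either version constrains the filter operator, nor guards `@filters` being nil for non-index actions. Separately, in find_object_by_uuid `where('user_id=?', current_user.andand.uuid)` replaces `user_id: current_user.id`; if user_id is the integer foreign key the removed line implies, this compares it to a UUID string and would match nothing (or fail at the database), so it looks like it should read `where('user_id=?', current_user.andand.id)`.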