[ARVADOS] updated: 37fce338b38ca92d09ab2b58fc9b0f422ef7eb9d

Wed Aug 30 13:13:55 EDT 2017

Summary of changes:
 services/api/app/models/log.rb  | 17 +++++++----------
 services/api/app/models/user.rb |  5 ++---
 2 files changed, 9 insertions(+), 13 deletions(-)

       via  37fce338b38ca92d09ab2b58fc9b0f422ef7eb9d (commit)
      from  18d29e3ea4dc7bc4009e51cf7679b97955f0a324 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 37fce338b38ca92d09ab2b58fc9b0f422ef7eb9d
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date:   Wed Aug 30 13:13:29 2017 -0400

    12032: Log.readable_by uses permission_view
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>

diff --git a/services/api/app/models/log.rb b/services/api/app/models/log.rb
index 7f2d3ef..99d0e28 100644
--- a/services/api/app/models/log.rb
+++ b/services/api/app/models/log.rb
@@ -67,17 +67,14 @@ class Log < ArvadosModel
       return self
     end
     user_uuids = users_list.map { |u| u.uuid }
-    uuid_list = user_uuids + users_list.flat_map { |u| u.groups_i_can(:read) }
-    uuid_list.uniq!
-    permitted = "(SELECT head_uuid FROM links WHERE link_class='permission' AND tail_uuid IN (:uuids))"
+
+    User.install_view('permission')
+
     joins("LEFT JOIN container_requests ON container_requests.container_uuid=logs.object_uuid").
-      where("logs.object_uuid IN #{permitted} OR "+
-            "container_requests.uuid IN (:uuids) OR "+
-            "container_requests.owner_uuid IN (:uuids) OR "+
-            "logs.object_uuid IN (:uuids) OR "+
-            "logs.owner_uuid IN (:uuids) OR "+
-            "logs.object_owner_uuid IN (:uuids)",
-            uuids: uuid_list)
+      where("EXISTS(SELECT target_uuid FROM permission_view "+
+            "WHERE user_uuid IN (:user_uuids) AND perm_level >= 1 AND "+
+            "target_uuid IN (container_requests.uuid, container_requests.owner_uuid, logs.object_uuid, logs.owner_uuid, logs.object_owner_uuid))",
+            user_uuids: user_uuids)
   end
 
   protected
diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index 0e2db76..9f053c0 100644
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -152,8 +152,8 @@ class User < ArvadosModel
 
   # Return a hash of {user_uuid: group_perms}
   def self.all_group_permissions
-    install_view('permission')
     all_perms = {}
+    User.install_view('permission')
     ActiveRecord::Base.connection.
       exec_query('SELECT user_uuid, target_owner_uuid, perm_level, trashed
                   FROM permission_view
@@ -171,9 +171,8 @@ class User < ArvadosModel
   # and perm_hash[:write] are true if this user can read and write
   # objects owned by group_uuid.
   def calculate_group_permissions
-    self.class.install_view('permission')
-
     group_perms = {self.uuid => {:read => true, :write => true, :manage => true}}
+    User.install_view('permission')
     ActiveRecord::Base.connection.
       exec_query('SELECT target_owner_uuid, perm_level, trashed
                   FROM permission_view

-----------------------------------------------------------------------


hooks/post-receive
-- 


