[ARVADOS] updated: 1.3.0-364-g5d8ebb8d0

Git user git at public.curoverse.com
Wed Feb 20 00:22:23 EST 2019


Summary of changes:
 services/api/app/models/container.rb     | 3 +++
 services/api/test/unit/container_test.rb | 8 ++++++++
 2 files changed, 11 insertions(+)

       via  5d8ebb8d00de8c3afa59045fa929536ff8973881 (commit)
      from  36e1f63fde4005f38a8d9825abc8244057d9bb58 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 5d8ebb8d00de8c3afa59045fa929536ff8973881
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Tue Feb 19 17:28:26 2019 -0500

    14807: Fix admin permissions for containers.
    
    Admins are allowed to see all containers, even ones that aren't
    associated with any container request.
    
    Otherwise, when a container request retries, even the dispatcher can't
    see the previously assigned container, and therefore never learns that
    the container is supposed to be cancelled.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/services/api/app/models/container.rb b/services/api/app/models/container.rb
index bd586907e..0682676c5 100644
--- a/services/api/app/models/container.rb
+++ b/services/api/app/models/container.rb
@@ -375,6 +375,9 @@ class Container < ArvadosModel
     else
       kwargs = {}
     end
+    if users_list.select { |u| u.is_admin }.any?
+      return super
+    end
     Container.where(ContainerRequest.readable_by(*users_list).where("containers.uuid = container_requests.container_uuid").exists)
   end
 
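Review bot: the admin short-circuit at `if users_list.select { |u| u.is_admin }.any?` fires when any one entry in `users_list` is an admin, so a call that mixes an admin with ordinary users returns the unfiltered `super` result for the whole list. If that is intended, a one-line comment above the check saying why admins skip the `ContainerRequest.readable_by` join (the commit message has the reason) would keep a later reader from treating it as an accidental permission bypass. The condition also reads more directly as `users_list.any? { |u| u.is_admin }`, which avoids building the intermediate array.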
diff --git a/services/api/test/unit/container_test.rb b/services/api/test/unit/container_test.rb
index 2a9ff5bf4..dac08d4b6 100644
--- a/services/api/test/unit/container_test.rb
+++ b/services/api/test/unit/container_test.rb
@@ -677,6 +677,14 @@ class ContainerTest < ActiveSupport::TestCase
     assert_equal 1, Container.readable_by(users(:active)).where(state: "Queued").count
   end
 
+  test "Containers with no matching request are readable by admin" do
+    uuids = Container.includes('container_requests').where(container_requests: {uuid: nil}).collect(&:uuid)
+    assert_not_empty uuids
+    assert_empty Container.readable_by(users(:active)).where(uuid: uuids)
+    assert_not_empty Container.readable_by(users(:admin)).where(uuid: uuids)
+    assert_equal uuids.count, Container.readable_by(users(:admin)).where(uuid: uuids).count
+  end
+
   test "Container locked cancel" do
     set_user_from_auth :active
     c, _ = minimal_new
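Review bot: the new test calls `Container.readable_by` with a single user each time, so the any-admin-in-the-list branch added to the model is not exercised; consider adding an assertion for a mixed call such as `Container.readable_by(users(:active), users(:admin))`. The `assert_not_empty` on the admin query is also redundant next to `assert_not_empty uuids` and the `assert_equal uuids.count, ...` line that follows it, and could be dropped.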
