[ARVADOS] created: 1.3.0-1617-gc16a69563

Git user git at public.curoverse.com
Thu Sep 26 14:49:01 UTC 2019


        at  c16a69563c2748027da857d92083d81ff3eec261 (commit)


commit c16a69563c2748027da857d92083d81ff3eec261
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Thu Sep 26 10:47:33 2019 -0400

    15656: Fix missing permission check.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/services/api/app/models/container.rb b/services/api/app/models/container.rb
index 8999b3e14..376be55ff 100644
--- a/services/api/app/models/container.rb
+++ b/services/api/app/models/container.rb
@@ -423,6 +423,10 @@ class Container < ArvadosModel
     current_user.andand.is_admin
   end
 
+  def permission_to_destroy
+    current_user.andand.is_admin
+  end
+
   def ensure_owner_uuid_is_permitted
     # validate_change ensures owner_uuid can't be changed at all --
     # except during create, which requires admin privileges. Checking
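Review bot: The new `permission_to_destroy` has no comment saying that deletion is deliberately admin-only, and its body repeats the expression of the method directly above it, whose signature is outside the hunk. I would add a one-line comment such as `# Only admins may destroy containers; anyone else gets PermissionDeniedError.` so the restriction is not later mistaken for an accident and relaxed. Note that `current_user.andand.is_admin` evaluates to nil, not false, when no user is set. That presumably still denies the destroy, but it depends on how the ArvadosModel callback treats a falsy return, which is not visible here. The body of `ensure_owner_uuid_is_permitted` below continues outside the hunk.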
diff --git a/services/api/test/unit/container_test.rb b/services/api/test/unit/container_test.rb
index 88fd5feb6..5f17efc44 100644
--- a/services/api/test/unit/container_test.rb
+++ b/services/api/test/unit/container_test.rb
@@ -980,6 +980,15 @@ class ContainerTest < ActiveSupport::TestCase
     end
   end
 
+  test "user cannot delete" do
+    set_user_from_auth :active
+    c, _ = minimal_new
+    assert_raises ArvadosModel::PermissionDeniedError do
+      c.destroy
+    end
+    assert Container.find_by_uuid(c.uuid)
+  end
+
   [
     {state: Container::Complete, exit_code: 0, output: '1f4b0bc7583c2a7f9102c395f4ffc5e3+45'},
     {state: Container::Cancelled},
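Review bot: The added test pins only the denial for the `:active` user; it covers neither a destroy attempted with no current user nor an admin still being able to destroy a container. Because the check is `current_user.andand.is_admin`, the no-user case yields nil rather than false, so a regression in how the base class handles that value would go unnoticed. I would add two sibling tests: one that calls `c.destroy` with no user set and expects `ArvadosModel::PermissionDeniedError`, and one that runs as an admin and asserts the record is gone. It is also worth confirming that `minimal_new`, defined outside this hunk, leaves the active user in place, since otherwise the assertion would exercise a different identity than the test name claims.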

-----------------------------------------------------------------------


hooks/post-receive
-- 



