[ARVADOS] created: 1.3.0-2122-g4e450b7c2

Git user git at public.arvados.org
Sun Feb 2 18:04:57 UTC 2020


        at  4e450b7c2ec9563dd6d670238d096d1bc9fd158f (commit)


commit 4e450b7c2ec9563dd6d670238d096d1bc9fd158f
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Sun Feb 2 12:58:16 2020 -0500

    16108: Change wb1 'favorites' to filter on user_uuid instead of tail_uuid
    
    Fixes potential exploit by which a malicious user could inject
    favorites into another user's favorites list.
    
    Public favorites owned by "All Users" will now appear in wb1.
    
    Move documentation about 'star' links from admin section to API
    documentation.
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/apps/workbench/app/controllers/actions_controller.rb b/apps/workbench/app/controllers/actions_controller.rb
index 376465ee1..885f53936 100644
--- a/apps/workbench/app/controllers/actions_controller.rb
+++ b/apps/workbench/app/controllers/actions_controller.rb
@@ -210,7 +210,7 @@ You can try recreating the collection to get a copy with full provenance data."
 
   # star / unstar the current project
   def star
-    links = Link.where(tail_uuid: current_user.uuid,
+    links = Link.where(owner_uuid: current_user.uuid,
                        head_uuid: @object.uuid,
                        link_class: 'star')
 
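Review bot: switching the lookup in `star` from `tail_uuid` to `owner_uuid` is the right fix for the injection described in the commit message, since `tail_uuid` is just a value the link's creator chooses while `owner_uuid` identifies who controls the record; only the lookup is visible here, so confirm that the create branch of this action (outside the hunk) no longer sets `tail_uuid`, matching the new API doc schema in this commit which drops that field, and add a regression test that creates a star link whose `tail_uuid` points at a second user and asserts it does not show up in that user's favorites.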
diff --git a/apps/workbench/app/controllers/application_controller.rb b/apps/workbench/app/controllers/application_controller.rb
index 63112984c..540770061 100644
--- a/apps/workbench/app/controllers/application_controller.rb
+++ b/apps/workbench/app/controllers/application_controller.rb
@@ -927,7 +927,7 @@ class ApplicationController < ActionController::Base
   helper_method :my_starred_projects
   def my_starred_projects user
     return if defined?(@starred_projects) && @starred_projects
-    links = Link.filter([['tail_uuid', '=', user.uuid],
+    links = Link.filter([['owner_uuid', 'in', ["#{Rails.configuration.ClusterID}-j7d0g-fffffffffffffff", user.uuid]],
                          ['link_class', '=', 'star'],
                          ['head_uuid', 'is_a', 'arvados#group']]).with_count("none").select(%w(head_uuid))
     uuids = links.collect { |x| x.head_uuid }
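Review bot: the "All Users" group uuid is built inline as `"#{Rails.configuration.ClusterID}-j7d0g-fffffffffffffff"`; the same literal pattern is repeated in the docs in this commit (the deleted admin page already had it with one `f` too few), so a named helper such as `all_users_group_uuid` would keep the copies from drifting. Note also the behaviour change: the old `tail_uuid` filter matched star links owned by any group the user could read (as the deleted admin page described), whereas the new `in` list is restricted to the user and All Users, so favorites owned by other groups are silently dropped from the list; this matches the new API doc but belongs in the release notes.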
diff --git a/doc/_config.yml b/doc/_config.yml
index 814852fcc..01a19c16b 100644
--- a/doc/_config.yml
+++ b/doc/_config.yml
@@ -166,7 +166,6 @@ navbar:
       - admin/health-checks.html.textile.liquid
       - admin/management-token.html.textile.liquid
     - Data Management:
-      - admin/favorites.html.textile.liquid
       - admin/collection-versioning.html.textile.liquid
       - admin/collection-managed-properties.html.textile.liquid
       - admin/keep-balance.html.textile.liquid
diff --git a/doc/admin/favorites.html.textile.liquid b/doc/admin/favorites.html.textile.liquid
deleted file mode 100644
index 623cb114b..000000000
--- a/doc/admin/favorites.html.textile.liquid
+++ /dev/null
@@ -1,57 +0,0 @@
----
-layout: default
-navsection: admin
-title: Setting favorites for users
-...
-
-A "favorite" is a shortcut to a project that is displayed in the user interface (Workbench).  Users can mark their own favorites, but it is also possible to have favorites that are displayed for all members of a group (including the "All Users" group).
-
-The schema for a "favorite" link is:
-
-table(table table-bordered table-condensed).
-|_. Field|_. Value|_. Description|
-|owner_uuid|user or group uuid|The user or group that "owns" the favorite|
-|head_uuid|project uuid|The project being favorited|
-|link_class|string of value "star"|Indicates this represents a link to a user favorite|
-
-h2. Cluster wide favorites
-
-The "All Users" group for a given cluster has the uuid @{prefix}-j7d0g-ffffffffffffff at .  Cluster-wide favorites that will show up for all users should belong to the "All Users" group.
-
-Favorites can be owned by other groups, in which case they will only be visibile to members of that group.
-
-h2. Creating a favorite
-
- at owner_uuid@ controls who will see the favorite, @head_uuid@ is the project being favorited, and @link_class@ indicates this record is a favorite.  Set "tail_uuid" to the same value as "owner_uuid".
-
-<pre>
-$ arv link create --link '{
-    "owner_uuid": "c97qk-j7d0g-fffffffffffffff",
-    "tail_uuid":  "c97qk-j7d0g-fffffffffffffff",
-    "head_uuid":  "c97qk-j7d0g-khm44br99mz40hk",
-    "link_class": "star"}'
-</pre>
-
-h2. Deleting a favorite
-
-<pre>
-$ arv link delete --uuid c97qk-o0j2j-haadun4x0vmpvnd
-</pre>
-
-h2. Listing favorites
-
-To list all 'star' links readable by the current user
-
-<pre>
-$ arv link list --filters '[["link_class", "=", "star"]]' --order owner_uuid
-</pre>
-
-This will include favorites belonging any group or project that is readable by the user.
-
-Alternately, the query can be restricted to only show favorites associated with the "All Users" group (or some other group) by filtering on owner_uuid:
-
-<pre>
-$ arv link list --filters '[
-  ["link_class", "=", "star"],
-  ["owner_uuid", "=", "c97qk-j7d0g-fffffffffffffff"]]'
-</pre>
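Review bot: removing this page drops the instruction to set `tail_uuid` equal to `owner_uuid` and the statement that favorites can be owned by arbitrary groups; links created per this page with `owner_uuid` set to All Users still match the new controller filter, but group-owned ones no longer display, and the replacement API page should say explicitly that `tail_uuid` is not used for star links so readers migrating from this page are not left guessing. A redirect or short note for the old `admin/favorites` URL would also help bookmarked links.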
diff --git a/doc/api/methods/links.html.textile.liquid b/doc/api/methods/links.html.textile.liquid
index 04643443e..a8eda5f03 100644
--- a/doc/api/methods/links.html.textile.liquid
+++ b/doc/api/methods/links.html.textile.liquid
@@ -39,9 +39,50 @@ h3. permission
 
 See "permission links":{{site.baseurl}}/api/permission-model.html#links section of the permission model.
 
+h3. star
+
+A **star** link is a shortcut to a project that is displayed in the user interface (Workbench) as "favorites".  Users can mark their own favorites (implemented by creating or deleting **star** links).
+
+An admin can also create **star** links owned by the "All Users" group, these will be displayed to all users that have permission to read the project that has been favorited.
+
+The schema for a star link is:
+
+table(table table-bordered table-condensed).
+|_. Field|_. Value|_. Description|
+|owner_uuid|user or group uuid|Either the user that owns the favorite, or the "All Users" group for public favorites.|
+|head_uuid|project uuid|The project being favorited|
+|link_class|string of value "star"|Indicates this represents a link to a user favorite|
+
+h4. Creating a favorite
+
+ at owner_uuid@ is either an individual user, or the "All Users" group.  The @head_uuid@ is the project being favorited.
+
+<pre>
+$ arv link create --link '{
+    "owner_uuid": "c97qk-j7d0g-fffffffffffffff",
+    "head_uuid":  "c97qk-j7d0g-theprojectuuid",
+    "link_class": "star"}'
+</pre>
+
+h4. Deleting a favorite
+
+<pre>
+$ arv link delete --uuid c97qk-o0j2j-thestarlinkuuid
+</pre>
+
+h4. Listing favorites
+
+To list all 'star' links that will be displayed for a user:
+
+<pre>
+$ arv link list --filters '[
+  ["link_class", "=", "star"],
+  ["owner_uuid", "in", ["c97qk-j7d0g-fffffffffffffff", "c97qk-tpzed-currentuseruuid"]]]'
+</pre>
+
 h3. tag
 
-A **tag** link describes an object using an unparsed plain text string. Tags can be used to annotate objects that are not editable, like collections and objects shared as read-only.
+A **tag** link describes an object using an unparsed plain text string.  Tags can be used to annotate objects that are not directly editable by the user, like collections and objects shared as read-only.
 
 table(table table-bordered table-condensed).
 |_. tail_type→head_type|_. name→head_uuid {properties}|
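Review bot: the listing example (`["owner_uuid", "in", [...]]`) mirrors the new controller filter but omits the `["head_uuid", "is_a", "arvados#group"]` condition the controller applies, so it can also return star links pointing at non-project objects; either add that filter or say the list is a superset of what Workbench displays. The schema table drops `tail_uuid` without comment; one sentence stating that `tail_uuid` is not used for star links would help people coming from the old admin page. Style: 'An admin can also create **star** links owned by the "All Users" group, these will be displayed...' is a comma splice; split it with a full stop or semicolon.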

-----------------------------------------------------------------------

