[ARVADOS] updated: 1.3.0-2547-g6788fa439
Git user
git at public.arvados.org
Thu May 14 17:55:13 UTC 2020
Summary of changes:
services/api/app/models/link.rb | 6 ++--
services/api/app/models/user.rb | 14 +++++---
services/api/lib/refresh_permission_view.rb | 53 ++++++++++++++++-------------
3 files changed, 42 insertions(+), 31 deletions(-)
via 6788fa439143ef41e32f7dcc1373d1ade3d17e01 (commit)
from f559492b6bc79ded8e1ffcfd384cd23709f2b0e3 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 6788fa439143ef41e32f7dcc1373d1ade3d17e01
Author: Peter Amstutz <peter.amstutz at curii.com>
Date: Thu May 14 12:20:42 2020 -0400
16007: Re-enable permission update checking for testing
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>
diff --git a/services/api/app/models/link.rb b/services/api/app/models/link.rb
index f6210fbb5..33e18b296 100644
--- a/services/api/app/models/link.rb
+++ b/services/api/app/models/link.rb
@@ -17,7 +17,7 @@ class Link < ArvadosModel
after_update :call_update_permissions
after_create :call_update_permissions
before_destroy :clear_permissions
- after_destroy :clear_permissions
+ after_destroy :check_permissions
api_accessible :user, extend: :common do |t|
t.add :tail_uuid
@@ -80,13 +80,13 @@ class Link < ArvadosModel
def clear_permissions
if self.link_class == 'permission'
- update_permissions tail_uuid, head_uuid, 0, false
+ update_permissions tail_uuid, head_uuid, 0
end
end
def check_permissions
if self.link_class == 'permission'
- update_permissions tail_uuid, head_uuid, 0, true
+ #check_permissions_against_full_refresh
end
end
diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index c27b633ac..d8b18054b 100644
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -50,7 +50,8 @@ class User < ArvadosModel
user.username_changed? and
(not user.username_was.nil?)
}
- after_destroy :clear_permissions
+ before_destroy :clear_permissions
+ after_destroy :check_permissions
has_many :authorized_keys, :foreign_key => :authorized_user_uuid, :primary_key => :uuid
has_many :repositories, foreign_key: :owner_uuid, primary_key: :uuid
@@ -143,7 +144,7 @@ SELECT 1 FROM #{PERMISSION_VIEW}
def before_ownership_change
if owner_uuid_changed? and !self.owner_uuid_was.nil?
MaterializedPermission.where(user_uuid: owner_uuid_was, target_uuid: uuid).delete_all
- update_permissions self.owner_uuid_was, self.uuid, 0, false
+ update_permissions self.owner_uuid_was, self.uuid, 0
end
end
@@ -154,9 +155,14 @@ SELECT 1 FROM #{PERMISSION_VIEW}
end
def clear_permissions
+ update_permissions self.owner_uuid, self.uuid, 0
MaterializedPermission.where("user_uuid = ? or target_uuid = ?", uuid, uuid).delete_all
end
+ def check_permissions
+ check_permissions_against_full_refresh
+ end
+
# Return a hash of {user_uuid: group_perms}
def self.all_group_permissions
all_perms = {}
@@ -348,7 +354,7 @@ update #{PERMISSION_VIEW} set target_uuid=$1 where target_uuid = $2
raise "user does not exist" if !new_user
raise "cannot merge to an already merged user" if new_user.redirect_to_user_uuid
- update_permissions self.owner_uuid, self.uuid, 0
+ self.clear_permissions
# If 'self' is a remote user, don't transfer authorizations
# (i.e. ability to access the account) to the new user, because
@@ -424,7 +430,7 @@ update #{PERMISSION_VIEW} set target_uuid=$1 where target_uuid = $2
if redirect_to_new_user
update_attributes!(redirect_to_user_uuid: new_user.uuid, username: nil)
end
- update_permissions self.owner_uuid, self.uuid, 3
+ update_permissions self.owner_uuid, self.uuid, 3, false
update_permissions new_user.owner_uuid, new_user.uuid, 3
end
end
diff --git a/services/api/lib/refresh_permission_view.rb b/services/api/lib/refresh_permission_view.rb
index e89978d7b..77235c000 100644
--- a/services/api/lib/refresh_permission_view.rb
+++ b/services/api/lib/refresh_permission_view.rb
@@ -47,7 +47,7 @@ def refresh_permission_view(async=false)
end
-def update_permissions perm_origin_uuid, starting_uuid, perm_level, check=false
+def update_permissions perm_origin_uuid, starting_uuid, perm_level, check=true
# Update a subset of the permission graph
# perm_level is the inherited permission
# perm_level is a number from 0-3
@@ -93,41 +93,46 @@ on conflict (user_uuid, target_uuid) do update set perm_level=EXCLUDED.perm_leve
},
"update_permissions.insert"
- if check
- #
- # For validation/debugging, this checks contents of the
- # incrementally-updated 'materialized_permission' against a
- # from-scratch permission refresh.
- #
+ if check and perm_level>0
+ check_permissions_against_full_refresh
+ end
+end
+
+
+def check_permissions_against_full_refresh
+ #
+ # For debugging, this checks contents of the
+ # incrementally-updated 'materialized_permission' against a
+ # from-scratch permission refresh.
+ #
- q1 = ActiveRecord::Base.connection.exec_query %{
+ q1 = ActiveRecord::Base.connection.exec_query %{
select user_uuid, target_uuid, perm_level, traverse_owned from #{PERMISSION_VIEW}
order by user_uuid, target_uuid
}
- q2 = ActiveRecord::Base.connection.exec_query %{
+ q2 = ActiveRecord::Base.connection.exec_query %{
select users.uuid as user_uuid, g.target_uuid, g.val as perm_level, g.traverse_owned
from users, lateral search_permission_graph(users.uuid, 3) as g where g.val > 0
order by users.uuid, target_uuid
}
- if q1.count != q2.count
- puts "Didn't match incremental+: #{q1.count} != full refresh-: #{q2.count}"
- end
+ if q1.count != q2.count
+ puts "Didn't match incremental+: #{q1.count} != full refresh-: #{q2.count}"
+ end
- if q1.count > q2.count
- q1.each_with_index do |r, i|
- if r != q2[i]
- puts "+#{r}\n-#{q2[i]}"
- raise "Didn't match"
- end
+ if q1.count > q2.count
+ q1.each_with_index do |r, i|
+ if r != q2[i]
+ puts "+#{r}\n-#{q2[i]}"
+ raise "Didn't match"
end
- else
- q2.each_with_index do |r, i|
- if r != q1[i]
- puts "+#{q1[i]}\n-#{r}"
- raise "Didn't match"
- end
+ end
+ else
+ q2.each_with_index do |r, i|
+ if r != q1[i]
+ puts "+#{q1[i]}\n-#{r}"
+ raise "Didn't match"
end
end
end
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list