[arvados] updated: 2.1.0-2591-g2e727c5d2

git repository hosting git at public.arvados.org
Fri Jun 10 15:46:08 UTC 2022 

Summary of changes:
 services/api/app/models/arvados_model.rb | 16 ++++++++++------
 services/api/app/models/user.rb          |  8 ++++++++
 2 files changed, 18 insertions(+), 6 deletions(-)

       via  2e727c5d2d000faa6f1d9a566dc59568f1b276fe (commit)
      from  9551b59d3aab67f77240b90bbb550faec6b2a7d9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 2e727c5d2d000faa6f1d9a566dc59568f1b276fe
Author: Tom Clegg <tom at curii.com>
Date:   Fri Jun 10 11:44:33 2022 -0400

    19146: Remove unneeded special case checks, explain the needed one.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/services/api/app/models/arvados_model.rb b/services/api/app/models/arvados_model.rb
index e7ffe740b..c2725506c 100644
--- a/services/api/app/models/arvados_model.rb
+++ b/services/api/app/models/arvados_model.rb
@@ -275,18 +275,22 @@ class ArvadosModel < ApplicationRecord
 
   def can_write
     if respond_to?(:frozen_by_uuid) && frozen_by_uuid
+      # This special case is needed to return the correct value from a
+      # "freeze project" API, during which writable status changes
+      # from true to false.
+      #
+      # current_user.can?(write: self) returns true (which is correct
+      # in the context of permission-checking hooks) but the can_write
+      # value we're returning to the caller here represents the state
+      # _after_ the update, i.e., false.
       return false
     else
-      return owner_uuid == current_user.uuid ||
-             current_user.is_admin ||
-             current_user.can?(write: uuid)
+      return current_user.can?(write: self)
     end
   end
 
   def can_manage
-    return owner_uuid == current_user.uuid ||
-           current_user.is_admin ||
-           current_user.can?(manage: uuid)
+    return current_user.can?(manage: self)
   end
 
   # Return a query with read permissions restricted to the union of the
diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index 444946613..141bccef2 100644
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -124,6 +124,14 @@ class User < ArvadosModel
       end
       next if target_uuid == self.uuid
 
+      if action == :write && target && !target.new_record? &&
+         target.respond_to?(:frozen_by_uuid) &&
+         target.frozen_by_uuid_was
+        # Just an optimization to skip the PERMISSION_VIEW and
+        # FrozenGroup queries below
+        return false
+      end
+
       target_owner_uuid = target.owner_uuid if target.respond_to? :owner_uuid
 
       user_uuids_subquery = USER_UUIDS_SUBQUERY_TEMPLATE % {user: "$1", perm_level: "$3"}

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list