YDA-5442: check if vault is empty when removing a group

Co-authored-by: Harm de Raaff <[email protected]>
UtrechtUniversity · Oct 3, 2023 · c1fd4a0 · c1fd4a0
1 parent e03035c
commit c1fd4a0
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 2 deletions.
diff --git a/uuGroupPolicies.r b/uuGroupPolicies.r
@@ -130,6 +130,28 @@ uuGroupPreSudoGroupRemove(*groupName, *policyKv) {
 	fail;
 }
 
+# Specific handling for rodsadmin when removing a group
+uuGroupPreSudoGroupRemoveForAdmin(*groupName, *policyKv) {
+    *prefix = "";
+    *base = "";
+
+    uuChop(*groupName, *prefix, *base, "-", true);
+    *vaultName = "vault-*base";
+    *zoneName = $rodsZoneClient;
+    *vaultIsEmpty = true;
+
+    # Check whether vault still holds data
+    msiMakeGenQuery("COLL_NAME","COLL_NAME like '/*zoneName/home/*vaultName/%'", *genQIn);
+    msiExecGenQuery(*genQIn, *genQOut);
+    foreach(*genQOut){
+        *vaultIsEmpty = false; break;
+    }
+    if (*vaultIsEmpty) {
+        succeed;
+    }
+    fail;
+}
+
 uuGroupPreSudoGroupMemberAdd(*groupName, *userName, *policyKv) {
 
 	*groupToCheck = *groupName

diff --git a/uuGroupPolicyChecks.r b/uuGroupPolicyChecks.r
@@ -203,7 +203,7 @@ uuGroupPolicyCanGroupAdd(*actor, *groupName, *category, *subcategory, *expiratio
 							} else {
 							    *reason = "Invalid expiration date when adding group: '*expiration_date'";
 							}
-							
+
 						} else {
 							# schema not valid -> report error
 							*reason = "Invalid schema-id used when adding group: '*schema_id'";
@@ -377,7 +377,28 @@ uuGroupPolicyCanGroupRemove(*actor, *groupName, *allowed, *reason) {
 			}
 
 			if (*homeCollectionIsEmpty) {
-				*allowed = 1;
+          if (*groupName like regex "(research)-.*") {
+              # Research groups can only be removed when no vault packages exist
+              uuChop(*groupName, *prefix, *base, "-", true);
+              *vaultName = "vault-*base";
+              *zoneName = $rodsZoneClient;
+              *vaultIsEmpty = true;
+
+              # Check whether vault still holds data
+              msiMakeGenQuery("COLL_NAME", "COLL_NAME like '/*zoneName/home/*vaultName/%'", *genQIn);
+              msiExecGenQuery(*genQIn, *genQOut);
+              foreach(*genQOut){
+                  *vaultIsEmpty = false;
+									break;
+              }
+              if (*vaultIsEmpty) {
+                  *allowed = 1;
+              } else {
+                  *reason = "There are still datapackages in the vault for group: *groupName. Please remove these first before removing this group.";
+              }
+          } else {
+              *allowed = 1;
+          }
 			} else {
 				*reason = "The group's directory is not empty. Please remove all of its files and subdirectories before removing this group.";
 			}

diff --git a/uuSudoPolicies.r b/uuSudoPolicies.r
@@ -59,6 +59,8 @@ acPreSudoGroupRemove(*groupName, *policyKv) {
 	writeLine("serverLog", "In acPreSudoGroupRemove, group is <*groupName>, actor is <$userNameClient#$rodsZoneClient>");
 	uuGetUserType(uuClientFullName, *userType);
 	if (*userType != "rodsadmin") { fail; }
+  # User is admin, check whether the vault has no datapackages.
+  uuGroupPreSudoGroupRemoveForAdmin(*groupName, *policyKv);
 }
 
 acPreSudoGroupMemberAdd(*groupName, *userName, *policyKv) {