# Integration tests for access control on the /arvados/v1 API: which requests
# succeed for a given API token once "permission" links are created or removed.
3 class PermissionsTest < ActionDispatch::IntegrationTest
4 fixtures :users, :groups, :api_client_authorizations, :collections
# Request headers that authenticate as the named api_client_authorizations
# fixture: its api_token is sent in an "OAuth2" Authorization header.
# NOTE(review): the enclosing `def` line is not visible in this listing; the
# tests call this helper as auth(:fixture_name).
7 {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(auth_fixture).api_token}"}
# Lifecycle of a direct permission link whose tail is the spectator user and
# whose head is the foo_file collection: read before the grant, try to create
# the link as spectator, create it (source comment: "as admin"), read again,
# try to delete it as spectator, delete it as admin, read once more.
# Visible assertions: the second POST, the read while the link exists, and the
# admin DELETE all succeed.
# NOTE(review): the expected statuses for the first and last reads, for the
# spectator's POST and for the spectator's DELETE are not visible in this
# listing. Those negative checks are what show that a user cannot grant or
# revoke their own access and that revocation takes effect; confirm each one
# is asserted as a denial.
# NOTE(review): `u` is not assigned on any visible line; presumably it is the
# uuid of the link created by the second POST. Confirm.
10 test "adding and removing direct can_read links" do
11 # try to read collection as spectator
12 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
15 # try to add permission as spectator
16 post "/arvados/v1/links", {
19 tail_uuid: users(:spectator).uuid,
20 link_class: 'permission',
22 head_uuid: collections(:foo_file).uuid,
28 # add permission as admin
29 post "/arvados/v1/links", {
32 tail_uuid: users(:spectator).uuid,
33 link_class: 'permission',
35 head_uuid: collections(:foo_file).uuid,
40 assert_response :success
42 # read collection as spectator
43 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
44 assert_response :success
46 # try to delete permission as spectator
47 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:spectator)
50 # delete permission as admin
51 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
52 assert_response :success
54 # try to read collection as spectator
55 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
# Two-hop read access, built user-first: a link from the spectator user to the
# private group, then a link from the private group to the foo_file collection.
# The collection is read as spectator before any link exists, with only the
# first link in place, with both links in place (asserted :success), and after
# admin deletes link `u`.
# NOTE(review): the expected statuses for the first, second and last reads are
# not visible in this listing; confirm they are asserted as denials, so that a
# half-built chain and a revoked chain are both shown to grant nothing.
# NOTE(review): `u` is not assigned on any visible line; per the source comment
# on the DELETE it is presumably the group-to-collection link. Confirm.
60 test "adding can_read links from user to group, group to collection" do
61 # try to read collection as spectator
62 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
65 # add permission for spectator to read group
66 post "/arvados/v1/links", {
69 tail_uuid: users(:spectator).uuid,
70 link_class: 'permission',
72 head_uuid: groups(:private).uuid,
76 assert_response :success
78 # try to read collection as spectator
79 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
82 # add permission for group to read collection
83 post "/arvados/v1/links", {
86 tail_uuid: groups(:private).uuid,
87 link_class: 'permission',
89 head_uuid: collections(:foo_file).uuid,
94 assert_response :success
96 # try to read collection as spectator
97 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
98 assert_response :success
100 # delete permission for group to read collection
101 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
102 assert_response :success
104 # try to read collection as spectator
105 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
# Same two-hop chain as the user-first test, built in the opposite order: the
# private group is linked to the foo_file collection first, then the spectator
# user is linked to the private group. With both links in place the spectator's
# read is asserted :success.
# Here `u` is the uuid returned for the user-to-group link, so the admin DELETE
# removes the spectator's membership rather than the group's access.
# NOTE(review): the expected statuses for the first, second and last reads are
# not visible in this listing; confirm they are asserted as denials.
111 test "adding can_read links from group to collection, user to group" do
112 # try to read collection as spectator
113 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
116 # add permission for group to read collection
117 post "/arvados/v1/links", {
120 tail_uuid: groups(:private).uuid,
121 link_class: 'permission',
123 head_uuid: collections(:foo_file).uuid,
127 assert_response :success
129 # try to read collection as spectator
130 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
133 # add permission for spectator to read group
134 post "/arvados/v1/links", {
137 tail_uuid: users(:spectator).uuid,
138 link_class: 'permission',
140 head_uuid: groups(:private).uuid,
# Keep the new link's uuid so the link can be deleted further down.
144 u = jresponse['uuid']
145 assert_response :success
147 # try to read collection as spectator
148 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
149 assert_response :success
151 # delete permission for spectator to read group
152 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
153 assert_response :success
155 # try to read collection as spectator
156 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
# Three-hop chain: spectator user -> private group -> empty_lonely_group ->
# foo_file collection. Each link creation is asserted :success, and the
# spectator's read is asserted :success once all three links exist.
# `u` is the uuid returned for the last link (group to collection); admin
# deletes it and the collection is read once more.
# NOTE(review): no read is attempted between the three POSTs here, so this test
# does not itself show that a partly built three-hop chain grants nothing.
# NOTE(review): the expected statuses for the first and last reads are not
# visible in this listing; confirm they are asserted as denials.
161 test "adding can_read links from user to group, group to group, group to collection" do
162 # try to read collection as spectator
163 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
166 # add permission for user to read group
167 post "/arvados/v1/links", {
170 tail_uuid: users(:spectator).uuid,
171 link_class: 'permission',
173 head_uuid: groups(:private).uuid,
177 assert_response :success
179 # add permission for group to read group
180 post "/arvados/v1/links", {
183 tail_uuid: groups(:private).uuid,
184 link_class: 'permission',
186 head_uuid: groups(:empty_lonely_group).uuid,
190 assert_response :success
192 # add permission for group to read collection
193 post "/arvados/v1/links", {
196 tail_uuid: groups(:empty_lonely_group).uuid,
197 link_class: 'permission',
199 head_uuid: collections(:foo_file).uuid,
# Keep the new link's uuid so the link can be deleted further down.
203 u = jresponse['uuid']
204 assert_response :success
206 # try to read collection as spectator
207 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
208 assert_response :success
210 # delete permission for group to read collection
211 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
212 assert_response :success
214 # try to read collection as spectator
215 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
# Lists users with the rominiadmin token and checks which uuids appear in the
# response: rominiadmin and active must be present, miniadmin and spectator
# must be absent. The absent cases are the ones that guard against the user
# list disclosing accounts outside the caller's scope.
219 test "read-only group-admin sees correct subset of user list" do
220 get "/arvados/v1/users", {:format => :json}, auth(:rominiadmin)
221 assert_response :success
# uuids of every item returned in the listing
222 resp_uuids = jresponse['items'].collect { |i| i['uuid'] }
# Each pair is [expected to be listed?, user uuid].
223 [[true, users(:rominiadmin).uuid],
224 [true, users(:active).uuid],
225 [false, users(:miniadmin).uuid],
226 [false, users(:spectator).uuid]].each do |should_find, uuid|
227 assert_equal should_find, !resp_uuids.index(uuid).nil?, "rominiadmin should #{'not ' if !should_find}see #{uuid} in user list"
# Sends a PUT that changes first_name on the active user, authenticated with
# the rominiadmin token.
# NOTE(review): the assertion on the response is not visible in this listing;
# per the test name the update is expected to be refused. Confirm the expected
# status is asserted explicitly.
231 test "read-only group-admin cannot modify administered user" do
232 put "/arvados/v1/users/#{users(:active).uuid}", {
234 first_name: 'KilroyWasHere'
237 }, auth(:rominiadmin)
# Issues a GET and then a PUT (changing first_name) against the spectator user,
# both authenticated with the rominiadmin token.
# NOTE(review): neither response assertion is visible in this listing; per the
# test name both requests are expected to be refused. Confirm each has its own
# status assertion, so a read that leaks the record cannot pass unnoticed.
241 test "read-only group-admin cannot read or update non-administered user" do
242 get "/arvados/v1/users/#{users(:spectator).uuid}", {
244 }, auth(:rominiadmin)
247 put "/arvados/v1/users/#{users(:spectator).uuid}", {
249 first_name: 'KilroyWasHere'
252 }, auth(:rominiadmin)
# Runs the same checks for two tokens: rominiadmin (update expected to fail)
# and miniadmin (update expected to succeed). For each, the specimen list must
# include the specimens owned by the active user and by the private group and
# must not include the one owned by spectator; a PUT on a specimen follows.
# NOTE(review): the `if` that precedes the `elsif` below and the assertion for
# the refused update are not visible in this listing; confirm the read-only
# token's PUT is asserted as a denial.
# NOTE(review): specimens(...) is used here, but :specimens is not in the
# class's `fixtures` declaration; presumably the fixture is loaded elsewhere.
# Confirm.
256 test "RO group-admin finds user's specimens, RW group-admin can update" do
# Each pair is [auth fixture, is the update expected to succeed?].
257 [[:rominiadmin, false],
258 [:miniadmin, true]].each do |which_user, update_should_succeed|
259 get "/arvados/v1/specimens", {:format => :json}, auth(which_user)
260 assert_response :success
261 resp_uuids = jresponse['items'].collect { |i| i['uuid'] }
# Each pair is [expected to be listed?, specimen uuid].
262 [[true, specimens(:owned_by_active_user).uuid],
263 [true, specimens(:owned_by_private_group).uuid],
264 [false, specimens(:owned_by_spectator).uuid],
265 ].each do |should_find, uuid|
266 assert_equal(should_find, !resp_uuids.index(uuid).nil?,
# NOTE(review): if the ternary below fills the second %s, the negative case
# renders as "shouldnot  see"; ' not' would give "should not see".
267 "%s should%s see %s in specimen list" %
269 should_find ? '' : 'not ',
271 put "/arvados/v1/specimens/#{uuid}", {
274 miniadmin_was_here: true
281 elsif !update_should_succeed
284 assert_response :success