3 class PermissionTest < ActiveSupport::TestCase
4 include CurrentApiClient
6 test "Grant permissions on an object I own" do
7 set_user_from_auth :active_trustedclient
12 # Ensure I have permission to manage this group even when its owner changes
13 perm_link = Link.create(tail_uuid: users(:active).uuid,
15 link_class: 'permission',
17 assert perm_link.save, "should give myself permission on my own object"
20 test "Delete permission links when deleting an object" do
21 set_user_from_auth :active_trustedclient
24 Link.create!(tail_uuid: users(:active).uuid,
26 link_class: 'permission',
29 assert ob.destroy, "Could not destroy object with 1 permission link"
30 assert_empty(Link.where(head_uuid: ob_uuid),
31 "Permission link was not deleted when object was deleted")
34 test "permission links owned by root" do
35 set_user_from_auth :active_trustedclient
37 perm_link = Link.create!(tail_uuid: users(:active).uuid,
39 link_class: 'permission',
41 assert_equal system_user_uuid, perm_link.owner_uuid
45 set_user_from_auth :active_trustedclient
48 Link.create!(tail_uuid: users(:active).uuid,
50 link_class: 'permission',
52 assert Specimen.readable_by(users(:active)).where(uuid: ob.uuid).any?, "user does not have read permission"
56 set_user_from_auth :active_trustedclient
59 Link.create!(tail_uuid: users(:active).uuid,
61 link_class: 'permission',
63 assert ob.writable_by.include?(users(:active).uuid), "user does not have write permission"
66 test "user owns group, group can_manage object's group, user can add permissions" do
67 set_user_from_auth :admin
69 owner_grp = Group.create!(owner_uuid: users(:active).uuid)
71 sp_grp = Group.create!
72 sp = Specimen.create!(owner_uuid: sp_grp.uuid)
74 manage_perm = Link.create!(link_class: 'permission',
76 tail_uuid: owner_grp.uuid,
77 head_uuid: sp_grp.uuid)
79 # active user owns owner_grp, which has can_manage permission on sp_grp
80 # user should be able to add permissions on sp.
81 set_user_from_auth :active_trustedclient
82 test_perm = Link.create(tail_uuid: users(:active).uuid,
84 link_class: 'permission',
86 test_uuid = test_perm.uuid
87 assert test_perm.save, "could not save new permission on target object"
88 assert test_perm.destroy, "could not delete new permission on target object"
91 # TODO(twp): fix bug #3091, which should fix this test.
92 test "can_manage permission on a non-group object" do
94 set_user_from_auth :admin
97 # grant can_manage permission to active
98 perm_link = Link.create!(tail_uuid: users(:active).uuid,
100 link_class: 'permission',
102 # ob is owned by :admin, the link is owned by root
103 assert_equal users(:admin).uuid, ob.owner_uuid
104 assert_equal system_user_uuid, perm_link.owner_uuid
106 # user "active" can modify the permission link
107 set_user_from_auth :active_trustedclient
108 perm_link.properties["foo"] = 'bar'
109 assert perm_link.save, "could not save modified link"
111 assert_equal 'bar', perm_link.properties['foo'], "link properties do not include foo = bar"
114 test "user without can_manage permission may not modify permission link" do
115 set_user_from_auth :admin
117 ob = Specimen.create!
118 # grant can_manage permission to active
119 perm_link = Link.create!(tail_uuid: users(:active).uuid,
121 link_class: 'permission',
123 # ob is owned by :admin, the link is owned by root
124 assert_equal ob.owner_uuid, users(:admin).uuid
125 assert_equal perm_link.owner_uuid, system_user_uuid
127 # user "active" may not modify the permission link
128 set_user_from_auth :active_trustedclient
129 perm_link.name = 'can_manage'
130 assert_raises ArvadosModel::PermissionDeniedError do
135 test "cannot create with owner = unwritable user" do
136 set_user_from_auth :rominiadmin
137 assert_raises ArvadosModel::PermissionDeniedError, "created with owner = unwritable user" do
138 Specimen.create!(owner_uuid: users(:active).uuid)
142 test "cannot change owner to unwritable user" do
143 set_user_from_auth :rominiadmin
144 ob = Specimen.create!
145 assert_raises ArvadosModel::PermissionDeniedError, "changed owner to unwritable user" do
146 ob.update_attributes!(owner_uuid: users(:active).uuid)
150 test "cannot create with owner = unwritable group" do
151 set_user_from_auth :rominiadmin
152 assert_raises ArvadosModel::PermissionDeniedError, "created with owner = unwritable group" do
153 Specimen.create!(owner_uuid: groups(:aproject).uuid)
157 test "cannot change owner to unwritable group" do
158 set_user_from_auth :rominiadmin
159 ob = Specimen.create!
160 assert_raises ArvadosModel::PermissionDeniedError, "changed owner to unwritable group" do
161 ob.update_attributes!(owner_uuid: groups(:aproject).uuid)