3 class PermissionsTest < ActionDispatch::IntegrationTest
4 fixtures :users, :groups, :api_client_authorizations, :collections
7 {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(auth_fixture).api_token}"}
10 test "adding and removing direct can_read links" do
11 # try to read collection as spectator
12 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
15 # try to add permission as spectator
16 post "/arvados/v1/links", {
19 tail_kind: 'arvados#user',
20 tail_uuid: users(:spectator).uuid,
21 link_class: 'permission',
23 head_kind: 'arvados#collection',
24 head_uuid: collections(:foo_file).uuid,
30 # add permission as admin
31 post "/arvados/v1/links", {
34 tail_kind: 'arvados#user',
35 tail_uuid: users(:spectator).uuid,
36 link_class: 'permission',
38 head_kind: 'arvados#collection',
39 head_uuid: collections(:foo_file).uuid,
44 assert_response :success
46 # read collection as spectator
47 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
48 assert_response :success
50 # try to delete permission as spectator
51 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:spectator)
54 # delete permission as admin
55 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
56 assert_response :success
58 # try to read collection as spectator
59 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
64 test "adding can_read links from user to group, group to collection" do
65 # try to read collection as spectator
66 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
69 # add permission for spectator to read group
70 post "/arvados/v1/links", {
73 tail_kind: 'arvados#user',
74 tail_uuid: users(:spectator).uuid,
75 link_class: 'permission',
77 head_kind: 'arvados#group',
78 head_uuid: groups(:private).uuid,
82 assert_response :success
84 # try to read collection as spectator
85 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
88 # add permission for group to read collection
89 post "/arvados/v1/links", {
92 tail_kind: 'arvados#group',
93 tail_uuid: groups(:private).uuid,
94 link_class: 'permission',
96 head_kind: 'arvados#collection',
97 head_uuid: collections(:foo_file).uuid,
101 u = jresponse['uuid']
102 assert_response :success
104 # try to read collection as spectator
105 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
106 assert_response :success
108 # delete permission for group to read collection
109 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
110 assert_response :success
112 # try to read collection as spectator
113 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
119 test "adding can_read links from group to collection, user to group" do
120 # try to read collection as spectator
121 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
124 # add permission for group to read collection
125 post "/arvados/v1/links", {
128 tail_kind: 'arvados#group',
129 tail_uuid: groups(:private).uuid,
130 link_class: 'permission',
132 head_kind: 'arvados#collection',
133 head_uuid: collections(:foo_file).uuid,
137 assert_response :success
139 # try to read collection as spectator
140 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
143 # add permission for spectator to read group
144 post "/arvados/v1/links", {
147 tail_kind: 'arvados#user',
148 tail_uuid: users(:spectator).uuid,
149 link_class: 'permission',
151 head_kind: 'arvados#group',
152 head_uuid: groups(:private).uuid,
156 u = jresponse['uuid']
157 assert_response :success
159 # try to read collection as spectator
160 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
161 assert_response :success
163 # delete permission for spectator to read group
164 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
165 assert_response :success
167 # try to read collection as spectator
168 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
173 test "adding can_read links from user to group, group to group, group to collection" do
174 # try to read collection as spectator
175 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
178 # add permission for user to read group
179 post "/arvados/v1/links", {
182 tail_kind: 'arvados#user',
183 tail_uuid: users(:spectator).uuid,
184 link_class: 'permission',
186 head_kind: 'arvados#group',
187 head_uuid: groups(:private).uuid,
191 assert_response :success
193 # add permission for group to read group
194 post "/arvados/v1/links", {
197 tail_kind: 'arvados#group',
198 tail_uuid: groups(:private).uuid,
199 link_class: 'permission',
201 head_kind: 'arvados#group',
202 head_uuid: groups(:empty_lonely_group).uuid,
206 assert_response :success
208 # add permission for group to read collection
209 post "/arvados/v1/links", {
212 tail_kind: 'arvados#group',
213 tail_uuid: groups(:empty_lonely_group).uuid,
214 link_class: 'permission',
216 head_kind: 'arvados#collection',
217 head_uuid: collections(:foo_file).uuid,
221 u = jresponse['uuid']
222 assert_response :success
224 # try to read collection as spectator
225 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
226 assert_response :success
228 # delete permission for group to read collection
229 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
230 assert_response :success
232 # try to read collection as spectator
233 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
237 test "read-only group-admin sees correct subset of user list" do
238 get "/arvados/v1/users", {:format => :json}, auth(:rominiadmin)
239 assert_response :success
240 resp_uuids = jresponse['items'].collect { |i| i['uuid'] }
241 [[true, users(:rominiadmin).uuid],
242 [true, users(:active).uuid],
243 [false, users(:miniadmin).uuid],
244 [false, users(:spectator).uuid]].each do |should_find, uuid|
245 assert_equal should_find, !resp_uuids.index(uuid).nil?, "rominiadmin should #{'not ' if !should_find}see #{uuid} in user list"
249 test "read-only group-admin cannot modify administered user" do
250 put "/arvados/v1/users/#{users(:active).uuid}", {
252 first_name: 'KilroyWasHere'
255 }, auth(:rominiadmin)
259 test "read-only group-admin cannot read or update non-administered user" do
260 get "/arvados/v1/users/#{users(:spectator).uuid}", {
262 }, auth(:rominiadmin)
265 put "/arvados/v1/users/#{users(:spectator).uuid}", {
267 first_name: 'KilroyWasHere'
270 }, auth(:rominiadmin)
274 test "RO group-admin finds user's specimens, RW group-admin can update" do
275 [[:rominiadmin, false],
276 [:miniadmin, true]].each do |which_user, update_should_succeed|
277 get "/arvados/v1/specimens", {:format => :json}, auth(which_user)
278 assert_response :success
279 resp_uuids = jresponse['items'].collect { |i| i['uuid'] }
280 [[true, specimens(:owned_by_active_user).uuid],
281 [true, specimens(:owned_by_private_group).uuid],
282 [false, specimens(:owned_by_spectator).uuid],
283 ].each do |should_find, uuid|
284 assert_equal(should_find, !resp_uuids.index(uuid).nil?,
285 "%s should%s see %s in specimen list" %
287 should_find ? '' : 'not ',
289 put "/arvados/v1/specimens/#{uuid}", {
292 miniadmin_was_here: true
299 elsif !update_should_succeed
302 assert_response :success