3 class PermissionsTest < ActionDispatch::IntegrationTest
4 fixtures :users, :groups, :api_client_authorizations, :collections
6 test "adding and removing direct can_read links" do
7 # try to read collection as spectator
8 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
11 # try to add permission as spectator
12 post "/arvados/v1/links", {
15 tail_kind: 'arvados#user',
16 tail_uuid: users(:spectator).uuid,
17 link_class: 'permission',
19 head_kind: 'arvados#collection',
20 head_uuid: collections(:foo_file).uuid,
26 # add permission as admin
27 post "/arvados/v1/links", {
30 tail_kind: 'arvados#user',
31 tail_uuid: users(:spectator).uuid,
32 link_class: 'permission',
34 head_kind: 'arvados#collection',
35 head_uuid: collections(:foo_file).uuid,
40 assert_response :success
42 # read collection as spectator
43 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
44 assert_response :success
46 # try to delete permission as spectator
47 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:spectator)
50 # delete permission as admin
51 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
52 assert_response :success
54 # try to read collection as spectator
55 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
60 test "adding can_read links from user to group, group to collection" do
61 # try to read collection as spectator
62 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
65 # add permission for spectator to read group
66 post "/arvados/v1/links", {
69 tail_kind: 'arvados#user',
70 tail_uuid: users(:spectator).uuid,
71 link_class: 'permission',
73 head_kind: 'arvados#group',
74 head_uuid: groups(:private).uuid,
78 assert_response :success
80 # try to read collection as spectator
81 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
84 # add permission for group to read collection
85 post "/arvados/v1/links", {
88 tail_kind: 'arvados#group',
89 tail_uuid: groups(:private).uuid,
90 link_class: 'permission',
92 head_kind: 'arvados#collection',
93 head_uuid: collections(:foo_file).uuid,
98 assert_response :success
100 # try to read collection as spectator
101 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
102 assert_response :success
104 # delete permission for group to read collection
105 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
106 assert_response :success
108 # try to read collection as spectator
109 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
115 test "adding can_read links from group to collection, user to group" do
116 # try to read collection as spectator
117 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
120 # add permission for group to read collection
121 post "/arvados/v1/links", {
124 tail_kind: 'arvados#group',
125 tail_uuid: groups(:private).uuid,
126 link_class: 'permission',
128 head_kind: 'arvados#collection',
129 head_uuid: collections(:foo_file).uuid,
133 assert_response :success
135 # try to read collection as spectator
136 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
139 # add permission for spectator to read group
140 post "/arvados/v1/links", {
143 tail_kind: 'arvados#user',
144 tail_uuid: users(:spectator).uuid,
145 link_class: 'permission',
147 head_kind: 'arvados#group',
148 head_uuid: groups(:private).uuid,
152 u = jresponse['uuid']
153 assert_response :success
155 # try to read collection as spectator
156 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
157 assert_response :success
159 # delete permission for spectator to read group
160 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
161 assert_response :success
163 # try to read collection as spectator
164 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
169 test "adding can_read links from user to group, group to group, group to collection" do
170 # try to read collection as spectator
171 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
174 # add permission for user to read group
175 post "/arvados/v1/links", {
178 tail_kind: 'arvados#user',
179 tail_uuid: users(:spectator).uuid,
180 link_class: 'permission',
182 head_kind: 'arvados#group',
183 head_uuid: groups(:private).uuid,
187 assert_response :success
189 # add permission for group to read group
190 post "/arvados/v1/links", {
193 tail_kind: 'arvados#group',
194 tail_uuid: groups(:private).uuid,
195 link_class: 'permission',
197 head_kind: 'arvados#group',
198 head_uuid: groups(:empty_lonely_group).uuid,
202 assert_response :success
204 # add permission for group to read collection
205 post "/arvados/v1/links", {
208 tail_kind: 'arvados#group',
209 tail_uuid: groups(:empty_lonely_group).uuid,
210 link_class: 'permission',
212 head_kind: 'arvados#collection',
213 head_uuid: collections(:foo_file).uuid,
217 u = jresponse['uuid']
218 assert_response :success
220 # try to read collection as spectator
221 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
222 assert_response :success
224 # delete permission for group to read collection
225 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
226 assert_response :success
228 # try to read collection as spectator
229 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
233 test "read-only group-admin sees correct subset of user list" do
234 get "/arvados/v1/users", {:format => :json}, auth(:rominiadmin)
235 assert_response :success
236 resp_uuids = jresponse['items'].collect { |i| i['uuid'] }
237 [[true, users(:rominiadmin).uuid],
238 [true, users(:active).uuid],
239 [false, users(:miniadmin).uuid],
240 [false, users(:spectator).uuid]].each do |should_find, uuid|
241 assert_equal should_find, !resp_uuids.index(uuid).nil?, "rominiadmin should #{'not ' if !should_find}see #{uuid} in user list"
245 test "read-only group-admin cannot modify administered user" do
246 put "/arvados/v1/users/#{users(:active).uuid}", {
248 first_name: 'KilroyWasHere'
251 }, auth(:rominiadmin)
255 test "read-only group-admin cannot read or update non-administered user" do
256 get "/arvados/v1/users/#{users(:spectator).uuid}", {
258 }, auth(:rominiadmin)
261 put "/arvados/v1/users/#{users(:spectator).uuid}", {
263 first_name: 'KilroyWasHere'
266 }, auth(:rominiadmin)
270 test "RO group-admin finds user's specimens, RW group-admin can update" do
271 [[:rominiadmin, false],
272 [:miniadmin, true]].each do |which_user, update_should_succeed|
273 get "/arvados/v1/specimens", {:format => :json}, auth(which_user)
274 assert_response :success
275 resp_uuids = jresponse['items'].collect { |i| i['uuid'] }
276 [[true, specimens(:owned_by_active_user).uuid],
277 [true, specimens(:owned_by_private_group).uuid],
278 [false, specimens(:owned_by_spectator).uuid],
279 ].each do |should_find, uuid|
280 assert_equal(should_find, !resp_uuids.index(uuid).nil?,
281 "%s should%s see %s in specimen list" %
283 should_find ? '' : 'not ',
285 put "/arvados/v1/specimens/#{uuid}", {
288 miniadmin_was_here: true
295 elsif !update_should_succeed
298 assert_response :success