3 class PermissionTest < ActiveSupport::TestCase
4 include CurrentApiClient
6 test "Grant permissions on an object I own" do
7 set_user_from_auth :active_trustedclient
12 # Ensure I have permission to manage this group even when its owner changes
13 perm_link = Link.create(tail_uuid: users(:active).uuid,
15 link_class: 'permission',
17 assert perm_link.save, "should give myself permission on my own object"
20 test "Delete permission links when deleting an object" do
21 set_user_from_auth :active_trustedclient
24 Link.create!(tail_uuid: users(:active).uuid,
26 link_class: 'permission',
29 assert ob.destroy, "Could not destroy object with 1 permission link"
30 assert_empty(Link.where(head_uuid: ob_uuid),
31 "Permission link was not deleted when object was deleted")
34 test "permission links owned by root" do
35 set_user_from_auth :active_trustedclient
37 perm_link = Link.create!(tail_uuid: users(:active).uuid,
39 link_class: 'permission',
41 assert_equal system_user_uuid, perm_link.owner_uuid
45 set_user_from_auth :active_trustedclient
48 Link.create!(tail_uuid: users(:active).uuid,
50 link_class: 'permission',
52 assert Specimen.readable_by(users(:active)).where(uuid: ob.uuid).any?, "user does not have read permission"
56 set_user_from_auth :active_trustedclient
59 Link.create!(tail_uuid: users(:active).uuid,
61 link_class: 'permission',
63 assert ob.writable_by.include?(users(:active).uuid), "user does not have write permission"
66 test "writable_by reports requesting user's own uuid for a writable project" do
67 invited_to_write = users(:project_viewer)
68 group = groups(:asubproject)
70 # project_view can read, but cannot see write or see writers list
71 set_user_from_auth :project_viewer
72 assert_equal([group.owner_uuid],
74 "writers list should just have owner_uuid")
76 # allow project_viewer to write for the remainder of the test
77 set_user_from_auth :admin
78 Link.create!(tail_uuid: invited_to_write.uuid,
79 head_uuid: group.uuid,
80 link_class: 'permission',
82 group.permissions.reload
84 # project_viewer should see self in writers list (but not all writers)
85 set_user_from_auth :project_viewer
86 assert_not_nil(group.writable_by,
87 "can write but cannot see writers list")
88 assert_includes(group.writable_by, invited_to_write.uuid,
89 "self missing from writers list")
90 assert_includes(group.writable_by, group.owner_uuid,
91 "project owner missing from writers list")
92 refute_includes(group.writable_by, users(:active).uuid,
93 "saw :active user in writers list")
95 # active user should see full writers list
96 set_user_from_auth :active
97 assert_includes(group.writable_by, invited_to_write.uuid,
98 "permission just added, but missing from writers list")
100 # allow project_viewer to manage for the remainder of the test
101 set_user_from_auth :admin
102 Link.create!(tail_uuid: invited_to_write.uuid,
103 head_uuid: group.uuid,
104 link_class: 'permission',
106 # invite another writer we can test for
107 Link.create!(tail_uuid: users(:spectator).uuid,
108 head_uuid: group.uuid,
109 link_class: 'permission',
111 group.permissions.reload
113 set_user_from_auth :project_viewer
114 assert_not_nil(group.writable_by,
115 "can manage but cannot see writers list")
116 assert_includes(group.writable_by, users(:spectator).uuid,
117 ":spectator missing from writers list")
120 test "user owns group, group can_manage object's group, user can add permissions" do
121 set_user_from_auth :admin
123 owner_grp = Group.create!(owner_uuid: users(:active).uuid)
125 sp_grp = Group.create!
126 sp = Specimen.create!(owner_uuid: sp_grp.uuid)
128 manage_perm = Link.create!(link_class: 'permission',
130 tail_uuid: owner_grp.uuid,
131 head_uuid: sp_grp.uuid)
133 # active user owns owner_grp, which has can_manage permission on sp_grp
134 # user should be able to add permissions on sp.
135 set_user_from_auth :active_trustedclient
136 test_perm = Link.create(tail_uuid: users(:active).uuid,
138 link_class: 'permission',
140 test_uuid = test_perm.uuid
141 assert test_perm.save, "could not save new permission on target object"
142 assert test_perm.destroy, "could not delete new permission on target object"
145 # TODO(twp): fix bug #3091, which should fix this test.
146 test "can_manage permission on a non-group object" do
148 set_user_from_auth :admin
150 ob = Specimen.create!
151 # grant can_manage permission to active
152 perm_link = Link.create!(tail_uuid: users(:active).uuid,
154 link_class: 'permission',
156 # ob is owned by :admin, the link is owned by root
157 assert_equal users(:admin).uuid, ob.owner_uuid
158 assert_equal system_user_uuid, perm_link.owner_uuid
160 # user "active" can modify the permission link
161 set_user_from_auth :active_trustedclient
162 perm_link.properties["foo"] = 'bar'
163 assert perm_link.save, "could not save modified link"
165 assert_equal 'bar', perm_link.properties['foo'], "link properties do not include foo = bar"
168 test "user without can_manage permission may not modify permission link" do
169 set_user_from_auth :admin
171 ob = Specimen.create!
172 # grant can_manage permission to active
173 perm_link = Link.create!(tail_uuid: users(:active).uuid,
175 link_class: 'permission',
177 # ob is owned by :admin, the link is owned by root
178 assert_equal ob.owner_uuid, users(:admin).uuid
179 assert_equal perm_link.owner_uuid, system_user_uuid
181 # user "active" may not modify the permission link
182 set_user_from_auth :active_trustedclient
183 perm_link.name = 'can_manage'
184 assert_raises ArvadosModel::PermissionDeniedError do
189 test "cannot create with owner = unwritable user" do
190 set_user_from_auth :rominiadmin
191 assert_raises ArvadosModel::PermissionDeniedError, "created with owner = unwritable user" do
192 Specimen.create!(owner_uuid: users(:active).uuid)
196 test "cannot change owner to unwritable user" do
197 set_user_from_auth :rominiadmin
198 ob = Specimen.create!
199 assert_raises ArvadosModel::PermissionDeniedError, "changed owner to unwritable user" do
200 ob.update_attributes!(owner_uuid: users(:active).uuid)
204 test "cannot create with owner = unwritable group" do
205 set_user_from_auth :rominiadmin
206 assert_raises ArvadosModel::PermissionDeniedError, "created with owner = unwritable group" do
207 Specimen.create!(owner_uuid: groups(:aproject).uuid)
211 test "cannot change owner to unwritable group" do
212 set_user_from_auth :rominiadmin
213 ob = Specimen.create!
214 assert_raises ArvadosModel::PermissionDeniedError, "changed owner to unwritable group" do
215 ob.update_attributes!(owner_uuid: groups(:aproject).uuid)