Remove illegal characters (currently just '/') from output collection names

[arvados.git] / services / api / test / unit / permission_test.rb
diff --git a/services/api/test/unit/permission_test.rb b/services/api/test/unit/permission_test.rb

index cb5ae7ba2f2367462229927e364e640913727141..efc43dfde54f6f9b3274c765465a067226a3de27 100644 (file)
--- a/services/api/test/unit/permission_test.rb
+++ b/services/api/test/unit/permission_test.rb
@@ -46,7 +46,7 @@ class PermissionTest < ActiveSupport::TestCase
    end
  
    test "readable_by" do
    end
  
    test "readable_by" do
-    set_user_from_auth :active_trustedclient
+    set_user_from_auth :admin
  
      ob = Collection.create!
      Link.create!(tail_uuid: users(:active).uuid,
  
      ob = Collection.create!
      Link.create!(tail_uuid: users(:active).uuid,
@@ -57,7 +57,7 @@ class PermissionTest < ActiveSupport::TestCase
    end
  
    test "writable_by" do
    end
  
    test "writable_by" do
-    set_user_from_auth :active_trustedclient
+    set_user_from_auth :admin
  
      ob = Collection.create!
      Link.create!(tail_uuid: users(:active).uuid,
  
      ob = Collection.create!
      Link.create!(tail_uuid: users(:active).uuid,
@@ -153,6 +153,7 @@ class PermissionTest < ActiveSupport::TestCase
      set_user_from_auth :admin
  
      owner_grp = Group.create!(owner_uuid: users(:active).uuid, group_class: "role")
      set_user_from_auth :admin
  
      owner_grp = Group.create!(owner_uuid: users(:active).uuid, group_class: "role")
+
      sp_grp = Group.create!(group_class: "project")
  
      Link.create!(link_class: 'permission',
      sp_grp = Group.create!(group_class: "project")
  
      Link.create!(link_class: 'permission',
@@ -217,6 +218,8 @@ class PermissionTest < ActiveSupport::TestCase
    end
  
    test "manager user gets permission to minions' articles via can_manage link" do
    end
  
    test "manager user gets permission to minions' articles via can_manage link" do
+    Rails.configuration.Users.RoleGroupsVisibleToAll = false
+    Rails.configuration.Users.ActivatedUsersAreVisibleToOthers = false
      manager = create :active_user, first_name: "Manage", last_name: "Er"
      minion = create :active_user, first_name: "Min", last_name: "Ion"
      minions_specimen = act_as_user minion do
      manager = create :active_user, first_name: "Manage", last_name: "Er"
      minion = create :active_user, first_name: "Min", last_name: "Ion"
      minions_specimen = act_as_user minion do
@@ -227,7 +230,7 @@ class PermissionTest < ActiveSupport::TestCase
      # anyone any additional permissions.)
      g = nil
      act_as_user manager do
      # anyone any additional permissions.)
      g = nil
      act_as_user manager do
-      g = create :group, name: "NoBigSecret Lab"
+      g = create :group, name: "NoBigSecret Lab", group_class: "role"
        assert_empty(User.readable_by(manager).where(uuid: minion.uuid),
                     "saw a user I shouldn't see")
        assert_raises(ArvadosModel::PermissionDeniedError,
        assert_empty(User.readable_by(manager).where(uuid: minion.uuid),
                     "saw a user I shouldn't see")
        assert_raises(ArvadosModel::PermissionDeniedError,
@@ -313,6 +316,7 @@ class PermissionTest < ActiveSupport::TestCase
    end
  
    test "users with bidirectional read permission in group can see each other, but cannot see each other's private articles" do
    end
  
    test "users with bidirectional read permission in group can see each other, but cannot see each other's private articles" do
+    Rails.configuration.Users.ActivatedUsersAreVisibleToOthers = false
      a = create :active_user, first_name: "A"
      b = create :active_user, first_name: "B"
      other = create :active_user, first_name: "OTHER"
      a = create :active_user, first_name: "A"
      b = create :active_user, first_name: "B"
      other = create :active_user, first_name: "OTHER"
@@ -323,7 +327,7 @@ class PermissionTest < ActiveSupport::TestCase
                       "#{a.first_name} should not be able to see 'b' in the user list")
  
      act_as_system_user do
                       "#{a.first_name} should not be able to see 'b' in the user list")
  
      act_as_system_user do
-      g = create :group
+      g = create :group, group_class: "role"
        [a,b].each do |u|
          create(:permission_link,
                 name: 'can_read', tail_uuid: u.uuid, head_uuid: g.uuid)
        [a,b].each do |u|
          create(:permission_link,
                 name: 'can_read', tail_uuid: u.uuid, head_uuid: g.uuid)
@@ -423,7 +427,13 @@ class PermissionTest < ActiveSupport::TestCase
    test "add user to group, then remove them" do
      set_user_from_auth :admin
      grp = Group.create!(owner_uuid: system_user_uuid, group_class: "role")
    test "add user to group, then remove them" do
      set_user_from_auth :admin
      grp = Group.create!(owner_uuid: system_user_uuid, group_class: "role")
-    col = Collection.create!(owner_uuid: grp.uuid)
+    col = Collection.create!(owner_uuid: system_user_uuid)
+
+    l0 = Link.create!(tail_uuid: grp.uuid,
+                 head_uuid: col.uuid,
+                 link_class: 'permission',
+                 name: 'can_read')
+
      assert_empty Collection.readable_by(users(:active)).where(uuid: col.uuid)
      assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid)
  
      assert_empty Collection.readable_by(users(:active)).where(uuid: col.uuid)
      assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid)
  
@@ -459,7 +469,7 @@ class PermissionTest < ActiveSupport::TestCase
  
    test "add user to group, then change permission level" do
      set_user_from_auth :admin
  
    test "add user to group, then change permission level" do
      set_user_from_auth :admin
-    grp = Group.create!(owner_uuid: system_user_uuid, group_class: "role")
+    grp = Group.create!(owner_uuid: system_user_uuid, group_class: "project")
      col = Collection.create!(owner_uuid: grp.uuid)
      assert_empty Collection.readable_by(users(:active)).where(uuid: col.uuid)
      assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid)
      col = Collection.create!(owner_uuid: grp.uuid)
      assert_empty Collection.readable_by(users(:active)).where(uuid: col.uuid)
      assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid)
@@ -468,10 +478,6 @@ class PermissionTest < ActiveSupport::TestCase
                   head_uuid: grp.uuid,
                   link_class: 'permission',
                   name: 'can_manage')
                   head_uuid: grp.uuid,
                   link_class: 'permission',
                   name: 'can_manage')
-    l2 = Link.create!(tail_uuid: grp.uuid,
-                 head_uuid: users(:active).uuid,
-                 link_class: 'permission',
-                 name: 'can_read')
  
      assert Collection.readable_by(users(:active)).where(uuid: col.uuid).first
      assert users(:active).can?(read: col.uuid)
  
      assert Collection.readable_by(users(:active)).where(uuid: col.uuid).first
      assert users(:active).can?(read: col.uuid)
@@ -498,7 +504,7 @@ class PermissionTest < ActiveSupport::TestCase
  
    test "add user to group, then add overlapping permission link to group" do
      set_user_from_auth :admin
  
    test "add user to group, then add overlapping permission link to group" do
      set_user_from_auth :admin
-    grp = Group.create!(owner_uuid: system_user_uuid, group_class: "role")
+    grp = Group.create!(owner_uuid: system_user_uuid, group_class: "project")
      col = Collection.create!(owner_uuid: grp.uuid)
      assert_empty Collection.readable_by(users(:active)).where(uuid: col.uuid)
      assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid)
      col = Collection.create!(owner_uuid: grp.uuid)
      assert_empty Collection.readable_by(users(:active)).where(uuid: col.uuid)
      assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid)
@@ -507,10 +513,6 @@ class PermissionTest < ActiveSupport::TestCase
                   head_uuid: grp.uuid,
                   link_class: 'permission',
                   name: 'can_manage')
                   head_uuid: grp.uuid,
                   link_class: 'permission',
                   name: 'can_manage')
-    l2 = Link.create!(tail_uuid: grp.uuid,
-                 head_uuid: users(:active).uuid,
-                 link_class: 'permission',
-                 name: 'can_read')
  
      assert Collection.readable_by(users(:active)).where(uuid: col.uuid).first
      assert users(:active).can?(read: col.uuid)
  
      assert Collection.readable_by(users(:active)).where(uuid: col.uuid).first
      assert users(:active).can?(read: col.uuid)
@@ -538,8 +540,14 @@ class PermissionTest < ActiveSupport::TestCase
  
    test "add user to group, then add overlapping permission link to subproject" do
      set_user_from_auth :admin
  
    test "add user to group, then add overlapping permission link to subproject" do
      set_user_from_auth :admin
-    grp = Group.create!(owner_uuid: system_user_uuid, group_class: "project")
-    prj = Group.create!(owner_uuid: grp.uuid, group_class: "project")
+    grp = Group.create!(owner_uuid: system_user_uuid, group_class: "role")
+    prj = Group.create!(owner_uuid: system_user_uuid, group_class: "project")
+
+    l0 = Link.create!(tail_uuid: grp.uuid,
+                 head_uuid: prj.uuid,
+                 link_class: 'permission',
+                 name: 'can_manage')
+
      assert_empty Group.readable_by(users(:active)).where(uuid: prj.uuid)
      assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid)
  
      assert_empty Group.readable_by(users(:active)).where(uuid: prj.uuid)
      assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid)
  
@@ -574,4 +582,37 @@ class PermissionTest < ActiveSupport::TestCase
      assert users(:active).can?(write: prj.uuid)
      assert users(:active).can?(manage: prj.uuid)
    end
      assert users(:active).can?(write: prj.uuid)
      assert users(:active).can?(manage: prj.uuid)
    end
+
+  [system_user_uuid, anonymous_user_uuid].each do |u|
+    test "cannot delete system user #{u}" do
+      act_as_system_user do
+        assert_raises ArvadosModel::PermissionDeniedError do
+          User.find_by_uuid(u).destroy
+        end
+      end
+    end
+  end
+
+  [system_group_uuid, anonymous_group_uuid, public_project_uuid].each do |g|
+    test "cannot delete system group #{g}" do
+      act_as_system_user do
+        assert_raises ArvadosModel::PermissionDeniedError do
+          Group.find_by_uuid(g).destroy
+        end
+      end
+    end
+  end
+
+  # Show query plan for readable_by query. The plan for a test db
+  # might not resemble the plan for a production db, but it doesn't
+  # hurt to show the test db plan in test logs, and the .
+  [false, true].each do |include_trash|
+    test "query plan, include_trash=#{include_trash}" do
+      sql = Collection.readable_by(users(:active), include_trash: include_trash).to_sql
+      sql = "explain analyze #{sql}"
+      STDERR.puts sql
+      q = ActiveRecord::Base.connection.exec_query(sql)
+      q.rows.each do |row| STDERR.puts(row) end
+    end
+  end
  end
  end