assert g.save, "active user should be able to modify group #{g.uuid}"
# Use the group as the owner of a new object
- s = Specimen.
+ s = Collection.
create(owner_uuid: groups(:bad_group_has_ownership_cycle_b).uuid)
assert s.valid?, "ownership should pass validation #{s.errors.messages}"
assert_equal false, s.save, "should not save object with #{g.uuid} as owner"
# Use the group as the new owner of an existing object
- s = specimens(:in_aproject)
+ s = collections(:collection_owned_by_active)
s.owner_uuid = groups(:bad_group_has_ownership_cycle_b).uuid
assert s.valid?, "ownership should pass validation"
assert_equal false, s.save, "should not save object with #{g.uuid} as owner"
set_user_from_auth :active_trustedclient
g = Group.create!(name: "foo", group_class: "role")
assert_raises(ActiveRecord::RecordInvalid) do
- g.update_attributes!(group_class: "project")
+ g.update!(group_class: "project")
end
end
c = Collection.create!(name: "bzzz124")
assert_raises(ArvadosModel::PermissionDeniedError) do
- c.update_attributes!(owner_uuid: role.uuid)
+ c.update!(owner_uuid: role.uuid)
end
end
# Cannot set frozen_by_uuid to a different user
assert_raises do
- proj.update_attributes!(frozen_by_uuid: users(:spectator).uuid)
+ proj.update!(frozen_by_uuid: users(:spectator).uuid)
end
proj.reload
# First confirm we have write permission
assert Collection.create(name: 'bar', owner_uuid: proj.uuid)
assert_raises(ArvadosModel::PermissionDeniedError) do
- proj.update_attributes!(frozen_by_uuid: users(:spectator).uuid)
+ proj.update!(frozen_by_uuid: users(:spectator).uuid)
end
end
proj.reload
# Cannot set frozen_by_uuid without description (if so configured)
Rails.configuration.API.FreezeProjectRequiresDescription = true
err = assert_raises do
- proj.update_attributes!(frozen_by_uuid: users(:active).uuid)
+ proj.update!(frozen_by_uuid: users(:active).uuid)
end
assert_match /can only be set if description is non-empty/, err.inspect
proj.reload
err = assert_raises do
- proj.update_attributes!(frozen_by_uuid: users(:active).uuid, description: '')
+ proj.update!(frozen_by_uuid: users(:active).uuid, description: '')
end
assert_match /can only be set if description is non-empty/, err.inspect
proj.reload
# Cannot set frozen_by_uuid without properties (if so configured)
Rails.configuration.API.FreezeProjectRequiresProperties['frobity'] = true
err = assert_raises do
- proj.update_attributes!(
+ proj.update!(
frozen_by_uuid: users(:active).uuid,
description: 'ready to freeze')
end
# Cannot set frozen_by_uuid while project or its parent is
# trashed
[parent, proj].each do |trashed|
- trashed.update_attributes!(trash_at: db_current_time)
+ trashed.update!(trash_at: db_current_time)
err = assert_raises do
- proj.update_attributes!(
+ proj.update!(
frozen_by_uuid: users(:active).uuid,
description: 'ready to freeze',
properties: {'frobity' => 'bar baz'})
end
assert_match /cannot be set on a trashed project/, err.inspect
proj.reload
- trashed.update_attributes!(trash_at: nil)
+ trashed.update!(trash_at: nil)
end
# Can set frozen_by_uuid if all conditions are met
- ok = proj.update_attributes(
+ ok = proj.update(
frozen_by_uuid: users(:active).uuid,
description: 'ready to freeze',
properties: {'frobity' => 'bar baz'})
# its descendants
[proj, proj_inner].each do |frozen|
assert_raises do
- collections(:collection_owned_by_active).update_attributes!(owner_uuid: frozen.uuid)
+ collections(:collection_owned_by_active).update!(owner_uuid: frozen.uuid)
end
assert_raises do
Collection.create!(owner_uuid: frozen.uuid, name: 'inside-frozen-project')
# trash, or delete the project or anything beneath it
[proj, proj_inner, coll].each do |frozen|
assert_raises(StandardError, "should reject rename of #{frozen.uuid} (#{frozen.name}) with parent #{frozen.owner_uuid}") do
- frozen.update_attributes!(name: 'foo2')
+ frozen.update!(name: 'foo2')
end
frozen.reload
if frozen.is_a?(Collection)
assert_raises(StandardError, "should reject manifest change of #{frozen.uuid}") do
- frozen.update_attributes!(manifest_text: ". d41d8cd98f00b204e9800998ecf8427e+0 0:0:foo\n")
+ frozen.update!(manifest_text: ". d41d8cd98f00b204e9800998ecf8427e+0 0:0:foo\n")
end
else
assert_raises(StandardError, "should reject moving a project into #{frozen.uuid}") do
- groups(:private).update_attributes!(owner_uuid: frozen.uuid)
+ groups(:private).update!(owner_uuid: frozen.uuid)
end
end
frozen.reload
assert_raises(StandardError, "should reject moving #{frozen.uuid} to a different parent project") do
- frozen.update_attributes!(owner_uuid: groups(:private).uuid)
+ frozen.update!(owner_uuid: groups(:private).uuid)
end
frozen.reload
assert_raises(StandardError, "should reject setting trash_at of #{frozen.uuid}") do
- frozen.update_attributes!(trash_at: db_current_time)
+ frozen.update!(trash_at: db_current_time)
end
frozen.reload
assert_raises(StandardError, "should reject setting delete_at of #{frozen.uuid}") do
- frozen.update_attributes!(delete_at: db_current_time)
+ frozen.update!(delete_at: db_current_time)
end
frozen.reload
assert_raises(StandardError, "should reject delete of #{frozen.uuid}") do
# First confirm we have write permission on the parent project
assert Collection.create(name: 'bar', owner_uuid: parent.uuid)
assert_raises(ArvadosModel::PermissionDeniedError) do
- proj.update_attributes!(frozen_by_uuid: nil)
+ proj.update!(frozen_by_uuid: nil)
end
end
proj.reload
# User with manage permission can unfreeze, then create items
# inside it and its children
- assert proj.update_attributes(frozen_by_uuid: nil)
+ assert proj.update(frozen_by_uuid: nil)
assert Collection.create!(owner_uuid: proj.uuid, name: 'inside-unfrozen-project')
assert Collection.create!(owner_uuid: proj_inner.uuid, name: 'inside-inner-unfrozen-project')
# Re-freeze, and reconfigure so only admins can unfreeze.
- assert proj.update_attributes(frozen_by_uuid: users(:active).uuid)
+ assert proj.update(frozen_by_uuid: users(:active).uuid)
Rails.configuration.API.UnfreezeProjectRequiresAdmin = true
# Owner cannot unfreeze, because not admin.
err = assert_raises do
- proj.update_attributes!(frozen_by_uuid: nil)
+ proj.update!(frozen_by_uuid: nil)
end
assert_match /can only be changed by an admin user, once set/, err.inspect
proj.reload
# Cannot trash or delete a frozen project's ancestor
assert_raises(StandardError, "should not be able to set trash_at on parent of frozen project") do
- parent.update_attributes!(trash_at: db_current_time)
+ parent.update!(trash_at: db_current_time)
end
parent.reload
assert_raises(StandardError, "should not be able to set delete_at on parent of frozen project") do
- parent.update_attributes!(delete_at: db_current_time)
+ parent.update!(delete_at: db_current_time)
end
parent.reload
assert_nil parent.frozen_by_uuid
act_as_user users(:admin) do
# Even admin cannot change frozen_by_uuid to someone else's UUID.
err = assert_raises do
- proj.update_attributes!(frozen_by_uuid: users(:project_viewer).uuid)
+ proj.update!(frozen_by_uuid: users(:project_viewer).uuid)
end
assert_match /can only be set to the current user's UUID/, err.inspect
proj.reload
# Admin can unfreeze.
- assert proj.update_attributes(frozen_by_uuid: nil), proj.errors.messages
+ assert proj.update(frozen_by_uuid: nil), proj.errors.messages
end
# Cannot freeze a project if it contains container requests in
creq_uncommitted = ContainerRequest.create!(test_cr_attrs.merge(owner_uuid: proj_inner.uuid))
creq_committed = ContainerRequest.create!(test_cr_attrs.merge(owner_uuid: proj_inner.uuid, state: 'Committed'))
err = assert_raises do
- proj.update_attributes!(frozen_by_uuid: users(:active).uuid)
+ proj.update!(frozen_by_uuid: users(:active).uuid)
end
assert_match /container request zzzzz-xvhdp-.* with state = Committed/, err.inspect
proj.reload
# Can freeze once all container requests are in Uncommitted or
# Final state
- creq_committed.update_attributes!(state: ContainerRequest::Final)
- assert proj.update_attributes(frozen_by_uuid: users(:active).uuid)
+ creq_committed.update!(state: ContainerRequest::Final)
+ assert proj.update(frozen_by_uuid: users(:active).uuid)
+ end
+ end
+
+ [
+ [false, :admin, true],
+ [false, :active, false],
+ [true, :admin, true],
+ [true, :active, true],
+ [true, :inactive, false],
+ ].each do |conf, user, allowed|
+ test "config.Users.CanCreateRoleGroups conf=#{conf}, user=#{user}" do
+ Rails.configuration.Users.CanCreateRoleGroups = conf
+ act_as_user users(user) do
+ if allowed
+ Group.create!(name: 'admin-created', group_class: 'role')
+ else
+ assert_raises(ArvadosModel::PermissionDeniedError) do
+ Group.create!(name: 'user-created', group_class: 'role')
+ end
+ end
+ end
end
end
end
projects / arvados.git / blobdiff