verify_link response_items, 'arvados#user', true, 'permission', 'can_login',
created['uuid'], created['email'], 'arvados#user', false, 'User'
- verify_link response_items, 'arvados#repository', true, 'permission', 'can_write',
+ verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
repo_name, created['uuid'], 'arvados#repository', true, 'Repository'
verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
email: "foo@example.com"
}
}
+ assert_response :success
response_items = JSON.parse(@response.body)['items']
# arvados#user, repo link and link add user to 'All users' group
verify_num_links @all_links_at_start, 5
- verify_link response_items, 'arvados#repository', true, 'permission', 'can_write',
+ verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
repo_name, created['uuid'], 'arvados#repository', true, 'Repository'
verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
'expecting inactive user email'
# expect repo and vm links
- verify_link response_items, 'arvados#repository', true, 'permission', 'can_write',
+ verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
'test_repo', resp_obj['uuid'], 'arvados#repository', true, 'Repository'
verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login',
verify_link response_items, 'arvados#user', true, 'permission', 'can_login',
created['uuid'], created['email'], 'arvados#user', false, 'User'
- verify_link response_items, 'arvados#repository', true, 'permission', 'can_write',
+ verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
'test_repo', created['uuid'], 'arvados#repository', true, 'Repository'
verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
verify_link response_items, 'arvados#user', true, 'permission', 'can_login',
created['uuid'], created['email'], 'arvados#user', false, 'User'
- verify_link response_items, 'arvados#repository', true, 'permission', 'can_write',
+ verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
'test_repo', created['uuid'], 'arvados#repository', true, 'Repository'
verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
'All users', created['uuid'], 'arvados#group', true, 'Group'
- verify_link response_items, 'arvados#repository', false, 'permission', 'can_write',
+ verify_link response_items, 'arvados#repository', false, 'permission', 'can_manage',
'test_repo', created['uuid'], 'arvados#repository', true, 'Repository'
verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login',
verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
'All users', created['uuid'], 'arvados#group', true, 'Group'
- verify_link response_items, 'arvados#repository', true, 'permission', 'can_write',
+ verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
'new_repo', created['uuid'], 'arvados#repository', true, 'Repository'
verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login',
'All users', created['uuid'], 'arvados#group', true, 'Group'
# since no repo name in input, we won't get any; even though user has one
- verify_link response_items, 'arvados#repository', false, 'permission', 'can_write',
+ verify_link response_items, 'arvados#repository', false, 'permission', 'can_manage',
'new_repo', created['uuid'], 'arvados#repository', true, 'Repository'
verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login',
verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
'All users', created['uuid'], 'arvados#group', true, 'Group'
- verify_link response_items, 'arvados#repository', true, 'permission', 'can_write',
+ verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
'test_repo', created['uuid'], 'arvados#repository', true, 'Repository'
verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login',
assert active_user['is_invited'], 'expected is_invited for active user'
verify_link_existence active_user['uuid'], active_user['email'],
- false, false, false, true, true
+ false, true, false, true, true
authorize_with :admin
verify_link_existence response_user['uuid'], response_user['email'],
false, false, false, false, false
+
+ assert_equal([], User.find_by_uuid(users(:active).uuid).groups_i_can(:read),
+ "active user can still read some groups after being deactivated")
end
test "setup user with send notification param false and verify no email" do
'Expected workbench url in email body'
end
+ test "non-admin user can get basic information about active users" do
+ authorize_with :spectator
+ get(:index)
+ check_non_admin_index
+ check_active_users_index
+ end
+
+ test "non-admin user can limit index" do
+ authorize_with :spectator
+ get(:index, limit: 2)
+ check_non_admin_index
+ assert_equal(2, json_response["items"].size,
+ "non-admin index limit was ineffective")
+ end
+
+ test "filters are ignored for non-admin index" do
+ check_index_condition_fails(:spectator,
+ filters: [["last_name", "=", "__nonexistent__"]])
+ end
+
+ test "where is ignored for non-admin index" do
+ check_index_condition_fails(:spectator,
+ where: {last_name: "__nonexistent__"})
+ end
+
+ test "group admin is treated like non-admin for index" do
+ check_index_condition_fails(:rominiadmin,
+ filters: [["last_name", "=", "__nonexistent__"]])
+ end
+
+ test "admin has full index powers" do
+ authorize_with :admin
+ check_inactive_user_findable
+ end
+
+ test "reader token can grant admin index powers" do
+ authorize_with :spectator
+ check_inactive_user_findable(reader_tokens: [api_token(:admin)])
+ end
+
+ test "admin can filter on user.is_active" do
+ authorize_with :admin
+ get(:index, filters: [["is_active", "=", "true"]])
+ assert_response :success
+ check_active_users_index
+ end
+
+ test "admin can search where user.is_active" do
+ authorize_with :admin
+ get(:index, where: {is_active: true})
+ assert_response :success
+ check_active_users_index
+ end
+
+ test "update active_no_prefs user profile and expect notification email" do
+ authorize_with :admin
+
+ put :update, {
+ id: users(:active_no_prefs).uuid,
+ user: {
+ prefs: {:profile => {'organization' => 'example.com'}}
+ }
+ }
+ assert_response :success
+
+ found_email = false
+ ActionMailer::Base.deliveries.andand.each do |email|
+ if email.subject == "Profile created by #{users(:active_no_prefs).email}"
+ found_email = true
+ break
+ end
+ end
+ assert_equal true, found_email, 'Expected email after creating profile'
+ end
+
+ test "update active_no_prefs_profile user profile and expect notification email" do
+ authorize_with :admin
+
+ user = {}
+ user[:prefs] = users(:active_no_prefs_profile).prefs
+ user[:prefs][:profile] = {:profile => {'organization' => 'example.com'}}
+ put :update, {
+ id: users(:active_no_prefs_profile).uuid,
+ user: user
+ }
+ assert_response :success
+
+ found_email = false
+ ActionMailer::Base.deliveries.andand.each do |email|
+ if email.subject == "Profile created by #{users(:active_no_prefs_profile).email}"
+ found_email = true
+ break
+ end
+ end
+ assert_equal true, found_email, 'Expected email after creating profile'
+ end
+
+ test "update active user profile and expect no notification email" do
+ authorize_with :admin
+
+ put :update, {
+ id: users(:active).uuid,
+ user: {
+ prefs: {:profile => {'organization' => 'anotherexample.com'}}
+ }
+ }
+ assert_response :success
+
+ found_email = false
+ ActionMailer::Base.deliveries.andand.each do |email|
+ if email.subject == "Profile created by #{users(:active).email}"
+ found_email = true
+ break
+ end
+ end
+ assert_equal false, found_email, 'Expected no email after updating profile'
+ end
+
+
+ NON_ADMIN_USER_DATA = ["uuid", "kind", "is_active", "email", "first_name",
+ "last_name"].sort
+
+ def check_non_admin_index
+ assert_response :success
+ response_items = json_response["items"]
+ assert_not_nil response_items
+ response_items.each do |user_data|
+ assert_equal(NON_ADMIN_USER_DATA, user_data.keys.sort,
+ "data in all users response did not match expectations")
+ assert_equal("arvados#user", user_data["kind"])
+ assert(user_data["is_active"], "non-admin index returned inactive user")
+ end
+ end
+
+ def check_active_users_index
+ response_uuids = json_response["items"].map { |u| u["uuid"] }
+ [:admin, :miniadmin, :active, :spectator].each do |user_key|
+ assert_includes(response_uuids, users(user_key).uuid,
+ "#{user_key} missing from index")
+ end
+ refute_includes(response_uuids, users(:inactive).uuid,
+ "inactive user included in index")
+ end
+
+ def check_index_condition_fails(user_sym, params)
+ authorize_with user_sym
+ get(:index, params)
+ check_non_admin_index
+ assert(json_response["items"]
+ .any? { |u| u["last_name"] != "__nonexistent__" },
+ "#{params.inspect} successfully applied to non-admin index")
+ end
+
+ def check_inactive_user_findable(params={})
+ inactive_user = users(:inactive)
+ get(:index, params.merge(filters: [["email", "=", inactive_user.email]]))
+ assert_response :success
+ user_list = json_response["items"]
+ assert_equal(1, user_list.andand.count)
+ # This test needs to check a column non-admins have no access to,
+ # to ensure that admins see all user information.
+ assert_equal(inactive_user.identity_url, user_list.first["identity_url"],
+ "admin's filtered index did not return inactive user")
+ end
+
def verify_num_links (original_links, expected_additional_links)
links_now = Link.all
assert_equal expected_additional_links, Link.all.size-original_links.size,
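Review bot: The test "reader token can grant admin index powers" has no negative counterpart, so nothing in this hunk asserts that a non-admin reader token leaves a spectator with the restricted index. That is the case that would catch a privilege regression in reader-token handling. A test along the lines of `check_index_condition_fails(:spectator, reader_tokens: [api_token(NON_ADMIN_FIXTURE)], filters: [["last_name", "=", "__nonexistent__"]])` would cover it, where NON_ADMIN_FIXTURE is a placeholder for whichever non-admin token fixture the suite provides. Separately, in "update active_no_prefs_profile user profile and expect notification email", `user[:prefs][:profile] = {:profile => {'organization' => 'example.com'}}` nests a second `:profile` key inside the profile, unlike the sibling test that sends `prefs: {:profile => {'organization' => 'example.com'}}`. This looks unintended and probably should read `user[:prefs][:profile] = {'organization' => 'example.com'}`.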
def find_obj_in_resp (response_items, object_type, head_kind=nil)
return_obj = nil
+ response_items
response_items.each { |x|
if !x
next
end
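Review bot: The added bare `response_items` line at the top of find_obj_in_resp is an expression statement with no effect and reads like leftover debugging, so it should be dropped. If the intent was to guard against a missing item list, make that explicit with `assert_not_nil response_items`, as check_non_admin_index does elsewhere in this change. A failed request then surfaces as an assertion failure rather than a NoMethodError on `each`. The method body continues outside the hunk.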
repo_perms = Link.where(tail_uuid: uuid,
- link_class: 'permission',
- name: 'can_write').where("head_uuid like ?", Repository.uuid_like_pattern)
+ link_class: 'permission',
+ name: 'can_manage').where("head_uuid like ?", Repository.uuid_like_pattern)
if expect_repo_perms
assert repo_perms.any?, "expected repo_perms"
else