Merge branch '13939-unqualified-contents-orders'

[arvados.git] / services / api / test / functional / arvados / v1 / users_controller_test.rb

diff --git a/services/api/test/functional/arvados/v1/users_controller_test.rb b/services/api/test/functional/arvados/v1/users_controller_test.rb
index ebab9933672e9e80eaa05c7243d63a2eccbc3d2e..b01597c05bf0280ea6cc6fa052ba98ff70526994 100644 (file)
--- a/services/api/test/functional/arvados/v1/users_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/users_controller_test.rb
@@ -861,6 +861,22 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
     end
   end
 
+  [['src', :active_trustedclient],
+   ['dst', :project_viewer_trustedclient]].each do |which_scoped, auth|
+    test "refuse to merge with scoped #{which_scoped} token" do
+      act_as_system_user do
+        api_client_authorizations(auth).update_attributes(scopes: ["GET /", "POST /", "PUT /"])
+      end
+      authorize_with(:active_trustedclient)
+      post(:merge, {
+             new_user_token: api_client_authorizations(:project_viewer_trustedclient).api_token,
+             new_owner_uuid: users(:project_viewer).uuid,
+             redirect_to_new_user: true,
+           })
+      assert_response(403)
+    end
+  end
+
   test "refuse to merge if new_owner_uuid is not writable" do
     authorize_with(:project_viewer_trustedclient)
     post(:merge, {
@@ -871,6 +887,25 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
     assert_response(403)
   end
 
+  test "refuse to merge if new_owner_uuid is empty" do
+    authorize_with(:project_viewer_trustedclient)
+    post(:merge, {
+           new_user_token: api_client_authorizations(:active_trustedclient).api_token,
+           new_owner_uuid: "",
+           redirect_to_new_user: true,
+         })
+    assert_response(422)
+  end
+
+  test "refuse to merge if new_owner_uuid is not provided" do
+    authorize_with(:project_viewer_trustedclient)
+    post(:merge, {
+           new_user_token: api_client_authorizations(:active_trustedclient).api_token,
+           redirect_to_new_user: true,
+         })
+    assert_response(422)
+  end
+
   test "refuse to update redirect_to_user_uuid directly" do
     authorize_with(:active_trustedclient)
     patch(:update, {