+ post :destroy, id: groups(:all_users).uuid
+ assert_response 403
+ end
+
+ test "get list of projects" do
+ authorize_with :active
+ get :index, filters: [['group_class', 'in', ['project', 'folder']]], format: :json
+ assert_response :success
+ group_uuids = []
+ json_response['items'].each do |group|
+ assert_includes ['folder', 'project'], group['group_class']
+ group_uuids << group['uuid']
+ end
+ assert_includes group_uuids, groups(:aproject).uuid
+ assert_includes group_uuids, groups(:asubproject).uuid
+ assert_not_includes group_uuids, groups(:system_group).uuid
+ assert_not_includes group_uuids, groups(:private).uuid
+ end
+
+ test "get list of groups that are not projects" do
+ authorize_with :active
+ get :index, filters: [['group_class', '=', nil]], format: :json
+ assert_response :success
+ group_uuids = []
+ json_response['items'].each do |group|
+ assert_equal nil, group['group_class']
+ group_uuids << group['uuid']
+ end
+ assert_not_includes group_uuids, groups(:aproject).uuid
+ assert_not_includes group_uuids, groups(:asubproject).uuid
+ assert_includes group_uuids, groups(:private).uuid
+ end
+
+ test "get list of groups with bogus group_class" do
+ authorize_with :active
+ get :index, {
+ filters: [['group_class', '=', 'nogrouphasthislittleclass']],
+ format: :json,
+ }
+ assert_response :success
+ assert_equal [], json_response['items']
+ assert_equal 0, json_response['items_available']
+ end
+
+ def check_project_contents_response
+ assert_response :success
+ assert_operator 2, :<=, json_response['items_available']
+ assert_operator 2, :<=, json_response['items'].count
+ kinds = json_response['items'].collect { |i| i['kind'] }.uniq
+ expect_kinds = %w'arvados#group arvados#specimen arvados#pipelineTemplate arvados#job'
+ assert_equal expect_kinds, (expect_kinds & kinds)
+
+ json_response['items'].each do |i|
+ if i['kind'] == 'arvados#group'
+ assert(i['group_class'] == 'project',
+ "group#contents returned a non-project group")
+ end
+ end
+ end
+
+ test 'get group-owned objects' do
+ authorize_with :active
+ get :contents, {
+ id: groups(:aproject).uuid,
+ format: :json,
+ include_linked: true,
+ }
+ check_project_contents_response
+ end
+
+ test "user with project read permission can see project objects" do
+ authorize_with :project_viewer
+ get :contents, {
+ id: groups(:aproject).uuid,
+ format: :json,
+ include_linked: true,
+ }
+ check_project_contents_response
+ end
+
+ [false, true].each do |include_linked|
+ test "list objects across projects, include_linked=#{include_linked}" do
+ authorize_with :project_viewer
+ get :contents, {
+ format: :json,
+ include_linked: include_linked,
+ filters: [['uuid', 'is_a', 'arvados#specimen']]
+ }
+ assert_response :success
+ found_uuids = json_response['items'].collect { |i| i['uuid'] }
+ [[:in_aproject, true],
+ [:in_asubproject, true],
+ [:owned_by_private_group, false]].each do |specimen_fixture, should_find|
+ if should_find
+ assert_includes found_uuids, specimens(specimen_fixture).uuid, "did not find specimen fixture '#{specimen_fixture}'"
+ else
+ refute_includes found_uuids, specimens(specimen_fixture).uuid, "found specimen fixture '#{specimen_fixture}'"
+ end
+ end
+ end
+
+ test "user with project read permission can see project collections" do
+ authorize_with :project_viewer
+ get :contents, {
+ id: groups(:asubproject).uuid,
+ format: :json,
+ include_linked: true,
+ }
+ ids = json_response['items'].map { |item| item["uuid"] }
+ assert_includes ids, collections(:baz_file).uuid
+ end
+
+ test 'list objects across multiple projects' do
+ authorize_with :project_viewer
+ get :contents, {
+ format: :json,
+ include_linked: false,
+ filters: [['uuid', 'is_a', 'arvados#specimen']]
+ }
+ assert_response :success
+ found_uuids = json_response['items'].collect { |i| i['uuid'] }
+ [[:in_aproject, true],
+ [:in_asubproject, true],
+ [:owned_by_private_group, false]].each do |specimen_fixture, should_find|
+ if should_find
+ assert_includes found_uuids, specimens(specimen_fixture).uuid, "did not find specimen fixture '#{specimen_fixture}'"
+ else
+ refute_includes found_uuids, specimens(specimen_fixture).uuid, "found specimen fixture '#{specimen_fixture}'"
+ end
+ end
+ end
+
+ # Even though the project_viewer tests go through other controllers,
+ # I'm putting them here so they're easy to find alongside the other
+ # project tests.
+ def check_new_project_link_fails(link_attrs)
+ @controller = Arvados::V1::LinksController.new
+ post :create, link: {
+ link_class: "permission",
+ name: "can_read",
+ head_uuid: groups(:aproject).uuid,
+ }.merge(link_attrs)
+ assert_includes(403..422, response.status)
+ end
+
+ test "user with project read permission can't add users to it" do
+ authorize_with :project_viewer
+ check_new_project_link_fails(tail_uuid: users(:spectator).uuid)
+ end
+
+ test "user with project read permission can't add items to it" do
+ authorize_with :project_viewer
+ check_new_project_link_fails(tail_uuid: collections(:baz_file).uuid)
+ end
+
+ test "user with project read permission can't rename items in it" do
+ authorize_with :project_viewer
+ @controller = Arvados::V1::LinksController.new
+ post :update, {
+ id: links(:job_name_in_aproject).uuid,
+ link: {name: "Denied test name"},
+ }
+ assert_includes(403..404, response.status)
+ end
+
+ test "user with project read permission can't remove items from it" do
+ @controller = Arvados::V1::PipelineTemplatesController.new
+ authorize_with :project_viewer
+ post :update, {
+ id: links(:template_name_in_aproject).head_uuid,
+ pipeline_template: {
+ owner_uuid: users(:project_viewer).uuid,
+ }
+ }