+ found_uuids = json_response['items'].collect { |i| i['uuid'] }
+ [[:in_aproject, true],
+ [:in_asubproject, true],
+ [:owned_by_private_group, false]].each do |specimen_fixture, should_find|
+ if should_find
+ assert_includes found_uuids, specimens(specimen_fixture).uuid, "did not find specimen fixture '#{specimen_fixture}'"
+ else
+ refute_includes found_uuids, specimens(specimen_fixture).uuid, "found specimen fixture '#{specimen_fixture}'"
+ end
+ end
+ end
+
+ test "list objects in home project" do
+ authorize_with :active
+ get :contents, {
+ format: :json,
+ id: users(:active).uuid
+ }
+ assert_response :success
+ found_uuids = json_response['items'].collect { |i| i['uuid'] }
+ assert_includes found_uuids, specimens(:owned_by_active_user).uuid, "specimen did not appear in home project"
+ refute_includes found_uuids, specimens(:in_asubproject).uuid, "specimen appeared unexpectedly in home project"
+ end
+
+ test "user with project read permission can see project collections" do
+ authorize_with :project_viewer
+ get :contents, {
+ id: groups(:asubproject).uuid,
+ format: :json,
+ }
+ ids = json_response['items'].map { |item| item["uuid"] }
+ assert_includes ids, collections(:baz_file_in_asubproject).uuid
+ end
+
+ [['asc', :<=],
+ ['desc', :>=]].each do |order, operator|
+ test "user with project read permission can sort project collections #{order}" do
+ authorize_with :project_viewer
+ get :contents, {
+ id: groups(:asubproject).uuid,
+ format: :json,
+ filters: [['uuid', 'is_a', "arvados#collection"]],
+ order: "collections.name #{order}"
+ }
+ sorted_names = json_response['items'].collect { |item| item["name"] }
+ # Here we avoid assuming too much about the database
+ # collation. Both "alice"<"Bob" and "alice">"Bob" can be
+ # correct. Hopefully it _is_ safe to assume that if "a" comes
+ # before "b" in the ascii alphabet, "aX">"bY" is never true for
+ # any strings X and Y.
+ reliably_sortable_names = sorted_names.select do |name|
+ name[0] >= 'a' and name[0] <= 'z'
+ end.uniq do |name|
+ name[0]
+ end
+ # Preserve order of sorted_names. But do not use &=. If
+ # sorted_names has out-of-order duplicates, we want to preserve
+ # them here, so we can detect them and fail the test below.
+ sorted_names.select! do |name|
+ reliably_sortable_names.include? name
+ end
+ actually_checked_anything = false
+ previous = nil
+ sorted_names.each do |entry|
+ if previous
+ assert_operator(previous, operator, entry,
+ "Entries sorted incorrectly.")
+ actually_checked_anything = true
+ end
+ previous = entry
+ end
+ assert actually_checked_anything, "Didn't even find two names to compare."
+ end
+ end
+
+ test 'list objects across multiple projects' do
+ authorize_with :project_viewer
+ get :contents, {
+ format: :json,
+ filters: [['uuid', 'is_a', 'arvados#specimen']]
+ }
+ assert_response :success
+ found_uuids = json_response['items'].collect { |i| i['uuid'] }
+ [[:in_aproject, true],
+ [:in_asubproject, true],
+ [:owned_by_private_group, false]].each do |specimen_fixture, should_find|
+ if should_find
+ assert_includes found_uuids, specimens(specimen_fixture).uuid, "did not find specimen fixture '#{specimen_fixture}'"
+ else
+ refute_includes found_uuids, specimens(specimen_fixture).uuid, "found specimen fixture '#{specimen_fixture}'"
+ end
+ end
+ end
+
+ # Even though the project_viewer tests go through other controllers,
+ # I'm putting them here so they're easy to find alongside the other
+ # project tests.
+ def check_new_project_link_fails(link_attrs)
+ @controller = Arvados::V1::LinksController.new
+ post :create, link: {
+ link_class: "permission",
+ name: "can_read",
+ head_uuid: groups(:aproject).uuid,
+ }.merge(link_attrs)
+ assert_includes(403..422, response.status)
+ end
+
+ test "user with project read permission can't add users to it" do
+ authorize_with :project_viewer
+ check_new_project_link_fails(tail_uuid: users(:spectator).uuid)
+ end
+
+ test "user with project read permission can't add items to it" do
+ authorize_with :project_viewer
+ check_new_project_link_fails(tail_uuid: collections(:baz_file).uuid)
+ end
+
+ test "user with project read permission can't rename items in it" do
+ authorize_with :project_viewer
+ @controller = Arvados::V1::LinksController.new
+ post :update, {
+ id: jobs(:running).uuid,
+ name: "Denied test name",
+ }
+ assert_includes(403..404, response.status)
+ end
+
+ test "user with project read permission can't remove items from it" do
+ @controller = Arvados::V1::PipelineTemplatesController.new
+ authorize_with :project_viewer
+ post :update, {
+ id: pipeline_templates(:two_part).uuid,
+ pipeline_template: {
+ owner_uuid: users(:project_viewer).uuid,
+ }
+ }
+ assert_response 403
+ end
+
+ test "user with project read permission can't delete it" do
+ authorize_with :project_viewer
+ post :destroy, {id: groups(:aproject).uuid}
+ assert_response 403