end
test "readable_by" do
- set_user_from_auth :active_trustedclient
+ set_user_from_auth :admin
ob = Collection.create!
Link.create!(tail_uuid: users(:active).uuid,
end
test "writable_by" do
- set_user_from_auth :active_trustedclient
+ set_user_from_auth :admin
ob = Collection.create!
Link.create!(tail_uuid: users(:active).uuid,
end
test "manager user gets permission to minions' articles via can_manage link" do
+ Rails.configuration.Users.RoleGroupsVisibleToAll = false
+ Rails.configuration.Users.ActivatedUsersAreVisibleToOthers = false
manager = create :active_user, first_name: "Manage", last_name: "Er"
minion = create :active_user, first_name: "Min", last_name: "Ion"
minions_specimen = act_as_user minion do
end
test "users with bidirectional read permission in group can see each other, but cannot see each other's private articles" do
+ Rails.configuration.Users.ActivatedUsersAreVisibleToOthers = false
a = create :active_user, first_name: "A"
b = create :active_user, first_name: "B"
other = create :active_user, first_name: "OTHER"
test "add user to group, then remove them" do
set_user_from_auth :admin
grp = Group.create!(owner_uuid: system_user_uuid, group_class: "role")
- col = Collection.create!(owner_uuid: grp.uuid)
+ col = Collection.create!(owner_uuid: system_user_uuid)
+
+ l0 = Link.create!(tail_uuid: grp.uuid,
+ head_uuid: col.uuid,
+ link_class: 'permission',
+ name: 'can_read')
+
assert_empty Collection.readable_by(users(:active)).where(uuid: col.uuid)
assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid)
test "add user to group, then change permission level" do
set_user_from_auth :admin
- grp = Group.create!(owner_uuid: system_user_uuid, group_class: "role")
+ grp = Group.create!(owner_uuid: system_user_uuid, group_class: "project")
col = Collection.create!(owner_uuid: grp.uuid)
assert_empty Collection.readable_by(users(:active)).where(uuid: col.uuid)
assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid)
head_uuid: grp.uuid,
link_class: 'permission',
name: 'can_manage')
- l2 = Link.create!(tail_uuid: grp.uuid,
- head_uuid: users(:active).uuid,
- link_class: 'permission',
- name: 'can_read')
assert Collection.readable_by(users(:active)).where(uuid: col.uuid).first
assert users(:active).can?(read: col.uuid)
test "add user to group, then add overlapping permission link to group" do
set_user_from_auth :admin
- grp = Group.create!(owner_uuid: system_user_uuid, group_class: "role")
+ grp = Group.create!(owner_uuid: system_user_uuid, group_class: "project")
col = Collection.create!(owner_uuid: grp.uuid)
assert_empty Collection.readable_by(users(:active)).where(uuid: col.uuid)
assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid)
head_uuid: grp.uuid,
link_class: 'permission',
name: 'can_manage')
- l2 = Link.create!(tail_uuid: grp.uuid,
- head_uuid: users(:active).uuid,
- link_class: 'permission',
- name: 'can_read')
assert Collection.readable_by(users(:active)).where(uuid: col.uuid).first
assert users(:active).can?(read: col.uuid)
assert users(:active).can?(write: col.uuid)
assert users(:active).can?(manage: col.uuid)
- l3.destroy!
+ # Creating l3 should have automatically deleted l1 and upgraded to
+ # the max permission of {l1, l3}, i.e., can_manage (see #18693) so
+ # there should be no can_read link now.
+ refute Link.where(tail_uuid: l3.tail_uuid,
+ head_uuid: l3.head_uuid,
+ link_class: 'permission',
+ name: 'can_read').any?
assert Collection.readable_by(users(:active)).where(uuid: col.uuid).first
assert users(:active).can?(read: col.uuid)
test "add user to group, then add overlapping permission link to subproject" do
set_user_from_auth :admin
- grp = Group.create!(owner_uuid: system_user_uuid, group_class: "project")
- prj = Group.create!(owner_uuid: grp.uuid, group_class: "project")
+ grp = Group.create!(owner_uuid: system_user_uuid, group_class: "role")
+ prj = Group.create!(owner_uuid: system_user_uuid, group_class: "project")
+
+ l0 = Link.create!(tail_uuid: grp.uuid,
+ head_uuid: prj.uuid,
+ link_class: 'permission',
+ name: 'can_manage')
+
assert_empty Group.readable_by(users(:active)).where(uuid: prj.uuid)
assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid)
assert users(:active).can?(write: prj.uuid)
assert users(:active).can?(manage: prj.uuid)
- l3.destroy!
+ # Creating l3 should have automatically deleted l0 and upgraded to
+ # the max permission of {l0, l3}, i.e., can_manage (see #18693) so
+ # there should be no can_read link now.
+ refute Link.where(tail_uuid: l3.tail_uuid,
+ head_uuid: l3.head_uuid,
+ link_class: 'permission',
+ name: 'can_read').any?
assert Group.readable_by(users(:active)).where(uuid: prj.uuid).first
assert users(:active).can?(read: prj.uuid)
assert users(:active).can?(write: prj.uuid)
assert users(:active).can?(manage: prj.uuid)
end
+
+ [system_user_uuid, anonymous_user_uuid].each do |u|
+ test "cannot delete system user #{u}" do
+ act_as_system_user do
+ assert_raises ArvadosModel::PermissionDeniedError do
+ User.find_by_uuid(u).destroy
+ end
+ end
+ end
+ end
+
+ [system_group_uuid, anonymous_group_uuid, public_project_uuid].each do |g|
+ test "cannot delete system group #{g}" do
+ act_as_system_user do
+ assert_raises ArvadosModel::PermissionDeniedError do
+ Group.find_by_uuid(g).destroy
+ end
+ end
+ end
+ end
+
+ # Show query plan for readable_by query. The plan for a test db
+ # might not resemble the plan for a production db, but it doesn't
+ # hurt to show the test db plan in test logs, and the .
+ [false, true].each do |include_trash|
+ test "query plan, include_trash=#{include_trash}" do
+ sql = Collection.readable_by(users(:active), include_trash: include_trash).to_sql
+ sql = "explain analyze #{sql}"
+ STDERR.puts sql
+ q = ActiveRecord::Base.connection.exec_query(sql)
+ q.rows.each do |row| STDERR.puts(row) end
+ end
+ end
end
projects / arvados.git / blobdiff