verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
'foo/usertestrepo', created['uuid'], 'arvados#repository', true, 'Repository'
- verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
+ verify_link response_items, 'arvados#group', true, 'permission', 'can_write',
'All users', created['uuid'], 'arvados#group', true, 'Group'
verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login',
verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
'foo/usertestrepo', created['uuid'], 'arvados#repository', true, 'Repository'
- verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
+ verify_link response_items, 'arvados#group', true, 'permission', 'can_write',
'All users', created['uuid'], 'arvados#group', true, 'Group'
verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login',
# two new links: system_group, and 'All users' group.
- verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
+ verify_link response_items, 'arvados#group', true, 'permission', 'can_write',
'All users', created['uuid'], 'arvados#group', true, 'Group'
verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login',
assert_equal 'foo@example.com', created['email'], 'expected input email'
# verify links
- verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
+ verify_link response_items, 'arvados#group', true, 'permission', 'can_write',
'All users', created['uuid'], 'arvados#group', true, 'Group'
verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
assert_equal created['email'], 'foo@example.com', 'expected original email'
# verify links
- verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
+ verify_link response_items, 'arvados#group', true, 'permission', 'can_write',
'All users', created['uuid'], 'arvados#group', true, 'Group'
verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login',
# four extra links: system_group, login, group, repo and vm
- verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
+ verify_link response_items, 'arvados#group', true, 'permission', 'can_write',
'All users', created['uuid'], 'arvados#group', true, 'Group'
verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
ApiClientAuthorization.create!(user: User.find_by_uuid(created['uuid']), api_client: ApiClient.all.first).api_token
end
+ # share project and collections with the new user
+ act_as_system_user do
+ Link.create!(tail_uuid: created['uuid'],
+ head_uuid: groups(:aproject).uuid,
+ link_class: 'permission',
+ name: 'can_manage')
+ Link.create!(tail_uuid: created['uuid'],
+ head_uuid: collections(:collection_owned_by_active).uuid,
+ link_class: 'permission',
+ name: 'can_read')
+ Link.create!(tail_uuid: created['uuid'],
+ head_uuid: collections(:collection_owned_by_active_with_file_stats).uuid,
+ link_class: 'permission',
+ name: 'can_write')
+ end
+
assert_equal 1, ApiClientAuthorization.where(user_id: User.find_by_uuid(created['uuid']).id).size, 'expected token not found'
post "/arvados/v1/users/#{created['uuid']}/unsetup", params: {}, headers: auth(:admin)
assert_not_nil created2['uuid'], 'expected uuid for the newly created user'
assert_equal created['uuid'], created2['uuid'], 'expected uuid not found'
assert_equal 0, ApiClientAuthorization.where(user_id: User.find_by_uuid(created['uuid']).id).size, 'token should have been deleted by user unsetup'
+ # check permissions are deleted
+ assert_empty Link.where(tail_uuid: created['uuid'])
verify_link_existence created['uuid'], created['email'], false, false, false, false, false
end
assert_response 403
end
+ test "disabling system root user not permitted" do
+ put("/arvados/v1/users/#{users(:system_user).uuid}",
+ params: {
+ user: {is_admin: false}
+ },
+ headers: auth(:admin))
+ assert_response 422
+
+ post("/arvados/v1/users/#{users(:system_user).uuid}/unsetup",
+ params: {},
+ headers: auth(:admin))
+ assert_response 422
+ end
+
+ test "creating users only accepted for admins" do
+ assert_equal false, users(:active).is_admin
+ post '/arvados/v1/users',
+ params: {
+ "user" => {
+ "email" => 'foo@example.com',
+ "username" => "barney"
+ }
+ },
+ headers: auth(:active)
+ assert_response 403
+ end
+
+ test "create users assigns the system root user as their owner" do
+ post '/arvados/v1/users',
+ params: {
+ "user" => {
+ "email" => 'foo@example.com',
+ "username" => "barney"
+ }
+ },
+ headers: auth(:admin)
+ assert_response :success
+ assert_not_nil json_response["uuid"]
+ assert_equal users(:system_user).uuid, json_response["owner_uuid"]
+ end
+
+ test "create users ignores provided owner_uuid field" do
+ assert_equal false, users(:admin).uuid == users(:system_user).uuid
+ post '/arvados/v1/users',
+ params: {
+ "user" => {
+ "email" => 'foo@example.com',
+ "owner_uuid" => users(:admin).uuid,
+ "username" => "barney"
+ }
+ },
+ headers: auth(:admin)
+ assert_response :success
+ assert_not_nil json_response["uuid"]
+ assert_equal users(:system_user).uuid, json_response["owner_uuid"]
+ end
end
projects / arvados.git / blobdiff