X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/0561bd0c3c07257fd58ded6c7cfa5feeae97af57..9ed6176060dfe4a7cd477c201d6a1323f9489664:/services/api/test/integration/permissions_test.rb diff --git a/services/api/test/integration/permissions_test.rb b/services/api/test/integration/permissions_test.rb index f8f1e254bf..65f5adc1d1 100644 --- a/services/api/test/integration/permissions_test.rb +++ b/services/api/test/integration/permissions_test.rb @@ -6,109 +6,132 @@ require 'test_helper' class PermissionsTest < ActionDispatch::IntegrationTest include DbCurrentTime - include CurrentApiClient # for empty_collection fixtures :users, :groups, :api_client_authorizations, :collections - teardown do - User.invalidate_permissions_cache db_current_time.to_i - end - test "adding and removing direct can_read links" do # try to read collection as spectator - get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) + get "/arvados/v1/collections/#{collections(:foo_file).uuid}", + params: {:format => :json}, + headers: auth(:spectator) assert_response 404 # try to add permission as spectator - post "/arvados/v1/links", { - :format => :json, - :link => { - tail_uuid: users(:spectator).uuid, - link_class: 'permission', - name: 'can_read', - head_uuid: collections(:foo_file).uuid, - properties: {} - } - }, auth(:spectator) + post "/arvados/v1/links", + params: { + :format => :json, + :link => { + tail_uuid: users(:spectator).uuid, + link_class: 'permission', + name: 'can_read', + head_uuid: collections(:foo_file).uuid, + properties: {} + } + }, + headers: auth(:spectator) assert_response 422 # add permission as admin - post "/arvados/v1/links", { - :format => :json, - :link => { - tail_uuid: users(:spectator).uuid, - link_class: 'permission', - name: 'can_read', - head_uuid: collections(:foo_file).uuid, - properties: {} - } - }, auth(:admin) + post "/arvados/v1/links", + params: { + :format => :json, + :link => { + tail_uuid: users(:spectator).uuid, + link_class: 'permission', + name: 'can_read', + head_uuid: collections(:foo_file).uuid, + properties: {} + } + }, + headers: auth(:admin) u = json_response['uuid'] assert_response :success # read collection as spectator - get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) + get "/arvados/v1/collections/#{collections(:foo_file).uuid}", + params: {:format => :json}, + headers: auth(:spectator) assert_response :success # try to delete permission as spectator - delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:spectator) + delete "/arvados/v1/links/#{u}", + params: {:format => :json}, + headers: auth(:spectator) assert_response 403 # delete permission as admin - delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin) + delete "/arvados/v1/links/#{u}", + params: {:format => :json}, + headers: auth(:admin) assert_response :success # try to read collection as spectator - get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) + get "/arvados/v1/collections/#{collections(:foo_file).uuid}", + params: {:format => :json}, + headers: auth(:spectator) assert_response 404 end test "adding can_read links from user to group, group to collection" do # try to read collection as spectator - get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) + get "/arvados/v1/collections/#{collections(:foo_file).uuid}", + params: {:format => :json}, + headers: auth(:spectator) assert_response 404 # add permission for spectator to read group - post "/arvados/v1/links", { - :format => :json, - :link => { - tail_uuid: users(:spectator).uuid, - link_class: 'permission', - name: 'can_read', - head_uuid: groups(:private).uuid, - properties: {} - } - }, auth(:admin) + post "/arvados/v1/links", + params: { + :format => :json, + :link => { + tail_uuid: users(:spectator).uuid, + link_class: 'permission', + name: 'can_read', + head_uuid: groups(:private_role).uuid, + properties: {} + } + }, + headers: auth(:admin) assert_response :success # try to read collection as spectator - get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) + get "/arvados/v1/collections/#{collections(:foo_file).uuid}", + params: {:format => :json}, + headers: auth(:spectator) assert_response 404 # add permission for group to read collection - post "/arvados/v1/links", { - :format => :json, - :link => { - tail_uuid: groups(:private).uuid, - link_class: 'permission', - name: 'can_read', - head_uuid: collections(:foo_file).uuid, - properties: {} - } - }, auth(:admin) + post "/arvados/v1/links", + params: { + :format => :json, + :link => { + tail_uuid: groups(:private_role).uuid, + link_class: 'permission', + name: 'can_read', + head_uuid: collections(:foo_file).uuid, + properties: {} + } + }, + headers: auth(:admin) u = json_response['uuid'] assert_response :success # try to read collection as spectator - get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) + get "/arvados/v1/collections/#{collections(:foo_file).uuid}", + params: {:format => :json}, + headers: auth(:spectator) assert_response :success # delete permission for group to read collection - delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin) + delete "/arvados/v1/links/#{u}", + params: {:format => :json}, + headers: auth(:admin) assert_response :success # try to read collection as spectator - get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) + get "/arvados/v1/collections/#{collections(:foo_file).uuid}", + params: {:format => :json}, + headers: auth(:spectator) assert_response 404 end @@ -116,141 +139,175 @@ class PermissionsTest < ActionDispatch::IntegrationTest test "adding can_read links from group to collection, user to group" do # try to read collection as spectator - get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) + get "/arvados/v1/collections/#{collections(:foo_file).uuid}", + params: {:format => :json}, + headers: auth(:spectator) assert_response 404 # add permission for group to read collection - post "/arvados/v1/links", { - :format => :json, - :link => { - tail_uuid: groups(:private).uuid, - link_class: 'permission', - name: 'can_read', - head_uuid: collections(:foo_file).uuid, - properties: {} - } - }, auth(:admin) + post "/arvados/v1/links", + params: { + :format => :json, + :link => { + tail_uuid: groups(:private_role).uuid, + link_class: 'permission', + name: 'can_read', + head_uuid: collections(:foo_file).uuid, + properties: {} + } + }, + headers: auth(:admin) assert_response :success # try to read collection as spectator - get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) + get "/arvados/v1/collections/#{collections(:foo_file).uuid}", + params: {:format => :json}, + headers: auth(:spectator) assert_response 404 # add permission for spectator to read group - post "/arvados/v1/links", { - :format => :json, - :link => { - tail_uuid: users(:spectator).uuid, - link_class: 'permission', - name: 'can_read', - head_uuid: groups(:private).uuid, - properties: {} - } - }, auth(:admin) + post "/arvados/v1/links", + params: { + :format => :json, + :link => { + tail_uuid: users(:spectator).uuid, + link_class: 'permission', + name: 'can_read', + head_uuid: groups(:private_role).uuid, + properties: {} + } + }, + headers: auth(:admin) u = json_response['uuid'] assert_response :success # try to read collection as spectator - get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) + get "/arvados/v1/collections/#{collections(:foo_file).uuid}", + params: {:format => :json}, + headers: auth(:spectator) assert_response :success # delete permission for spectator to read group - delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin) + delete "/arvados/v1/links/#{u}", + params: {:format => :json}, + headers: auth(:admin) assert_response :success # try to read collection as spectator - get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) + get "/arvados/v1/collections/#{collections(:foo_file).uuid}", + params: {:format => :json}, + headers: auth(:spectator) assert_response 404 end test "adding can_read links from user to group, group to group, group to collection" do # try to read collection as spectator - get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) + get "/arvados/v1/collections/#{collections(:foo_file).uuid}", + params: {:format => :json}, + headers: auth(:spectator) assert_response 404 # add permission for user to read group - post "/arvados/v1/links", { - :format => :json, - :link => { - tail_uuid: users(:spectator).uuid, - link_class: 'permission', - name: 'can_read', - head_uuid: groups(:private).uuid, - properties: {} - } - }, auth(:admin) + post "/arvados/v1/links", + params: { + :format => :json, + :link => { + tail_uuid: users(:spectator).uuid, + link_class: 'permission', + name: 'can_read', + head_uuid: groups(:private_role).uuid, + properties: {} + } + }, + headers: auth(:admin) assert_response :success # add permission for group to read group - post "/arvados/v1/links", { - :format => :json, - :link => { - tail_uuid: groups(:private).uuid, - link_class: 'permission', - name: 'can_read', - head_uuid: groups(:empty_lonely_group).uuid, - properties: {} - } - }, auth(:admin) + post "/arvados/v1/links", + params: { + :format => :json, + :link => { + tail_uuid: groups(:private_role).uuid, + link_class: 'permission', + name: 'can_read', + head_uuid: groups(:empty_lonely_group).uuid, + properties: {} + } + }, + headers: auth(:admin) assert_response :success # add permission for group to read collection - post "/arvados/v1/links", { - :format => :json, - :link => { - tail_uuid: groups(:empty_lonely_group).uuid, - link_class: 'permission', - name: 'can_read', - head_uuid: collections(:foo_file).uuid, - properties: {} - } - }, auth(:admin) + post "/arvados/v1/links", + params: { + :format => :json, + :link => { + tail_uuid: groups(:empty_lonely_group).uuid, + link_class: 'permission', + name: 'can_read', + head_uuid: collections(:foo_file).uuid, + properties: {} + } + }, + headers: auth(:admin) u = json_response['uuid'] assert_response :success # try to read collection as spectator - get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) + get "/arvados/v1/collections/#{collections(:foo_file).uuid}", + params: {:format => :json}, + headers: auth(:spectator) assert_response :success # delete permission for group to read collection - delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin) + delete "/arvados/v1/links/#{u}", + params: {:format => :json}, + headers: auth(:admin) assert_response :success # try to read collection as spectator - get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) + get "/arvados/v1/collections/#{collections(:foo_file).uuid}", + params: {:format => :json}, + headers: auth(:spectator) assert_response 404 end test "read-only group-admin cannot modify administered user" do - put "/arvados/v1/users/#{users(:active).uuid}", { - :user => { - first_name: 'KilroyWasHere' + put "/arvados/v1/users/#{users(:active).uuid}", + params: { + :user => { + first_name: 'KilroyWasHere' + }, + :format => :json }, - :format => :json - }, auth(:rominiadmin) + headers: auth(:rominiadmin) assert_response 403 end test "read-only group-admin cannot read or update non-administered user" do - get "/arvados/v1/users/#{users(:spectator).uuid}", { - :format => :json - }, auth(:rominiadmin) + get "/arvados/v1/users/#{users(:spectator).uuid}", + params: {:format => :json}, + headers: auth(:rominiadmin) assert_response 404 - put "/arvados/v1/users/#{users(:spectator).uuid}", { - :user => { - first_name: 'KilroyWasHere' + put "/arvados/v1/users/#{users(:spectator).uuid}", + params: { + :user => { + first_name: 'KilroyWasHere' + }, + :format => :json }, - :format => :json - }, auth(:rominiadmin) + headers: auth(:rominiadmin) assert_response 404 end test "RO group-admin finds user's specimens, RW group-admin can update" do [[:rominiadmin, false], [:miniadmin, true]].each do |which_user, update_should_succeed| - get "/arvados/v1/specimens", {:format => :json}, auth(which_user) + get "/arvados/v1/specimens", + params: {:format => :json}, + headers: auth(which_user) assert_response :success resp_uuids = json_response['items'].collect { |i| i['uuid'] } [[true, specimens(:owned_by_active_user).uuid], @@ -262,14 +319,16 @@ class PermissionsTest < ActionDispatch::IntegrationTest [which_user.to_s, should_find ? '' : 'not ', uuid]) - put "/arvados/v1/specimens/#{uuid}", { - :specimen => { - properties: { - miniadmin_was_here: true - } + put "/arvados/v1/specimens/#{uuid}", + params: { + :specimen => { + properties: { + miniadmin_was_here: true + } + }, + :format => :json }, - :format => :json - }, auth(which_user) + headers: auth(which_user) if !should_find assert_response 404 elsif !update_should_succeed @@ -283,95 +342,373 @@ class PermissionsTest < ActionDispatch::IntegrationTest test "get_permissions returns list" do # First confirm that user :active cannot get permissions on group :public - get "/arvados/v1/permissions/#{groups(:public).uuid}", nil, auth(:active) + get "/arvados/v1/permissions/#{groups(:public).uuid}", + params: nil, + headers: auth(:active) assert_response 404 - # add some permissions, including can_manage - # permission for user :active - post "/arvados/v1/links", { - :format => :json, - :link => { - tail_uuid: users(:spectator).uuid, - link_class: 'permission', - name: 'can_read', - head_uuid: groups(:public).uuid, - properties: {} - } - }, auth(:admin) + get "/arvados/v1/links", + params: { + :filters => [["link_class", "=", "permission"], ["head_uuid", "=", groups(:public).uuid]].to_json + }, + headers: auth(:active) + assert_response :success + assert_equal [], json_response['items'] + + ### add some permissions, including can_manage + ### permission for user :active + post "/arvados/v1/links", + params: { + :format => :json, + :link => { + tail_uuid: users(:spectator).uuid, + link_class: 'permission', + name: 'can_read', + head_uuid: groups(:public).uuid, + properties: {} + } + }, + headers: auth(:admin) assert_response :success can_read_uuid = json_response['uuid'] - post "/arvados/v1/links", { - :format => :json, - :link => { - tail_uuid: users(:inactive).uuid, - link_class: 'permission', - name: 'can_write', - head_uuid: groups(:public).uuid, - properties: {} - } - }, auth(:admin) + post "/arvados/v1/links", + params: { + :format => :json, + :link => { + tail_uuid: users(:inactive).uuid, + link_class: 'permission', + name: 'can_write', + head_uuid: groups(:public).uuid, + properties: {} + } + }, + headers: auth(:admin) assert_response :success can_write_uuid = json_response['uuid'] - post "/arvados/v1/links", { - :format => :json, - :link => { - tail_uuid: users(:active).uuid, - link_class: 'permission', - name: 'can_manage', - head_uuid: groups(:public).uuid, - properties: {} - } - }, auth(:admin) + # Still should not be able read these permission links + get "/arvados/v1/permissions/#{groups(:public).uuid}", + params: nil, + headers: auth(:active) + assert_response 404 + + get "/arvados/v1/links", + params: { + :filters => [["link_class", "=", "permission"], ["head_uuid", "=", groups(:public).uuid]].to_json + }, + headers: auth(:active) + assert_response :success + assert_equal [], json_response['items'] + + # Shouldn't be able to read links directly either + get "/arvados/v1/links/#{can_read_uuid}", + params: {}, + headers: auth(:active) + assert_response 404 + + ### Now add a can_manage link + post "/arvados/v1/links", + params: { + :format => :json, + :link => { + tail_uuid: users(:active).uuid, + link_class: 'permission', + name: 'can_manage', + head_uuid: groups(:public).uuid, + properties: {} + } + }, + headers: auth(:admin) assert_response :success can_manage_uuid = json_response['uuid'] - # Now user :active should be able to retrieve permissions - # on group :public. + # user :active should be able to retrieve permissions + # on group :public using get_permissions get("/arvados/v1/permissions/#{groups(:public).uuid}", - { :format => :json }, - auth(:active)) + params: { :format => :json }, + headers: auth(:active)) + assert_response :success + + perm_uuids = json_response['items'].map { |item| item['uuid'] } + assert_includes perm_uuids, can_read_uuid, "can_read_uuid not found" + assert_includes perm_uuids, can_write_uuid, "can_write_uuid not found" + assert_includes perm_uuids, can_manage_uuid, "can_manage_uuid not found" + + # user :active should be able to retrieve permissions + # on group :public using link list + get "/arvados/v1/links", + params: { + :filters => [["link_class", "=", "permission"], ["head_uuid", "=", groups(:public).uuid]].to_json + }, + headers: auth(:active) assert_response :success perm_uuids = json_response['items'].map { |item| item['uuid'] } assert_includes perm_uuids, can_read_uuid, "can_read_uuid not found" assert_includes perm_uuids, can_write_uuid, "can_write_uuid not found" assert_includes perm_uuids, can_manage_uuid, "can_manage_uuid not found" + + # Should be able to read links directly too + get "/arvados/v1/links/#{can_read_uuid}", + headers: auth(:active) + assert_response :success + + ### Create some objects of different types (other than projects) + ### inside a subproject inside the shared project, and share those + ### individual objects with a 3rd user ("spectator"). + post '/arvados/v1/groups', + params: { + group: { + owner_uuid: groups(:public).uuid, + name: 'permission test subproject', + group_class: 'project', + }, + }, + headers: auth(:admin) + assert_response :success + subproject_uuid = json_response['uuid'] + + test_types = ['collection', 'workflow', 'container_request'] + test_type_create_attrs = { + 'container_request' => { + command: ["echo", "foo"], + container_image: links(:docker_image_collection_tag).name, + cwd: "/tmp", + environment: {}, + mounts: {"/out" => {kind: "tmp", capacity: 1000000}}, + output_path: "/out", + runtime_constraints: {"vcpus" => 1, "ram" => 2}, + }, + } + + test_object = {} + test_object_perm_link = {} + test_types.each do |test_type| + post "/arvados/v1/#{test_type}s", + params: { + test_type.to_sym => { + owner_uuid: subproject_uuid, + name: "permission test #{test_type} in subproject", + }.merge(test_type_create_attrs[test_type] || {}).to_json, + }, + headers: auth(:admin) + assert_response :success + test_object[test_type] = json_response + + post '/arvados/v1/links', + params: { + link: { + tail_uuid: users(:spectator).uuid, + link_class: 'permission', + name: 'can_read', + head_uuid: test_object[test_type]['uuid'], + } + }, + headers: auth(:admin) + assert_response :success + test_object_perm_link[test_type] = json_response + end + + # The "active-can_manage-project" permission should cause the + # "spectator-can_read-object" links to be visible to the "active" + # user. + test_types.each do |test_type| + get "/arvados/v1/permissions/#{test_object[test_type]['uuid']}", + headers: auth(:active) + assert_response :success + perm_uuids = json_response['items'].map { |item| item['uuid'] } + assert_includes perm_uuids, test_object_perm_link[test_type]['uuid'], "can_read_uuid not found" + + get "/arvados/v1/links/#{test_object_perm_link[test_type]['uuid']}", + headers: auth(:active) + assert_response :success + + [ + ['head_uuid', '=', test_object[test_type]['uuid']], + ['head_uuid', 'in', [test_object[test_type]['uuid']]], + ['head_uuid', 'in', [users(:admin).uuid, test_object[test_type]['uuid']]], + ].each do |filter| + get "/arvados/v1/links", + params: { + filters: ([['link_class', '=', 'permission'], filter]).to_json, + }, + headers: auth(:active) + assert_response :success + assert_not_empty json_response['items'], "could not find can_read link using index with filter #{filter}" + assert_equal test_object_perm_link[test_type]['uuid'], json_response['items'][0]['uuid'] + end + + # The "spectator-can_read-object" link should be visible to the + # subject user ("spectator") in a filter query, even without + # can_manage permission on the target object. + [ + ['tail_uuid', '=', users(:spectator).uuid], + ].each do |filter| + get "/arvados/v1/links", + params: { + filters: ([['link_class', '=', 'permission'], filter]).to_json, + }, + headers: auth(:spectator) + assert_response :success + perm_uuids = json_response['items'].map { |item| item['uuid'] } + assert_includes perm_uuids, test_object_perm_link[test_type]['uuid'], "could not find can_read link using index with filter #{filter}" + end + end + + ### Now delete the can_manage link + delete "/arvados/v1/links/#{can_manage_uuid}", + headers: auth(:active) + assert_response :success + + # Should not be able read these permission links again + test_types.each do |test_type| + get "/arvados/v1/permissions/#{groups(:public).uuid}", + headers: auth(:active) + assert_response 404 + + get "/arvados/v1/permissions/#{test_object[test_type]['uuid']}", + headers: auth(:active) + assert_response 404 + + get "/arvados/v1/links", + params: { + filters: [["link_class", "=", "permission"], ["head_uuid", "=", groups(:public).uuid]].to_json + }, + headers: auth(:active) + assert_response :success + assert_equal [], json_response['items'] + + [ + ['head_uuid', '=', test_object[test_type]['uuid']], + ['head_uuid', 'in', [users(:admin).uuid, test_object[test_type]['uuid']]], + ['head_uuid', 'in', []], + ].each do |filter| + get "/arvados/v1/links", + params: { + :filters => [["link_class", "=", "permission"], filter].to_json + }, + headers: auth(:active) + assert_response :success + assert_equal [], json_response['items'] + end + + # Should not be able to read links directly either + get "/arvados/v1/links/#{can_read_uuid}", + headers: auth(:active) + assert_response 404 + + test_types.each do |test_type| + get "/arvados/v1/links/#{test_object_perm_link[test_type]['uuid']}", + headers: auth(:active) + assert_response 404 + end + end + + ### Create a collection, and share it with a direct permission + ### link (as opposed to sharing its parent project) + post "/arvados/v1/collections", + params: { + collection: { + name: 'permission test', + } + }, + headers: auth(:admin) + assert_response :success + collection_uuid = json_response['uuid'] + post "/arvados/v1/links", + params: { + link: { + tail_uuid: users(:spectator).uuid, + link_class: 'permission', + name: 'can_read', + head_uuid: collection_uuid, + properties: {} + } + }, + headers: auth(:admin) + assert_response :success + can_read_collection_uuid = json_response['uuid'] + + # Should not be able read the permission link via permissions API, + # because permission is only can_read, not can_manage + get "/arvados/v1/permissions/#{collection_uuid}", + headers: auth(:active) + assert_response 404 + + # Should not be able to read the permission link directly, for + # same reason + get "/arvados/v1/links/#{can_read_collection_uuid}", + headers: auth(:active) + assert_response 404 + + ### Now add a can_manage link + post "/arvados/v1/links", + params: { + link: { + tail_uuid: users(:active).uuid, + link_class: 'permission', + name: 'can_manage', + head_uuid: collection_uuid, + properties: {} + } + }, + headers: auth(:admin) + assert_response :success + can_manage_collection_uuid = json_response['uuid'] + + # Should be able read both permission links via permissions API + get "/arvados/v1/permissions/#{collection_uuid}", + headers: auth(:active) + assert_response :success + perm_uuids = json_response['items'].map { |item| item['uuid'] } + assert_includes perm_uuids, can_read_collection_uuid, "can_read_uuid not found" + assert_includes perm_uuids, can_manage_collection_uuid, "can_manage_uuid not found" + + # Should be able to read both permission links directly + [can_read_collection_uuid, can_manage_collection_uuid].each do |uuid| + get "/arvados/v1/links/#{uuid}", + headers: auth(:active) + assert_response :success + end end test "get_permissions returns 404 for nonexistent uuid" do nonexistent = Group.generate_uuid # make sure it really doesn't exist - get "/arvados/v1/groups/#{nonexistent}", nil, auth(:admin) + get "/arvados/v1/groups/#{nonexistent}", params: nil, headers: auth(:admin) assert_response 404 - get "/arvados/v1/permissions/#{nonexistent}", nil, auth(:active) + get "/arvados/v1/permissions/#{nonexistent}", params: nil, headers: auth(:active) assert_response 404 end test "get_permissions returns 403 if user can read but not manage" do - post "/arvados/v1/links", { - :link => { - tail_uuid: users(:active).uuid, - link_class: 'permission', - name: 'can_read', - head_uuid: groups(:public).uuid, - properties: {} - } - }, auth(:admin) - assert_response :success - - get "/arvados/v1/permissions/#{groups(:public).uuid}", nil, auth(:active) + post "/arvados/v1/links", + params: { + :link => { + tail_uuid: users(:active).uuid, + link_class: 'permission', + name: 'can_read', + head_uuid: groups(:public).uuid, + properties: {} + } + }, + headers: auth(:admin) + assert_response :success + + get "/arvados/v1/permissions/#{groups(:public).uuid}", + params: nil, + headers: auth(:active) assert_response 403 end test "active user can read the empty collection" do # The active user should be able to read the empty collection. - get("/arvados/v1/collections/#{empty_collection_uuid}", - { :format => :json }, - auth(:active)) + get("/arvados/v1/collections/#{empty_collection_pdh}", + params: {:format => :json}, + headers: auth(:active)) assert_response :success assert_empty json_response['manifest_text'], "empty collection manifest_text is not empty" end