X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/1ab33aed37fdcd448fe224375951089282901c48..3b40453701265dc66f8efb5865d29cf508f3ca43:/services/api/test/unit/permission_test.rb diff --git a/services/api/test/unit/permission_test.rb b/services/api/test/unit/permission_test.rb index cb5ae7ba2f..14c810d81a 100644 --- a/services/api/test/unit/permission_test.rb +++ b/services/api/test/unit/permission_test.rb @@ -46,7 +46,7 @@ class PermissionTest < ActiveSupport::TestCase end test "readable_by" do - set_user_from_auth :active_trustedclient + set_user_from_auth :admin ob = Collection.create! Link.create!(tail_uuid: users(:active).uuid, @@ -57,7 +57,7 @@ class PermissionTest < ActiveSupport::TestCase end test "writable_by" do - set_user_from_auth :active_trustedclient + set_user_from_auth :admin ob = Collection.create! Link.create!(tail_uuid: users(:active).uuid, @@ -84,7 +84,7 @@ class PermissionTest < ActiveSupport::TestCase assert users(:active).can?(write: ob) assert users(:active).can?(read: ob) - l1.update_attributes!(name: 'can_read') + l1.update!(name: 'can_read') assert !users(:active).can?(write: ob) assert users(:active).can?(read: ob) @@ -153,6 +153,7 @@ class PermissionTest < ActiveSupport::TestCase set_user_from_auth :admin owner_grp = Group.create!(owner_uuid: users(:active).uuid, group_class: "role") + sp_grp = Group.create!(group_class: "project") Link.create!(link_class: 'permission', @@ -217,6 +218,8 @@ class PermissionTest < ActiveSupport::TestCase end test "manager user gets permission to minions' articles via can_manage link" do + Rails.configuration.Users.RoleGroupsVisibleToAll = false + Rails.configuration.Users.ActivatedUsersAreVisibleToOthers = false manager = create :active_user, first_name: "Manage", last_name: "Er" minion = create :active_user, first_name: "Min", last_name: "Ion" minions_specimen = act_as_user minion do @@ -227,7 +230,7 @@ class PermissionTest < ActiveSupport::TestCase # anyone any additional permissions.) g = nil act_as_user manager do - g = create :group, name: "NoBigSecret Lab" + g = create :group, name: "NoBigSecret Lab", group_class: "role" assert_empty(User.readable_by(manager).where(uuid: minion.uuid), "saw a user I shouldn't see") assert_raises(ArvadosModel::PermissionDeniedError, @@ -290,7 +293,7 @@ class PermissionTest < ActiveSupport::TestCase "manager saw the minion's private stuff") assert_raises(ArvadosModel::PermissionDeniedError, "manager could update minion's private stuff") do - minions_specimen.update_attributes(properties: {'x' => 'y'}) + minions_specimen.update(properties: {'x' => 'y'}) end end @@ -307,12 +310,13 @@ class PermissionTest < ActiveSupport::TestCase .where(uuid: minions_specimen.uuid), "manager could not find minion's specimen by uuid") assert_equal(true, - minions_specimen.update_attributes(properties: {'x' => 'y'}), + minions_specimen.update(properties: {'x' => 'y'}), "manager could not update minion's specimen object") end end test "users with bidirectional read permission in group can see each other, but cannot see each other's private articles" do + Rails.configuration.Users.ActivatedUsersAreVisibleToOthers = false a = create :active_user, first_name: "A" b = create :active_user, first_name: "B" other = create :active_user, first_name: "OTHER" @@ -323,7 +327,7 @@ class PermissionTest < ActiveSupport::TestCase "#{a.first_name} should not be able to see 'b' in the user list") act_as_system_user do - g = create :group + g = create :group, group_class: "role" [a,b].each do |u| create(:permission_link, name: 'can_read', tail_uuid: u.uuid, head_uuid: g.uuid) @@ -351,17 +355,17 @@ class PermissionTest < ActiveSupport::TestCase "OTHER can see #{u.first_name} in the user list") act_as_user u do assert_raises ArvadosModel::PermissionDeniedError, "wrote without perm" do - other.update_attributes!(prefs: {'pwned' => true}) + other.update!(prefs: {'pwned' => true}) end - assert_equal(true, u.update_attributes!(prefs: {'thisisme' => true}), + assert_equal(true, u.update!(prefs: {'thisisme' => true}), "#{u.first_name} can't update its own prefs") end act_as_user other do assert_raises(ArvadosModel::PermissionDeniedError, "OTHER wrote #{u.first_name} without perm") do - u.update_attributes!(prefs: {'pwned' => true}) + u.update!(prefs: {'pwned' => true}) end - assert_equal(true, other.update_attributes!(prefs: {'thisisme' => true}), + assert_equal(true, other.update!(prefs: {'thisisme' => true}), "OTHER can't update its own prefs") end end @@ -378,7 +382,7 @@ class PermissionTest < ActiveSupport::TestCase set_user_from_auth :rominiadmin ob = Collection.create! assert_raises ArvadosModel::PermissionDeniedError, "changed owner to unwritable user" do - ob.update_attributes!(owner_uuid: users(:active).uuid) + ob.update!(owner_uuid: users(:active).uuid) end end @@ -393,7 +397,7 @@ class PermissionTest < ActiveSupport::TestCase set_user_from_auth :rominiadmin ob = Collection.create! assert_raises ArvadosModel::PermissionDeniedError, "changed owner to unwritable group" do - ob.update_attributes!(owner_uuid: groups(:aproject).uuid) + ob.update!(owner_uuid: groups(:aproject).uuid) end end @@ -423,7 +427,13 @@ class PermissionTest < ActiveSupport::TestCase test "add user to group, then remove them" do set_user_from_auth :admin grp = Group.create!(owner_uuid: system_user_uuid, group_class: "role") - col = Collection.create!(owner_uuid: grp.uuid) + col = Collection.create!(owner_uuid: system_user_uuid) + + l0 = Link.create!(tail_uuid: grp.uuid, + head_uuid: col.uuid, + link_class: 'permission', + name: 'can_read') + assert_empty Collection.readable_by(users(:active)).where(uuid: col.uuid) assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid) @@ -459,7 +469,7 @@ class PermissionTest < ActiveSupport::TestCase test "add user to group, then change permission level" do set_user_from_auth :admin - grp = Group.create!(owner_uuid: system_user_uuid, group_class: "role") + grp = Group.create!(owner_uuid: system_user_uuid, group_class: "project") col = Collection.create!(owner_uuid: grp.uuid) assert_empty Collection.readable_by(users(:active)).where(uuid: col.uuid) assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid) @@ -468,10 +478,6 @@ class PermissionTest < ActiveSupport::TestCase head_uuid: grp.uuid, link_class: 'permission', name: 'can_manage') - l2 = Link.create!(tail_uuid: grp.uuid, - head_uuid: users(:active).uuid, - link_class: 'permission', - name: 'can_read') assert Collection.readable_by(users(:active)).where(uuid: col.uuid).first assert users(:active).can?(read: col.uuid) @@ -498,7 +504,7 @@ class PermissionTest < ActiveSupport::TestCase test "add user to group, then add overlapping permission link to group" do set_user_from_auth :admin - grp = Group.create!(owner_uuid: system_user_uuid, group_class: "role") + grp = Group.create!(owner_uuid: system_user_uuid, group_class: "project") col = Collection.create!(owner_uuid: grp.uuid) assert_empty Collection.readable_by(users(:active)).where(uuid: col.uuid) assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid) @@ -507,10 +513,6 @@ class PermissionTest < ActiveSupport::TestCase head_uuid: grp.uuid, link_class: 'permission', name: 'can_manage') - l2 = Link.create!(tail_uuid: grp.uuid, - head_uuid: users(:active).uuid, - link_class: 'permission', - name: 'can_read') assert Collection.readable_by(users(:active)).where(uuid: col.uuid).first assert users(:active).can?(read: col.uuid) @@ -527,7 +529,13 @@ class PermissionTest < ActiveSupport::TestCase assert users(:active).can?(write: col.uuid) assert users(:active).can?(manage: col.uuid) - l3.destroy! + # Creating l3 should have automatically deleted l1 and upgraded to + # the max permission of {l1, l3}, i.e., can_manage (see #18693) so + # there should be no can_read link now. + refute Link.where(tail_uuid: l3.tail_uuid, + head_uuid: l3.head_uuid, + link_class: 'permission', + name: 'can_read').any? assert Collection.readable_by(users(:active)).where(uuid: col.uuid).first assert users(:active).can?(read: col.uuid) @@ -538,8 +546,14 @@ class PermissionTest < ActiveSupport::TestCase test "add user to group, then add overlapping permission link to subproject" do set_user_from_auth :admin - grp = Group.create!(owner_uuid: system_user_uuid, group_class: "project") - prj = Group.create!(owner_uuid: grp.uuid, group_class: "project") + grp = Group.create!(owner_uuid: system_user_uuid, group_class: "role") + prj = Group.create!(owner_uuid: system_user_uuid, group_class: "project") + + l0 = Link.create!(tail_uuid: grp.uuid, + head_uuid: prj.uuid, + link_class: 'permission', + name: 'can_manage') + assert_empty Group.readable_by(users(:active)).where(uuid: prj.uuid) assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid) @@ -567,11 +581,50 @@ class PermissionTest < ActiveSupport::TestCase assert users(:active).can?(write: prj.uuid) assert users(:active).can?(manage: prj.uuid) - l3.destroy! + # Creating l3 should have automatically deleted l0 and upgraded to + # the max permission of {l0, l3}, i.e., can_manage (see #18693) so + # there should be no can_read link now. + refute Link.where(tail_uuid: l3.tail_uuid, + head_uuid: l3.head_uuid, + link_class: 'permission', + name: 'can_read').any? assert Group.readable_by(users(:active)).where(uuid: prj.uuid).first assert users(:active).can?(read: prj.uuid) assert users(:active).can?(write: prj.uuid) assert users(:active).can?(manage: prj.uuid) end + + [system_user_uuid, anonymous_user_uuid].each do |u| + test "cannot delete system user #{u}" do + act_as_system_user do + assert_raises ArvadosModel::PermissionDeniedError do + User.find_by_uuid(u).destroy + end + end + end + end + + [system_group_uuid, anonymous_group_uuid, public_project_uuid].each do |g| + test "cannot delete system group #{g}" do + act_as_system_user do + assert_raises ArvadosModel::PermissionDeniedError do + Group.find_by_uuid(g).destroy + end + end + end + end + + # Show query plan for readable_by query. The plan for a test db + # might not resemble the plan for a production db, but it doesn't + # hurt to show the test db plan in test logs, and the . + [false, true].each do |include_trash| + test "query plan, include_trash=#{include_trash}" do + sql = Collection.readable_by(users(:active), include_trash: include_trash).to_sql + sql = "explain analyze #{sql}" + STDERR.puts sql + q = ActiveRecord::Base.connection.exec_query(sql) + q.rows.each do |row| STDERR.puts(row) end + end + end end