X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/1cf15bae4e5236084c338fb557c749533adce679..1b785fd50c259eb42cd2c8c4ba2e440d7bfe0032:/services/api/test/unit/link_test.rb diff --git a/services/api/test/unit/link_test.rb b/services/api/test/unit/link_test.rb index e40326504a..640b26c64d 100644 --- a/services/api/test/unit/link_test.rb +++ b/services/api/test/unit/link_test.rb @@ -61,4 +61,46 @@ class LinkTest < ActiveSupport::TestCase ob.destroy end end + + def new_active_link_valid?(link_attrs) + set_user_from_auth :active + begin + Link. + create({link_class: "permission", + name: "can_read", + head_uuid: groups(:aproject).uuid, + }.merge(link_attrs)). + valid? + rescue ArvadosModel::PermissionDeniedError + false + end + end + + test "link granting permission to nonexistent user is invalid" do + refute new_active_link_valid?(tail_uuid: + users(:active).uuid.sub(/-\w+$/, "-#{'z' * 15}")) + end + + test "link granting non-project permission to unreadable user is invalid" do + refute new_active_link_valid?(tail_uuid: users(:admin).uuid, + head_uuid: collections(:bar_file).uuid) + end + + test "user can't add a Collection to a Project without permission" do + refute new_active_link_valid?(link_class: "name", + name: "Permission denied test name", + tail_uuid: collections(:bar_file).uuid) + end + + test "user can't add a User to a Project" do + # Users *can* give other users permissions to projects. + # This test helps ensure that that exception is specific to permissions. + refute new_active_link_valid?(link_class: "name", + name: "Permission denied test name", + tail_uuid: users(:admin).uuid) + end + + test "link granting project permissions to unreadable user is valid" do + assert new_active_link_valid?(tail_uuid: users(:admin).uuid) + end end