X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/24b1ca4bf401b6701055ad0df4160a9fc1aacd7b..5d7bef4122c59bec9145f2853b76170b4ddca67f:/services/api/test/unit/permission_test.rb diff --git a/services/api/test/unit/permission_test.rb b/services/api/test/unit/permission_test.rb index 07709b7528..123031b35f 100644 --- a/services/api/test/unit/permission_test.rb +++ b/services/api/test/unit/permission_test.rb @@ -466,7 +466,7 @@ class PermissionTest < ActiveSupport::TestCase test "add user to group, then change permission level" do set_user_from_auth :admin - grp = Group.create!(owner_uuid: system_user_uuid, group_class: "role") + grp = Group.create!(owner_uuid: system_user_uuid, group_class: "project") col = Collection.create!(owner_uuid: grp.uuid) assert_empty Collection.readable_by(users(:active)).where(uuid: col.uuid) assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid) @@ -475,10 +475,6 @@ class PermissionTest < ActiveSupport::TestCase head_uuid: grp.uuid, link_class: 'permission', name: 'can_manage') - l2 = Link.create!(tail_uuid: grp.uuid, - head_uuid: users(:active).uuid, - link_class: 'permission', - name: 'can_read') assert Collection.readable_by(users(:active)).where(uuid: col.uuid).first assert users(:active).can?(read: col.uuid) @@ -505,7 +501,7 @@ class PermissionTest < ActiveSupport::TestCase test "add user to group, then add overlapping permission link to group" do set_user_from_auth :admin - grp = Group.create!(owner_uuid: system_user_uuid, group_class: "role") + grp = Group.create!(owner_uuid: system_user_uuid, group_class: "project") col = Collection.create!(owner_uuid: grp.uuid) assert_empty Collection.readable_by(users(:active)).where(uuid: col.uuid) assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid) @@ -514,10 +510,6 @@ class PermissionTest < ActiveSupport::TestCase head_uuid: grp.uuid, link_class: 'permission', name: 'can_manage') - l2 = Link.create!(tail_uuid: grp.uuid, - head_uuid: users(:active).uuid, - link_class: 'permission', - name: 'can_read') assert Collection.readable_by(users(:active)).where(uuid: col.uuid).first assert users(:active).can?(read: col.uuid) @@ -545,8 +537,14 @@ class PermissionTest < ActiveSupport::TestCase test "add user to group, then add overlapping permission link to subproject" do set_user_from_auth :admin - grp = Group.create!(owner_uuid: system_user_uuid, group_class: "project") - prj = Group.create!(owner_uuid: grp.uuid, group_class: "project") + grp = Group.create!(owner_uuid: system_user_uuid, group_class: "role") + prj = Group.create!(owner_uuid: system_user_uuid, group_class: "project") + + l0 = Link.create!(tail_uuid: grp.uuid, + head_uuid: prj.uuid, + link_class: 'permission', + name: 'can_manage') + assert_empty Group.readable_by(users(:active)).where(uuid: prj.uuid) assert_empty User.readable_by(users(:active)).where(uuid: users(:project_viewer).uuid) @@ -581,4 +579,24 @@ class PermissionTest < ActiveSupport::TestCase assert users(:active).can?(write: prj.uuid) assert users(:active).can?(manage: prj.uuid) end + + [system_user_uuid, anonymous_user_uuid].each do |u| + test "cannot delete system user #{u}" do + act_as_system_user do + assert_raises ArvadosModel::PermissionDeniedError do + User.find_by_uuid(u).destroy + end + end + end + end + + [system_group_uuid, anonymous_group_uuid, public_project_uuid].each do |g| + test "cannot delete system group #{g}" do + act_as_system_user do + assert_raises ArvadosModel::PermissionDeniedError do + Group.find_by_uuid(g).destroy + end + end + end + end end