X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/32002eb6e87a391d1fad2b1b206dbc74d6659fc5..1e2e0e4f14a730ba1bbea6a4ced5d87ea2766c35:/apps/workbench/test/controllers/projects_controller_test.rb?ds=sidebyside
diff --git a/apps/workbench/test/controllers/projects_controller_test.rb b/apps/workbench/test/controllers/projects_controller_test.rb
index 8407dc3242..c2089ad18d 100644
--- a/apps/workbench/test/controllers/projects_controller_test.rb
+++ b/apps/workbench/test/controllers/projects_controller_test.rb
@@ -100,7 +100,9 @@ class ProjectsControllerTest < ActionController::TestCase
 assert_response :success
 end
 
- test "project admin can remove items from the project" do
+ test "project admin can remove collections from the project" do
+ # Deleting an object that supports 'expires_at' should make it
+ # completely inaccessible to API queries, not simply moved out of the project.
 coll_key = "collection_to_remove_from_subproject"
 coll_uuid = api_fixture("collections")[coll_key]["uuid"]
 delete(:remove_item,
@@ -111,6 +113,29 @@ class ProjectsControllerTest < ActionController::TestCase
 assert_response :success
 assert_match(/\b#{coll_uuid}\b/, @response.body,
 "removed object not named in response")
+
+ use_token :subproject_admin
+ assert_raise ArvadosApiClient::NotFoundException do
+ Collection.find(coll_uuid)
+ end
+ end
+
+ test "project admin can remove items from project other than collections" do
+ # An object which does not have an expired_at field (e.g. Specimen)
+ # should be implicitly moved to the user's Home project when removed.
+ specimen_uuid = api_fixture('specimens', 'in_asubproject')['uuid']
+ delete(:remove_item,
+ { id: api_fixture('groups', 'asubproject')['uuid'],
+ item_uuid: specimen_uuid,
+ format: 'js' },
+ session_for(:subproject_admin))
+ assert_response :success
+ assert_match(/\b#{specimen_uuid}\b/, @response.body,
+ "removed object not named in response")
+
+ use_token :subproject_admin
+ new_specimen = Specimen.find(specimen_uuid)
+ assert_equal api_fixture('users', 'subproject_admin')['uuid'], new_specimen.owner_uuid
 end
 
 test 'projects#show tab infinite scroll partial obeys limit' do
@@ -182,4 +207,18 @@ class ProjectsControllerTest < ActionController::TestCase
 }]
 get :show, encoded_params, session_for(:active)
 end
+
+ test "visit non-public project as anonymous when anonymous browsing is enabled and expect page not found" do
+ Rails.configuration.anonymous_user_token = api_fixture('api_client_authorizations')['anonymous']['api_token']
+ get(:show, {id: api_fixture('groups')['aproject']['uuid']})
+ assert_response 404
+ assert_includes @response.inspect, 'you are not logged in'
+ end
+
+ test "visit home page as anonymous when anonymous browsing is enabled and expect login" do
+ Rails.configuration.anonymous_user_token = api_fixture('api_client_authorizations')['anonymous']['api_token']
+ get(:index)
+ assert_response :redirect
+ assert_match /\/users\/welcome/, @response.redirect_url
+ end
 end
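Review bot: The `assert_raise ArvadosApiClient::NotFoundException` check added after `use_token :subproject_admin` only proves that the removing admin can no longer fetch the collection, while the comment added in the first hunk says the object becomes "completely inaccessible to API queries". Either narrow that comment, e.g. `# ... should make it inaccessible to the project admin's API queries, not simply moved out of the project.`, or repeat `Collection.find(coll_uuid)` under a second token that could read the collection before removal, so the claim is exercised for more than one principal. The two new comments also spell the field differently (`expires_at` in the first hunk, `expired_at` in the Specimen test); use the name the API model defines in both. The first test's body begins outside this hunk, so the request parameters it sends are not visible here.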
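Review bot: Both anonymous-browsing tests in the last hunk assign `Rails.configuration.anonymous_user_token` and never restore the previous value, so unless a teardown outside this hunk resets it, later tests in the same process run with anonymous browsing enabled and their access-control assertions become order-dependent. Save and restore it around the tests, for example `setup { @saved_anon_token = Rails.configuration.anonymous_user_token }` and `teardown { Rails.configuration.anonymous_user_token = @saved_anon_token }`. In the 404 test, `assert_includes @response.inspect, ...` matches a debug dump of the response object; if the message is rendered in the page, `assert_includes @response.body, 'you are not logged in'` checks what the anonymous visitor actually receives. As a style point, `assert_match(%r{/users/welcome}, @response.redirect_url)` avoids the ambiguous bare regex literal as a first argument.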