X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/783343e5aca00f730315d943cecf74e4277a38e7..fde712e92ad33e03dfd79f5fca99d2005cdd0795:/services/api/test/functional/arvados/v1/groups_controller_test.rb diff --git a/services/api/test/functional/arvados/v1/groups_controller_test.rb b/services/api/test/functional/arvados/v1/groups_controller_test.rb index 49e9b7d6c6..c02da121e7 100644 --- a/services/api/test/functional/arvados/v1/groups_controller_test.rb +++ b/services/api/test/functional/arvados/v1/groups_controller_test.rb @@ -16,11 +16,11 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase test "get list of projects" do authorize_with :active - get :index, filters: [['group_class', 'in', ['project', 'folder']]], format: :json + get :index, filters: [['group_class', '=', 'project']], format: :json assert_response :success group_uuids = [] json_response['items'].each do |group| - assert_includes ['folder', 'project'], group['group_class'] + assert_equal 'project', group['group_class'] group_uuids << group['uuid'] end assert_includes group_uuids, groups(:aproject).uuid @@ -54,6 +54,22 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase assert_equal 0, json_response['items_available'] end + def check_project_contents_response + assert_response :success + assert_operator 2, :<=, json_response['items_available'] + assert_operator 2, :<=, json_response['items'].count + kinds = json_response['items'].collect { |i| i['kind'] }.uniq + expect_kinds = %w'arvados#group arvados#specimen arvados#pipelineTemplate arvados#job' + assert_equal expect_kinds, (expect_kinds & kinds) + + json_response['items'].each do |i| + if i['kind'] == 'arvados#group' + assert(i['group_class'] == 'project', + "group#contents returned a non-project group") + end + end + end + test 'get group-owned objects' do authorize_with :active get :contents, { @@ -61,12 +77,121 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase format: :json, include_linked: true, } + check_project_contents_response + end + + test "user with project read permission can see project objects" do + authorize_with :project_viewer + get :contents, { + id: groups(:aproject).uuid, + format: :json, + include_linked: true, + } + check_project_contents_response + end + + [false, true].each do |include_linked| + test "list objects across projects, include_linked=#{include_linked}" do + authorize_with :project_viewer + get :contents, { + format: :json, + include_linked: include_linked, + filters: [['uuid', 'is_a', 'arvados#specimen']] + } + assert_response :success + found_uuids = json_response['items'].collect { |i| i['uuid'] } + [[:in_aproject, true], + [:in_asubproject, true], + [:owned_by_private_group, false]].each do |specimen_fixture, should_find| + if should_find + assert_includes found_uuids, specimens(specimen_fixture).uuid, "did not find specimen fixture '#{specimen_fixture}'" + else + refute_includes found_uuids, specimens(specimen_fixture).uuid, "found specimen fixture '#{specimen_fixture}'" + end + end + end + end + + test "user with project read permission can see project collections" do + authorize_with :project_viewer + get :contents, { + id: groups(:asubproject).uuid, + format: :json, + include_linked: true, + } + ids = json_response['items'].map { |item| item["uuid"] } + assert_includes ids, collections(:baz_file).uuid + end + + test 'list objects across multiple projects' do + authorize_with :project_viewer + get :contents, { + format: :json, + include_linked: false, + filters: [['uuid', 'is_a', 'arvados#specimen']] + } assert_response :success - assert_operator 2, :<=, json_response['items_available'] - assert_operator 2, :<=, json_response['items'].count - kinds = json_response['items'].collect { |i| i['kind'] }.uniq - expect_kinds = %w'arvados#group arvados#specimen arvados#pipelineTemplate arvados#job' - assert_equal expect_kinds, (expect_kinds & kinds) + found_uuids = json_response['items'].collect { |i| i['uuid'] } + [[:in_aproject, true], + [:in_asubproject, true], + [:owned_by_private_group, false]].each do |specimen_fixture, should_find| + if should_find + assert_includes found_uuids, specimens(specimen_fixture).uuid, "did not find specimen fixture '#{specimen_fixture}'" + else + refute_includes found_uuids, specimens(specimen_fixture).uuid, "found specimen fixture '#{specimen_fixture}'" + end + end + end + + # Even though the project_viewer tests go through other controllers, + # I'm putting them here so they're easy to find alongside the other + # project tests. + def check_new_project_link_fails(link_attrs) + @controller = Arvados::V1::LinksController.new + post :create, link: { + link_class: "permission", + name: "can_read", + head_uuid: groups(:aproject).uuid, + }.merge(link_attrs) + assert_includes(403..422, response.status) + end + + test "user with project read permission can't add users to it" do + authorize_with :project_viewer + check_new_project_link_fails(tail_uuid: users(:spectator).uuid) + end + + test "user with project read permission can't add items to it" do + authorize_with :project_viewer + check_new_project_link_fails(tail_uuid: collections(:baz_file).uuid) + end + + test "user with project read permission can't rename items in it" do + authorize_with :project_viewer + @controller = Arvados::V1::LinksController.new + post :update, { + id: links(:job_name_in_aproject).uuid, + link: {name: "Denied test name"}, + } + assert_includes(403..404, response.status) + end + + test "user with project read permission can't remove items from it" do + @controller = Arvados::V1::PipelineTemplatesController.new + authorize_with :project_viewer + post :update, { + id: links(:template_name_in_aproject).head_uuid, + pipeline_template: { + owner_uuid: users(:project_viewer).uuid, + } + } + assert_response 403 + end + + test "user with project read permission can't delete it" do + authorize_with :project_viewer + post :destroy, {id: groups(:aproject).uuid} + assert_response 403 end test 'get group-owned objects with limit' do