X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/7fc412308bcb4d853e6f9aeb9e7d45e5ab76b11f..61cd57499905e8e8cca07c774d1bf8c6bfa069a7:/services/api/test/unit/link_test.rb diff --git a/services/api/test/unit/link_test.rb b/services/api/test/unit/link_test.rb index 72d6017ce7..028f403a28 100644 --- a/services/api/test/unit/link_test.rb +++ b/services/api/test/unit/link_test.rb @@ -4,45 +4,61 @@ class LinkTest < ActiveSupport::TestCase fixtures :all setup do - Thread.current[:user] = users(:active) - end - - test 'name links with the same tail_uuid must be unique' do - a = Link.create!(tail_uuid: groups(:afolder).uuid, - head_uuid: specimens(:owned_by_active_user).uuid, - link_class: 'name', - name: 'foo') - assert a.valid?, a.errors.to_s - assert_raises ActiveRecord::RecordNotUnique do - b = Link.create!(tail_uuid: groups(:afolder).uuid, - head_uuid: specimens(:owned_by_active_user).uuid, - link_class: 'name', - name: 'foo') + set_user_from_auth :admin_trustedclient + end + + test "cannot delete an object referenced by links" do + ob = Specimen.create + link = Link.create(tail_uuid: users(:active).uuid, + head_uuid: ob.uuid, + link_class: 'test', + name: 'test') + assert_equal users(:admin).uuid, link.owner_uuid + assert_raises(ActiveRecord::DeleteRestrictionError, + "should not delete #{ob.uuid} with link #{link.uuid}") do + ob.destroy end end - test 'name links with different tail_uuid need not be unique' do - a = Link.create!(tail_uuid: groups(:afolder).uuid, - head_uuid: specimens(:owned_by_active_user).uuid, - link_class: 'name', - name: 'foo') - assert a.valid?, a.errors.to_s - b = Link.create!(tail_uuid: groups(:asubfolder).uuid, - head_uuid: specimens(:owned_by_active_user).uuid, - link_class: 'name', - name: 'foo') - assert b.valid?, b.errors.to_s - assert_not_equal(a.uuid, b.uuid, - "created two links and got the same uuid back.") - end - - [nil, '', false].each do |name| - test "name links cannot have name=#{name.inspect}" do - a = Link.create(tail_uuid: groups(:afolder).uuid, - head_uuid: specimens(:owned_by_active_user).uuid, - link_class: 'name', - name: name) - assert a.invalid?, "invalid name was accepted as valid?" + def new_active_link_valid?(link_attrs) + set_user_from_auth :active + begin + Link. + create({link_class: "permission", + name: "can_read", + head_uuid: groups(:aproject).uuid, + }.merge(link_attrs)). + valid? + rescue ArvadosModel::PermissionDeniedError + false end end + + test "link granting permission to nonexistent user is invalid" do + refute new_active_link_valid?(tail_uuid: + users(:active).uuid.sub(/-\w+$/, "-#{'z' * 15}")) + end + + test "link granting non-project permission to unreadable user is invalid" do + refute new_active_link_valid?(tail_uuid: users(:admin).uuid, + head_uuid: collections(:bar_file).uuid) + end + + test "user can't add a Collection to a Project without permission" do + refute new_active_link_valid?(link_class: "name", + name: "Permission denied test name", + tail_uuid: collections(:bar_file).uuid) + end + + test "user can't add a User to a Project" do + # Users *can* give other users permissions to projects. + # This test helps ensure that that exception is specific to permissions. + refute new_active_link_valid?(link_class: "name", + name: "Permission denied test name", + tail_uuid: users(:admin).uuid) + end + + test "link granting project permissions to unreadable user is invalid" do + refute new_active_link_valid?(tail_uuid: users(:admin).uuid) + end end