X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a8fd97bee8b0d194a7013dffa0c8bfb8533e669b..8917fa82999bdf0020f623db9869abae99930b56:/services/api/test/functional/arvados/v1/groups_controller_test.rb

diff --git a/services/api/test/functional/arvados/v1/groups_controller_test.rb b/services/api/test/functional/arvados/v1/groups_controller_test.rb
index f8f9eaeb0d..217809ae65 100644
--- a/services/api/test/functional/arvados/v1/groups_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/groups_controller_test.rb
@@ -14,22 +14,22 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
     assert_response 403
   end
 
-  test "get list of folders" do
+  test "get list of projects" do
     authorize_with :active
-    get :index, filters: [['group_class', '=', 'folder']], format: :json
+    get :index, filters: [['group_class', '=', 'project']], format: :json
     assert_response :success
     group_uuids = []
     json_response['items'].each do |group|
-      assert_equal 'folder', group['group_class']
+      assert_equal 'project', group['group_class']
       group_uuids << group['uuid']
     end
-    assert_includes group_uuids, groups(:afolder).uuid
-    assert_includes group_uuids, groups(:asubfolder).uuid
+    assert_includes group_uuids, groups(:aproject).uuid
+    assert_includes group_uuids, groups(:asubproject).uuid
     assert_not_includes group_uuids, groups(:system_group).uuid
     assert_not_includes group_uuids, groups(:private).uuid
   end
 
-  test "get list of groups that are not folders" do
+  test "get list of groups that are not projects" do
     authorize_with :active
     get :index, filters: [['group_class', '=', nil]], format: :json
     assert_response :success
@@ -38,8 +38,8 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
       assert_equal nil, group['group_class']
       group_uuids << group['uuid']
     end
-    assert_not_includes group_uuids, groups(:afolder).uuid
-    assert_not_includes group_uuids, groups(:asubfolder).uuid
+    assert_not_includes group_uuids, groups(:aproject).uuid
+    assert_not_includes group_uuids, groups(:asubproject).uuid
     assert_includes group_uuids, groups(:private).uuid
   end
 
@@ -54,25 +54,168 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
     assert_equal 0, json_response['items_available']
   end
 
+  def check_project_contents_response
+    assert_response :success
+    assert_operator 2, :<=, json_response['items_available']
+    assert_operator 2, :<=, json_response['items'].count
+    kinds = json_response['items'].collect { |i| i['kind'] }.uniq
+    expect_kinds = %w'arvados#group arvados#specimen arvados#pipelineTemplate arvados#job'
+    assert_equal expect_kinds, (expect_kinds & kinds)
+
+    json_response['items'].each do |i|
+      if i['kind'] == 'arvados#group'
+        assert(i['group_class'] == 'project',
+               "group#contents returned a non-project group")
+      end
+    end
+  end
+
   test 'get group-owned objects' do
     authorize_with :active
     get :contents, {
-      id: groups(:afolder).uuid,
+      id: groups(:aproject).uuid,
       format: :json,
       include_linked: true,
     }
+    check_project_contents_response
+  end
+
+  test "user with project read permission can see project objects" do
+    authorize_with :project_viewer
+    get :contents, {
+      id: groups(:aproject).uuid,
+      format: :json,
+      include_linked: true,
+    }
+    check_project_contents_response
+  end
+
+  [false, true].each do |include_linked|
+    test "list objects across projects, include_linked=#{include_linked}" do
+      authorize_with :project_viewer
+      get :contents, {
+        format: :json,
+        include_linked: include_linked,
+        filters: [['uuid', 'is_a', 'arvados#specimen']]
+      }
+      assert_response :success
+      found_uuids = json_response['items'].collect { |i| i['uuid'] }
+      [[:in_aproject, true],
+       [:in_asubproject, true],
+       [:owned_by_private_group, false]].each do |specimen_fixture, should_find|
+        if should_find
+          assert_includes found_uuids, specimens(specimen_fixture).uuid, "did not find specimen fixture '#{specimen_fixture}'"
+        else
+          refute_includes found_uuids, specimens(specimen_fixture).uuid, "found specimen fixture '#{specimen_fixture}'"
+        end
+      end
+    end
+  end
+
+  [false, true].each do |include_linked|
+    test "list objects in home project, include_linked=#{include_linked}" do
+      authorize_with :active
+      get :contents, {
+        format: :json,
+        id: users(:active).uuid,
+        include_linked: include_linked,
+      }
+      assert_response :success
+      found_uuids = json_response['items'].collect { |i| i['uuid'] }
+      if include_linked
+        assert_includes found_uuids, collections(:empty).uuid, "empty collection did not appear in home project"
+      end
+      assert_includes found_uuids, specimens(:owned_by_active_user).uuid, "specimen did not appear in home project"
+      refute_includes found_uuids, specimens(:in_asubproject).uuid, "specimen appeared unexpectedly in home project"
+    end
+  end
+
+  test "user with project read permission can see project collections" do
+    authorize_with :project_viewer
+    get :contents, {
+      id: groups(:asubproject).uuid,
+      format: :json,
+      include_linked: true,
+    }
+    ids = json_response['items'].map { |item| item["uuid"] }
+    assert_includes ids, collections(:baz_file).uuid
+  end
+
+  test 'list objects across multiple projects' do
+    authorize_with :project_viewer
+    get :contents, {
+      format: :json,
+      include_linked: false,
+      filters: [['uuid', 'is_a', 'arvados#specimen']]
+    }
     assert_response :success
-    assert_operator 2, :<=, json_response['items_available']
-    assert_operator 2, :<=, json_response['items'].count
-    kinds = json_response['items'].collect { |i| i['kind'] }.uniq
-    expect_kinds = %w'arvados#group arvados#specimen arvados#pipelineTemplate arvados#job'
-    assert_equal expect_kinds, (expect_kinds & kinds)
+    found_uuids = json_response['items'].collect { |i| i['uuid'] }
+    [[:in_aproject, true],
+     [:in_asubproject, true],
+     [:owned_by_private_group, false]].each do |specimen_fixture, should_find|
+      if should_find
+        assert_includes found_uuids, specimens(specimen_fixture).uuid, "did not find specimen fixture '#{specimen_fixture}'"
+      else
+        refute_includes found_uuids, specimens(specimen_fixture).uuid, "found specimen fixture '#{specimen_fixture}'"
+      end
+    end
+  end
+
+  # Even though the project_viewer tests go through other controllers,
+  # I'm putting them here so they're easy to find alongside the other
+  # project tests.
+  def check_new_project_link_fails(link_attrs)
+    @controller = Arvados::V1::LinksController.new
+    post :create, link: {
+      link_class: "permission",
+      name: "can_read",
+      head_uuid: groups(:aproject).uuid,
+    }.merge(link_attrs)
+    assert_includes(403..422, response.status)
+  end
+
+  test "user with project read permission can't add users to it" do
+    authorize_with :project_viewer
+    check_new_project_link_fails(tail_uuid: users(:spectator).uuid)
+  end
+
+  test "user with project read permission can't add items to it" do
+    authorize_with :project_viewer
+    check_new_project_link_fails(tail_uuid: collections(:baz_file).uuid)
+  end
+
+  test "user with project read permission can't rename items in it" do
+    authorize_with :project_viewer
+    @controller = Arvados::V1::LinksController.new
+    post :update, {
+      id: links(:job_name_in_aproject).uuid,
+      link: {name: "Denied test name"},
+    }
+    assert_includes(403..404, response.status)
+  end
+
+  test "user with project read permission can't remove items from it" do
+    @controller = Arvados::V1::PipelineTemplatesController.new
+    authorize_with :project_viewer
+    post :update, {
+      id: links(:template_name_in_aproject).head_uuid,
+      pipeline_template: {
+        owner_uuid: users(:project_viewer).uuid,
+      }
+    }
+    assert_response 403
+  end
+
+  test "user with project read permission can't delete it" do
+    authorize_with :project_viewer
+    post :destroy, {id: groups(:aproject).uuid}
+    assert_response 403
   end
 
   test 'get group-owned objects with limit' do
     authorize_with :active
     get :contents, {
-      id: groups(:afolder).uuid,
+      id: groups(:aproject).uuid,
       limit: 1,
       format: :json,
     }
@@ -84,7 +227,7 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
   test 'get group-owned objects with limit and offset' do
     authorize_with :active
     get :contents, {
-      id: groups(:afolder).uuid,
+      id: groups(:aproject).uuid,
       limit: 1,
       offset: 12345,
       format: :json,
@@ -97,7 +240,7 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
   test 'get group-owned objects with additional filter matching nothing' do
     authorize_with :active
     get :contents, {
-      id: groups(:afolder).uuid,
+      id: groups(:aproject).uuid,
       filters: [['uuid', 'in', ['foo_not_a_uuid','bar_not_a_uuid']]],
       format: :json,
     }
@@ -107,10 +250,10 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
   end
 
   test 'get group-owned objects without include_linked' do
-    unexpected_uuid = specimens(:in_afolder_linked_from_asubfolder).uuid
+    unexpected_uuid = specimens(:in_aproject_linked_from_asubproject).uuid
     authorize_with :active
     get :contents, {
-      id: groups(:asubfolder).uuid,
+      id: groups(:asubproject).uuid,
       format: :json,
     }
     assert_response :success
@@ -119,10 +262,10 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
   end
 
   test 'get group-owned objects with include_linked' do
-    expected_uuid = specimens(:in_afolder_linked_from_asubfolder).uuid
+    expected_uuid = specimens(:in_aproject_linked_from_asubproject).uuid
     authorize_with :active
     get :contents, {
-      id: groups(:asubfolder).uuid,
+      id: groups(:asubproject).uuid,
       include_linked: true,
       format: :json,
     }
@@ -130,7 +273,7 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
     uuids = json_response['items'].collect { |i| i['uuid'] }
     assert_includes uuids, expected_uuid, "Did not get #{expected_uuid}"
 
-    expected_name = links(:specimen_is_in_two_folders).name
+    expected_name = links(:specimen_is_in_two_projects).name
     found_specimen_name = false
     assert(json_response['links'].any?,
            "Expected a non-empty array of links in response")
@@ -158,7 +301,7 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
         # times within a test.
         @json_response = nil
         get :contents, {
-          id: groups(:afolder).uuid,
+          id: groups(:aproject).uuid,
           include_linked: inc_ind,
           limit: limit,
           offset: offset,
@@ -180,7 +323,7 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
           owner_received[item['owner_uuid']] = true
           offset += 1
           if not inc_ind
-            assert_equal groups(:afolder).uuid, item['owner_uuid']
+            assert_equal groups(:aproject).uuid, item['owner_uuid']
           end
         end
         break if offset >= items_available
@@ -197,7 +340,7 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
       test "Raise error on bogus #{arg} parameter #{val.inspect}" do
         authorize_with :active
         get :contents, {
-          :id => groups(:afolder).uuid,
+          :id => groups(:aproject).uuid,
           :format => :json,
           arg => val,
         }
@@ -209,7 +352,7 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
   test 'get writable_by list for owned group' do
     authorize_with :active
     get :show, {
-      id: groups(:afolder).uuid,
+      id: groups(:aproject).uuid,
       format: :json
     }
     assert_response :success