X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a942e37250873d383bd885ba0dba70c63b3c073d..22e5442051df04f9e0d74b21bd36e44a6464e945:/services/api/test/unit/permission_test.rb diff --git a/services/api/test/unit/permission_test.rb b/services/api/test/unit/permission_test.rb index c1b8943773..18d2fbbcb5 100644 --- a/services/api/test/unit/permission_test.rb +++ b/services/api/test/unit/permission_test.rb @@ -1,3 +1,7 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: AGPL-3.0 + require 'test_helper' class PermissionTest < ActiveSupport::TestCase @@ -125,10 +129,10 @@ class PermissionTest < ActiveSupport::TestCase sp_grp = Group.create! sp = Specimen.create!(owner_uuid: sp_grp.uuid) - manage_perm = Link.create!(link_class: 'permission', - name: 'can_manage', - tail_uuid: owner_grp.uuid, - head_uuid: sp_grp.uuid) + Link.create!(link_class: 'permission', + name: 'can_manage', + tail_uuid: owner_grp.uuid, + head_uuid: sp_grp.uuid) # active user owns owner_grp, which has can_manage permission on sp_grp # user should be able to add permissions on sp. @@ -137,14 +141,12 @@ class PermissionTest < ActiveSupport::TestCase head_uuid: sp.uuid, link_class: 'permission', name: 'can_write') - test_uuid = test_perm.uuid assert test_perm.save, "could not save new permission on target object" assert test_perm.destroy, "could not delete new permission on target object" end - # TODO(twp): fix bug #3091, which should fix this test. - test "can_manage permission on a non-group object" do - skip + # bug #3091 + skip "can_manage permission on a non-group object" do set_user_from_auth :admin ob = Specimen.create! @@ -285,6 +287,12 @@ class PermissionTest < ActiveSupport::TestCase a = create :active_user, first_name: "A" b = create :active_user, first_name: "B" other = create :active_user, first_name: "OTHER" + + assert_empty(User.readable_by(b).where(uuid: a.uuid), + "#{b.first_name} should not be able to see 'a' in the user list") + assert_empty(User.readable_by(a).where(uuid: b.uuid), + "#{a.first_name} should not be able to see 'b' in the user list") + act_as_system_user do g = create :group [a,b].each do |u| @@ -294,6 +302,12 @@ class PermissionTest < ActiveSupport::TestCase name: 'can_read', head_uuid: u.uuid, tail_uuid: g.uuid) end end + + assert_not_empty(User.readable_by(b).where(uuid: a.uuid), + "#{b.first_name} should be able to see 'a' in the user list") + assert_not_empty(User.readable_by(a).where(uuid: b.uuid), + "#{a.first_name} should be able to see 'b' in the user list") + a_specimen = act_as_user a do Specimen.create! end @@ -354,4 +368,26 @@ class PermissionTest < ActiveSupport::TestCase end end + def container_logs(container, user) + Log.readable_by(users(user)). + where(object_uuid: containers(container).uuid, event_type: "test") + end + + test "container logs created by dispatch are visible to container requestor" do + set_user_from_auth :dispatch1 + Log.create!(object_uuid: containers(:running).uuid, + event_type: "test") + + assert_not_empty container_logs(:running, :admin) + assert_not_empty container_logs(:running, :active) + assert_empty container_logs(:running, :spectator) + end + + test "container logs created by dispatch are public if container request is public" do + set_user_from_auth :dispatch1 + Log.create!(object_uuid: containers(:running_older).uuid, + event_type: "test") + + assert_not_empty container_logs(:running_older, :anonymous) + end end