X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a959f21c8147f26362df392bc3fd3290db69de85..3c12b6126b87af781058b159332446ee458635af:/services/api/test/unit/link_test.rb

diff --git a/services/api/test/unit/link_test.rb b/services/api/test/unit/link_test.rb
index 56a38045e4..3763706f3b 100644
--- a/services/api/test/unit/link_test.rb
+++ b/services/api/test/unit/link_test.rb
@@ -13,6 +13,7 @@ class LinkTest < ActiveSupport::TestCase
                      link_class: 'name',
                      name: 'foo')
     assert a.valid?, a.errors.to_s
+    assert_equal groups(:aproject).uuid, a.owner_uuid
     assert_raises ActiveRecord::RecordNotUnique do
       b = Link.create!(tail_uuid: groups(:aproject).uuid,
                        head_uuid: specimens(:owned_by_active_user).uuid,
@@ -27,11 +28,13 @@ class LinkTest < ActiveSupport::TestCase
                      link_class: 'name',
                      name: 'foo')
     assert a.valid?, a.errors.to_s
+    assert_equal groups(:aproject).uuid, a.owner_uuid
     b = Link.create!(tail_uuid: groups(:asubproject).uuid,
                      head_uuid: specimens(:owned_by_active_user).uuid,
                      link_class: 'name',
                      name: 'foo')
     assert b.valid?, b.errors.to_s
+    assert_equal groups(:asubproject).uuid, b.owner_uuid
     assert_not_equal(a.uuid, b.uuid,
                      "created two links and got the same uuid back.")
   end
@@ -52,9 +55,52 @@ class LinkTest < ActiveSupport::TestCase
                        head_uuid: ob.uuid,
                        link_class: 'test',
                        name: 'test')
+    assert_equal users(:admin).uuid, link.owner_uuid
     assert_raises(ActiveRecord::DeleteRestrictionError,
                   "should not delete #{ob.uuid} with link #{link.uuid}") do
       ob.destroy
     end
   end
+
+  def new_active_link_valid?(link_attrs)
+    set_user_from_auth :active
+    begin
+      Link.
+        create({link_class: "permission",
+                 name: "can_read",
+                 head_uuid: groups(:aproject).uuid,
+               }.merge(link_attrs)).
+        valid?
+    rescue ArvadosModel::PermissionDeniedError
+      false
+    end
+  end
+
+  test "link granting permission to nonexistent user is invalid" do
+    refute new_active_link_valid?(tail_uuid:
+                                  users(:active).uuid.sub(/-\w+$/, "-#{'z' * 15}"))
+  end
+
+  test "link granting non-project permission to unreadable user is invalid" do
+    refute new_active_link_valid?(tail_uuid: users(:admin).uuid,
+                                  head_uuid: collections(:bar_file).uuid)
+  end
+
+  test "user can't add a Collection to a Project without permission" do
+    refute new_active_link_valid?(link_class: "name",
+                                  name: "Permission denied test name",
+                                  tail_uuid: collections(:bar_file).uuid)
+  end
+
+  test "user can't add a User to a Project" do
+    # Users *can* give other users permissions to projects.
+    # This test helps ensure that that exception is specific to permissions.
+    refute new_active_link_valid?(link_class: "name",
+                                  name: "Permission denied test name",
+                                  tail_uuid: users(:admin).uuid)
+  end
+
+  test "link granting project permissions to unreadable user is invalid" do
+    refute new_active_link_valid?(tail_uuid: users(:admin).uuid)
+  end
 end