X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a959f21c8147f26362df392bc3fd3290db69de85..bd1f0b637be6c97374b31ed5c442ff88d25e626e:/services/api/test/functional/arvados/v1/links_controller_test.rb diff --git a/services/api/test/functional/arvados/v1/links_controller_test.rb b/services/api/test/functional/arvados/v1/links_controller_test.rb index d5b42665c3..b4b78168f2 100644 --- a/services/api/test/functional/arvados/v1/links_controller_test.rb +++ b/services/api/test/functional/arvados/v1/links_controller_test.rb @@ -118,7 +118,7 @@ class Arvados::V1::LinksControllerTest < ActionController::TestCase link_class: 'test', name: 'stuff', head_uuid: users(:active).uuid, - tail_uuid: virtual_machines(:testvm).uuid + tail_uuid: virtual_machines(:testvm2).uuid } authorize_with :active post :create, link: link @@ -165,7 +165,7 @@ class Arvados::V1::LinksControllerTest < ActionController::TestCase assert_response :success found = assigns(:objects) assert_not_equal 0, found.count - assert_equal found.count, (found.select { |f| f.head_uuid.match /[a-f0-9]{32}\+\d+/}).count + assert_equal found.count, (found.select { |f| f.head_uuid.match /.....-4zz18-.............../}).count end test "test can still use where tail_kind" do @@ -270,17 +270,70 @@ class Arvados::V1::LinksControllerTest < ActionController::TestCase assert_response :success end - test "refuse duplicate name" do - the_name = links(:job_name_in_aproject).name - the_project = links(:job_name_in_aproject).tail_uuid + test "project owner can show a project permission" do + uuid = links(:project_viewer_can_read_project).uuid authorize_with :active - post :create, link: { - tail_uuid: the_project, - head_uuid: specimens(:owned_by_active_user).uuid, - link_class: 'name', - name: the_name, - properties: {this_s: "a duplicate name"} - } - assert_response 422 + get :show, id: uuid + assert_response :success + assert_equal(uuid, assigns(:object).andand.uuid) + end + + test "admin can show a project permission" do + uuid = links(:project_viewer_can_read_project).uuid + authorize_with :admin + get :show, id: uuid + assert_response :success + assert_equal(uuid, assigns(:object).andand.uuid) + end + + test "project viewer can't show others' project permissions" do + authorize_with :project_viewer + get :show, id: links(:admin_can_write_aproject).uuid + assert_response 404 + end + + test "requesting a nonexistent link returns 404" do + authorize_with :active + get :show, id: 'zzzzz-zzzzz-zzzzzzzzzzzzzzz' + assert_response 404 + end + + test "retrieve all permissions using generic links index api" do + skip "(not implemented)" + # Links.readable_by() does not return the full set of permission + # links that are visible to a user (i.e., all permission links + # whose head_uuid references an object for which the user has + # ownership or can_manage permission). Therefore, neither does + # /arvados/v1/links. + # + # It is possible to retrieve the full set of permissions for a + # single object via /arvados/v1/permissions. + authorize_with :active + get :index, filters: [['link_class', '=', 'permission'], + ['head_uuid', '=', groups(:aproject).uuid]] + assert_response :success + assert_not_nil assigns(:objects) + assert_includes(assigns(:objects).map(&:uuid), + links(:project_viewer_can_read_project).uuid) + end + + test "admin can index project permissions" do + authorize_with :admin + get :index, filters: [['link_class', '=', 'permission'], + ['head_uuid', '=', groups(:aproject).uuid]] + assert_response :success + assert_not_nil assigns(:objects) + assert_includes(assigns(:objects).map(&:uuid), + links(:project_viewer_can_read_project).uuid) + end + + test "project viewer can't index others' project permissions" do + authorize_with :project_viewer + get :index, filters: [['link_class', '=', 'permission'], + ['head_uuid', '=', groups(:aproject).uuid], + ['tail_uuid', '!=', users(:project_viewer).uuid]] + assert_response :success + assert_not_nil assigns(:objects) + assert_empty assigns(:objects) end end