X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/bbc3324f62acfda616c3ef867331bddcdc4f5114..6175b80719275d88f7c2bb0a8c15417dc9eb246b:/services/api/test/integration/permissions_test.rb

diff --git a/services/api/test/integration/permissions_test.rb b/services/api/test/integration/permissions_test.rb
index ae338b74dc..f8f1e254bf 100644
--- a/services/api/test/integration/permissions_test.rb
+++ b/services/api/test/integration/permissions_test.rb
@@ -1,8 +1,18 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
 require 'test_helper'
 
 class PermissionsTest < ActionDispatch::IntegrationTest
+  include DbCurrentTime
+  include CurrentApiClient  # for empty_collection
   fixtures :users, :groups, :api_client_authorizations, :collections
 
+  teardown do
+    User.invalidate_permissions_cache db_current_time.to_i
+  end
+
   test "adding and removing direct can_read links" do
     # try to read collection as spectator
     get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
@@ -100,7 +110,7 @@ class PermissionsTest < ActionDispatch::IntegrationTest
     # try to read collection as spectator
     get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
     assert_response 404
-    
+
   end
 
 
@@ -151,7 +161,7 @@ class PermissionsTest < ActionDispatch::IntegrationTest
     # try to read collection as spectator
     get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
     assert_response 404
-    
+
   end
 
   test "adding can_read links from user to group, group to group, group to collection" do
@@ -212,18 +222,6 @@ class PermissionsTest < ActionDispatch::IntegrationTest
     assert_response 404
   end
 
-  test "read-only group-admin sees correct subset of user list" do
-    get "/arvados/v1/users", {:format => :json}, auth(:rominiadmin)
-    assert_response :success
-    resp_uuids = json_response['items'].collect { |i| i['uuid'] }
-    [[true, users(:rominiadmin).uuid],
-     [true, users(:active).uuid],
-     [false, users(:miniadmin).uuid],
-     [false, users(:spectator).uuid]].each do |should_find, uuid|
-      assert_equal should_find, !resp_uuids.index(uuid).nil?, "rominiadmin should #{'not ' if !should_find}see #{uuid} in user list"
-    end
-  end
-
   test "read-only group-admin cannot modify administered user" do
     put "/arvados/v1/users/#{users(:active).uuid}", {
       :user => {
@@ -285,12 +283,11 @@ class PermissionsTest < ActionDispatch::IntegrationTest
 
   test "get_permissions returns list" do
     # First confirm that user :active cannot get permissions on group :public
-    get "/arvados/v1/permissions/#{groups(:public).uuid}", {
-      :format => :json,
-    }, auth(:active)
+    get "/arvados/v1/permissions/#{groups(:public).uuid}", nil, auth(:active)
     assert_response 404
 
-    # add some permissions
+    # add some permissions, including can_manage
+    # permission for user :active
     post "/arvados/v1/links", {
       :format => :json,
       :link => {
@@ -332,9 +329,9 @@ class PermissionsTest < ActionDispatch::IntegrationTest
 
     # Now user :active should be able to retrieve permissions
     # on group :public.
-    get "/arvados/v1/permissions/#{groups(:public).uuid}", {
-      :format => :json,
-    }, auth(:active)
+    get("/arvados/v1/permissions/#{groups(:public).uuid}",
+        { :format => :json },
+        auth(:active))
     assert_response :success
 
     perm_uuids = json_response['items'].map { |item| item['uuid'] }
@@ -344,17 +341,38 @@ class PermissionsTest < ActionDispatch::IntegrationTest
   end
 
   test "get_permissions returns 404 for nonexistent uuid" do
-    nonexistent = Collection.generate_uuid
+    nonexistent = Group.generate_uuid
     # make sure it really doesn't exist
-    get "/arvados/v1/collections/#{nonexistent}", { :format => :json }, auth(:admin)
+    get "/arvados/v1/groups/#{nonexistent}", nil, auth(:admin)
     assert_response 404
 
-    get "/arvados/v1/permissions/#{nonexistent}", { :format => :json }, auth(:active)
+    get "/arvados/v1/permissions/#{nonexistent}", nil, auth(:active)
     assert_response 404
   end
 
-  test "get_permissions returns 403 if user lacks manage permission" do
-    get "/arvados/v1/permissions/#{collections(:foo_file).uuid}", { :format => :json }, auth(:active)
+  test "get_permissions returns 403 if user can read but not manage" do
+    post "/arvados/v1/links", {
+      :link => {
+        tail_uuid: users(:active).uuid,
+        link_class: 'permission',
+        name: 'can_read',
+        head_uuid: groups(:public).uuid,
+        properties: {}
+      }
+    }, auth(:admin)
+    assert_response :success
+
+    get "/arvados/v1/permissions/#{groups(:public).uuid}", nil, auth(:active)
     assert_response 403
   end
+
+  test "active user can read the empty collection" do
+    # The active user should be able to read the empty collection.
+
+    get("/arvados/v1/collections/#{empty_collection_uuid}",
+        { :format => :json },
+        auth(:active))
+    assert_response :success
+    assert_empty json_response['manifest_text'], "empty collection manifest_text is not empty"
+  end
 end