X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/d0284f9f1af01be566d671e875f31b12eeca1960..e4382e25d68a70a107baeb257e1915972759334c:/services/api/test/unit/link_test.rb diff --git a/services/api/test/unit/link_test.rb b/services/api/test/unit/link_test.rb index e40326504a..3763706f3b 100644 --- a/services/api/test/unit/link_test.rb +++ b/services/api/test/unit/link_test.rb @@ -61,4 +61,46 @@ class LinkTest < ActiveSupport::TestCase ob.destroy end end + + def new_active_link_valid?(link_attrs) + set_user_from_auth :active + begin + Link. + create({link_class: "permission", + name: "can_read", + head_uuid: groups(:aproject).uuid, + }.merge(link_attrs)). + valid? + rescue ArvadosModel::PermissionDeniedError + false + end + end + + test "link granting permission to nonexistent user is invalid" do + refute new_active_link_valid?(tail_uuid: + users(:active).uuid.sub(/-\w+$/, "-#{'z' * 15}")) + end + + test "link granting non-project permission to unreadable user is invalid" do + refute new_active_link_valid?(tail_uuid: users(:admin).uuid, + head_uuid: collections(:bar_file).uuid) + end + + test "user can't add a Collection to a Project without permission" do + refute new_active_link_valid?(link_class: "name", + name: "Permission denied test name", + tail_uuid: collections(:bar_file).uuid) + end + + test "user can't add a User to a Project" do + # Users *can* give other users permissions to projects. + # This test helps ensure that that exception is specific to permissions. + refute new_active_link_valid?(link_class: "name", + name: "Permission denied test name", + tail_uuid: users(:admin).uuid) + end + + test "link granting project permissions to unreadable user is invalid" do + refute new_active_link_valid?(tail_uuid: users(:admin).uuid) + end end