16007: Reenable updating the permission level of a link

Add test to ensure permission table is synchronized when updating the
level of an existing permission link.

Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz@curii.com>

diff --git a/apps/workbench/test/integration/projects_test.rb b/apps/workbench/test/integration/projects_test.rb
index 17ab5e4661db335f7f40129d2dac246f69990e67..7a5103007f80f2eba79275a67c602a8cb7d5e3c9 100644 (file)
--- a/apps/workbench/test/integration/projects_test.rb
+++ b/apps/workbench/test/integration/projects_test.rb
@@ -132,7 +132,7 @@ class ProjectsTest < ActionDispatch::IntegrationTest
     show_object_using('active', 'groups', 'aproject', 'A Project')
     click_on "Sharing"
     click_on "Share with groups"
-    good_uuid = api_fixture("groups")["private"]["uuid"]
+    good_uuid = api_fixture("groups")["future_project_viewing_group"]["uuid"]
     assert(page.has_selector?(".selectable[data-object-uuid=\"#{good_uuid}\"]"),
            "'share with groups' listing missing owned user group")
     bad_uuid = api_fixture("groups")["asubproject"]["uuid"]

diff --git a/services/api/app/models/link.rb b/services/api/app/models/link.rb
index 0b720561287352efdf81fdf83f2c7b9448fcf1f8..60a94c7e23032ec694d78706c1dd685e9c6eaa55 100644 (file)
--- a/services/api/app/models/link.rb
+++ b/services/api/app/models/link.rb
@@ -13,7 +13,7 @@ class Link < ArvadosModel
 
   validate :name_links_are_obsolete
   validate :permission_to_attach_to_objects
-  before_update :cannot_alter_permissions
+  before_update :restrict_alter_permissions
   after_update :call_update_permissions
   after_create :call_update_permissions
   before_destroy :clear_permissions
@@ -50,6 +50,11 @@ class Link < ArvadosModel
     # All users can write links that don't affect permissions
     return true if self.link_class != 'permission'
 
+    if PERM_LEVEL[self.name].nil?
+      errors.add(:name, "is invalid permission, must be one of 'can_read', 'can_write', 'can_manage', 'can_login'")
+      return false
+    end
+
     rsc_class = ArvadosModel::resource_class_for_uuid tail_uuid
     if rsc_class == Group
       tail_obj = Group.find_by_uuid(tail_uuid)
@@ -84,13 +89,13 @@ class Link < ArvadosModel
     false
   end
 
-  def cannot_alter_permissions
+  def restrict_alter_permissions
     return true if self.link_class != 'permission' && self.link_class_was != 'permission'
 
     return true if current_user.andand.uuid == system_user.uuid
 
-    if link_class_changed? || name_changed? || tail_uuid_changed? || head_uuid_changed?
-      raise "Cannot alter a permission link"
+    if link_class_changed? || tail_uuid_changed? || head_uuid_changed?
+      raise "Can only alter permission link level"
     end
   end
 

diff --git a/services/api/test/unit/permission_test.rb b/services/api/test/unit/permission_test.rb
index 03a8e82eed2cee144e5f69e63cd54aebe3d5c293..07709b752832ebd5421d8063c6cb74817327a366 100644 (file)
--- a/services/api/test/unit/permission_test.rb
+++ b/services/api/test/unit/permission_test.rb
@@ -46,7 +46,7 @@ class PermissionTest < ActiveSupport::TestCase
   end
 
   test "readable_by" do
-    set_user_from_auth :active_trustedclient
+    set_user_from_auth :admin
 
     ob = Collection.create!
     Link.create!(tail_uuid: users(:active).uuid,
@@ -57,7 +57,7 @@ class PermissionTest < ActiveSupport::TestCase
   end
 
   test "writable_by" do
-    set_user_from_auth :active_trustedclient
+    set_user_from_auth :admin
 
     ob = Collection.create!
     Link.create!(tail_uuid: users(:active).uuid,