in_batches(of: 15).
update_all('is_trashed = true')
- # Sweep trashed projects and their contents (as well as role
- # groups that were trashed before #18340 when that was
- # disallowed)
+ # Want to make sure the #update_trash hook on the Group class
+ # runs. It does a couple of important things:
+ #
+ # - For projects, puts all the subprojects in the trashed_groups table.
+ #
+ # - For role groups, starting from #20943, when a role group
+ # enters the trash it keeps its members but loses its outbound
+ # permissions.
Group.
- where('delete_at is not null and delete_at < statement_timestamp()').each do |project|
- delete_project_and_contents(project.uuid)
+ where("is_trashed = false and trash_at < statement_timestamp()").each do |grp|
+ grp.is_trashed = true
+ grp.save
end
+
+ # Sweep groups and their contents that are ready to be deleted
Group.
- where('is_trashed = false and trash_at < statement_timestamp()').
- update_all('is_trashed = true')
+ where('delete_at is not null and delete_at < statement_timestamp()').each do |group|
+ delete_project_and_contents(group.uuid)
+ end
# Sweep expired tokens
ActiveRecord::Base.connection.execute("DELETE from api_client_authorizations where expires_at <= statement_timestamp()")
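Review bot: The result of `grp.save` in the new trash loop is discarded, so a group whose save fails validation or is halted by a callback stays untrashed with no trace. For a role group that means, going by the comment above the loop, that its outbound permissions stay in force past `trash_at`. Log the failure and continue with the remaining groups, e.g. `Rails.logger.error("trash sweep: could not trash group #{grp.uuid}: #{grp.errors.full_messages.join('; ')}") unless grp.save`. Switching to `save!` would surface the error but would also stop the sweep at the first bad row unless it is rescued per group. The enclosing method starts and ends outside this hunk.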
assert_response 404
end
+ test "adding can_read links from group to collection, user to group, then trash group" do
+ # try to read collection as spectator
+ get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
+ params: {:format => :json},
+ headers: auth(:spectator)
+ assert_response 404
+
+ # add permission for group to read collection
+ post "/arvados/v1/links",
+ params: {
+ :format => :json,
+ :link => {
+ tail_uuid: groups(:private_role).uuid,
+ link_class: 'permission',
+ name: 'can_read',
+ head_uuid: collections(:foo_file).uuid,
+ properties: {}
+ }
+ },
+ headers: auth(:admin)
+ assert_response :success
+
+ # try to read collection as spectator
+ get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
+ params: {:format => :json},
+ headers: auth(:spectator)
+ assert_response 404
+
+ # add permission for spectator to read group
+ post "/arvados/v1/links",
+ params: {
+ :format => :json,
+ :link => {
+ tail_uuid: users(:spectator).uuid,
+ link_class: 'permission',
+ name: 'can_read',
+ head_uuid: groups(:private_role).uuid,
+ properties: {}
+ }
+ },
+ headers: auth(:admin)
+ u = json_response['uuid']
+ assert_response :success
+
+ # try to read collection as spectator
+ get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
+ params: {:format => :json},
+ headers: auth(:spectator)
+ assert_response :success
+
+ # put the group in the trash, this should keep the group members
+ # but delete the permissions.
+ post "/arvados/v1/groups/#{groups(:private_role).uuid}/trash",
+ params: {:format => :json},
+ headers: auth(:admin)
+ assert_response :success
+
+ # try to read collection as spectator, should fail now
+ get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
+ params: {:format => :json},
+ headers: auth(:spectator)
+ assert_response 404
+
+ # should not be able to grant permission to a trashed group
+ post "/arvados/v1/links",
+ params: {
+ :format => :json,
+ :link => {
+ tail_uuid: groups(:private_role).uuid,
+ link_class: 'permission',
+ name: 'can_read',
+ head_uuid: collections(:foo_file).uuid,
+ properties: {}
+ }
+ },
+ headers: auth(:admin)
+ assert_response 422
+
+ # take the group out of the trash
+ post "/arvados/v1/groups/#{groups(:private_role).uuid}/untrash",
+ params: {:format => :json},
+ headers: auth(:admin)
+ assert_response :success
+
+ # when a role group is untrashed the permissions don't
+ # automatically come back
+ get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
+ params: {:format => :json},
+ headers: auth(:spectator)
+ assert_response 404
+
+ # re-add permission for group to read collection
+ post "/arvados/v1/links",
+ params: {
+ :format => :json,
+ :link => {
+ tail_uuid: groups(:private_role).uuid,
+ link_class: 'permission',
+ name: 'can_read',
+ head_uuid: collections(:foo_file).uuid,
+ properties: {}
+ }
+ },
+ headers: auth(:admin)
+ assert_response :success
+
+ # since spectator is still be a member of the group, it should be
+ # able to read foo file now.
+ get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
+ params: {:format => :json},
+ headers: auth(:spectator)
+ assert_response :success
+ end
+
test "read-only group-admin cannot modify administered user" do
put "/arvados/v1/users/#{users(:active).uuid}",
params: {
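Review bot: `u = json_response['uuid']` is assigned after the spectator-to-group link is created and is never read. As a result, the later comment's claim that trashing "should keep the group members" is verified only indirectly, by the final read. Either drop the assignment or use it right after the trash call: `get "/arvados/v1/links/#{u}", params: {:format => :json}, headers: auth(:admin)` followed by `assert_response :success`. The test also reaches the permission-revoking hook only through the explicit `/trash` endpoint. The expiry path that the sweep hunk switches from `update_all` to `save` is not exercised in the lines visible here, and may deserve its own test if none exists elsewhere in the commit.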