Check permission before deleting objects
authorTom Clegg <tom@clinicalfuture.com>
Thu, 5 Dec 2013 21:12:50 +0000 (13:12 -0800)
committerTom Clegg <tom@clinicalfuture.com>
Thu, 5 Dec 2013 21:25:07 +0000 (13:25 -0800)
services/api/app/models/arvados_model.rb
services/api/test/fixtures/groups.yml [new file with mode: 0644]
services/api/test/functional/arvados/v1/groups_controller_test.rb

index 136684d009d533791172f6969ea9e326836e0633..60e850864cb362cb333af41bf99fde692be7ddb1 100644 (file)
@@ -9,6 +9,7 @@ class ArvadosModel < ActiveRecord::Base
   attr_protected :modified_at
   before_create :ensure_permission_to_create
   before_update :ensure_permission_to_update
+  before_destroy :ensure_permission_to_destroy
   before_create :update_modified_by_fields
   before_update :maybe_update_modified_by_fields
   validate :ensure_serialized_attribute_type
@@ -87,6 +88,14 @@ class ArvadosModel < ActiveRecord::Base
     end
   end
 
+  def ensure_permission_to_destroy
+    raise PermissionDeniedError unless permission_to_destroy
+  end
+
+  def permission_to_destroy
+    permission_to_update
+  end
+
   def maybe_update_modified_by_fields
     update_modified_by_fields if self.changed?
   end
diff --git a/services/api/test/fixtures/groups.yml b/services/api/test/fixtures/groups.yml
new file mode 100644 (file)
index 0000000..ebf2234
--- /dev/null
@@ -0,0 +1,5 @@
+public:
+  uuid: zzzzz-j7d0g-it30l961gq3t0oi
+  owner_uuid: zzzzz-tpzed-d9tiejq69daie8f
+  name: Public
+  description: Public Group
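Review bot: The `owner_uuid` value is a bare literal with nothing saying which user fixture it denotes, yet the new controller test only proves anything if that owner is not the `:active` user. A comment on the line, such as `# owned by <user fixture name>; groups_controller_test relies on :active lacking write access here`, would record that coupling so a later fixture edit does not silently turn the test into a no-op.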
index 40adbd2dfec70afeb35db213147eab4ca3ef404a..6530181b68fb9c6a35024d37c88994af2bfe5860 100644 (file)
@@ -1,4 +1,11 @@
 require 'test_helper'
 
 class Arvados::V1::GroupsControllerTest < ActionController::TestCase
+
+  test "attempt to delete group without write access" do
+    authorize_with :active
+    post :destroy, id: groups(:public).uuid
+    assert_response 403
+  end
+
 end
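Review bot: The new test asserts only the 403 status and never checks that the group row survived, so a controller that destroyed the record and then rendered 403 would still pass; add `assert Group.where(uuid: groups(:public).uuid).exists?` after `assert_response 403`. The 403 also depends on the controller translating `PermissionDeniedError` into that status, which is outside this commit, so the assertion is indirectly testing that mapping too. `post :destroy` works in `ActionController::TestCase` because the verb is not routed there, but `delete :destroy` reads as the request being exercised.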