From a13547aec78a75da2174e083f6015280787cd597 Mon Sep 17 00:00:00 2001
From: Peter Amstutz <peter.amstutz@curii.com>
Date: Fri, 18 Sep 2020 19:21:09 -0400
Subject: [PATCH] 16811: Add a test that system users/groups can't be deleted.

Also tweak PublicFavoritesProject migration to use up/down instead of
change.

Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz@curii.com>
---
 ...20200914203202_public_favorites_project.rb |  5 ++++-
 services/api/test/fixtures/groups.yml         |  7 +++++++
 services/api/test/unit/permission_test.rb     | 20 +++++++++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/services/api/db/migrate/20200914203202_public_favorites_project.rb b/services/api/db/migrate/20200914203202_public_favorites_project.rb
index 0718778ddc..ef139aa704 100644
--- a/services/api/db/migrate/20200914203202_public_favorites_project.rb
+++ b/services/api/db/migrate/20200914203202_public_favorites_project.rb
@@ -4,7 +4,7 @@
 
 class PublicFavoritesProject < ActiveRecord::Migration[5.2]
   include CurrentApiClient
-  def change
+  def up
     act_as_system_user do
       public_project_group
       public_project_read_permission
@@ -17,4 +17,7 @@ class PublicFavoritesProject < ActiveRecord::Migration[5.2]
       end
     end
   end
+
+  def down
+  end
 end
diff --git a/services/api/test/fixtures/groups.yml b/services/api/test/fixtures/groups.yml
index ee0d786bbe..31a72f1720 100644
--- a/services/api/test/fixtures/groups.yml
+++ b/services/api/test/fixtures/groups.yml
@@ -56,6 +56,13 @@ system_group:
   description: System-owned Group
   group_class: role
 
+public_favorites_project:
+  uuid: zzzzz-j7d0g-publicfavorites
+  owner_uuid: zzzzz-tpzed-000000000000000
+  name: Public favorites
+  description: Public favorites
+  group_class: project
+
 empty_lonely_group:
   uuid: zzzzz-j7d0g-jtp06ulmvsezgyu
   owner_uuid: zzzzz-tpzed-000000000000000
diff --git a/services/api/test/unit/permission_test.rb b/services/api/test/unit/permission_test.rb
index 10664474c6..123031b35f 100644
--- a/services/api/test/unit/permission_test.rb
+++ b/services/api/test/unit/permission_test.rb
@@ -579,4 +579,24 @@ class PermissionTest < ActiveSupport::TestCase
     assert users(:active).can?(write: prj.uuid)
     assert users(:active).can?(manage: prj.uuid)
   end
+
+  [system_user_uuid, anonymous_user_uuid].each do |u|
+    test "cannot delete system user #{u}" do
+      act_as_system_user do
+        assert_raises ArvadosModel::PermissionDeniedError do
+          User.find_by_uuid(u).destroy
+        end
+      end
+    end
+  end
+
+  [system_group_uuid, anonymous_group_uuid, public_project_uuid].each do |g|
+    test "cannot delete system group #{g}" do
+      act_as_system_user do
+        assert_raises ArvadosModel::PermissionDeniedError do
+          Group.find_by_uuid(g).destroy
+        end
+      end
+    end
+  end
 end
-- 
2.30.2