[ARVADOS] updated: 043a68cf46920499a96f21ef8b584607e82374d0

git at public.curoverse.com git at public.curoverse.com
Mon Jul 14 15:01:43 EDT 2014


Summary of changes:
 .../app/controllers/arvados/v1/users_controller.rb |  2 +-
 .../arvados/v1/groups_controller_test.rb           | 37 ++++++++++++++++++----
 2 files changed, 31 insertions(+), 8 deletions(-)

       via  043a68cf46920499a96f21ef8b584607e82374d0 (commit)
       via  48215a979585cc2de5d985e9a69912afd31b3bce (commit)
      from  1a443cf1eae37912dc90c1d74f41d7a1c68f5587 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 043a68cf46920499a96f21ef8b584607e82374d0
Author: Brett Smith <brett at curoverse.com>
Date:   Mon Jul 14 15:02:33 2014 -0400

    2044: Fixup 1a443cf1: More project reader tests.

diff --git a/services/api/test/functional/arvados/v1/groups_controller_test.rb b/services/api/test/functional/arvados/v1/groups_controller_test.rb
index 1e7a881..0b76029 100644
--- a/services/api/test/functional/arvados/v1/groups_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/groups_controller_test.rb
@@ -83,22 +83,39 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
     check_project_contents_response
   end
 
-  # Even though the next two tests go through other controllers, I'm
-  # putting them here so they're easy to find alongside the other
+  # Even though the project_viewer tests go through other controllers,
+  # I'm putting them here so they're easy to find alongside the other
   # project tests.
-  test "user with project read permission can't add users to it" do
+  def check_new_project_link_fails(link_attrs)
     @controller = Arvados::V1::LinksController.new
-    authorize_with :project_viewer
     post :create, link: {
-      tail_uuid: users(:spectator).uuid,
       link_class: "permission",
       name: "can_read",
       head_uuid: groups(:aproject).uuid,
-    }
-    # 404 seems like the best error, but that's not nailed down yet.
+    }.merge(link_attrs)
     assert_includes(403..422, response.status)
   end
 
+  test "user with project read permission can't add users to it" do
+    authorize_with :project_viewer
+    check_new_project_link_fails(tail_uuid: users(:spectator).uuid)
+  end
+
+  test "user with project read permission can't add items to it" do
+    authorize_with :project_viewer
+    check_new_project_link_fails(tail_uuid: collections(:baz_file).uuid)
+  end
+
+  test "user with project read permission can't rename items in it" do
+    authorize_with :project_viewer
+    @controller = Arvados::V1::LinksController.new
+    post :update, {
+      id: links(:job_name_in_aproject).uuid,
+      link: {name: "Denied test name"},
+    }
+    assert_includes(403..404, response.status)
+  end
+
   test "user with project read permission can't remove items from it" do
     @controller = Arvados::V1::PipelineTemplatesController.new
     authorize_with :project_viewer
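Review bot: `check_new_project_link_fails` accepts any status in `403..422`, so the "can't add users" and "can't add items" tests pass on a 422 validation error just as readily as on a permission denial, and nothing confirms that no link was written. The commit also removes the comment that explained why the range is loose; I would restore something like `# Exact denial status is not settled yet; narrow this range once it is.` Wrapping the request in `assert_no_difference("Link.count") do ... end` (assuming the model is `Link`) would make the test fail if a read-only user's request ever persists a permission link. The rename test in this hunk has the same gap and could reload the fixture to assert that the name is unchanged. The test class begins before this hunk, and the last test shown continues past it.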
@@ -111,6 +128,12 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
     assert_response 403
   end
 
+  test "user with project read permission can't delete it" do
+    authorize_with :project_viewer
+    post :destroy, {id: groups(:aproject).uuid}
+    assert_response 403
+  end
+
   test 'get group-owned objects with limit' do
     authorize_with :active
     get :contents, {
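Review bot: The new "can't delete it" test sends `post :destroy`, whereas the route for this action is presumably DELETE. As far as I know, functional tests invoke the action whatever the verb, so the test passes, but `delete :destroy, {id: groups(:aproject).uuid}` would match what a client actually sends. A 403 alone does not show the record was left untouched, so it is worth also asserting that the project can still be looked up after the request. The following test, 'get group-owned objects with limit', continues outside the hunk.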

commit 48215a979585cc2de5d985e9a69912afd31b3bce
Author: Brett Smith <brett at curoverse.com>
Date:   Mon Jul 14 15:01:59 2014 -0400

    2044: Fixup a33fb608: Punctuation tweak from review.

diff --git a/services/api/app/controllers/arvados/v1/users_controller.rb b/services/api/app/controllers/arvados/v1/users_controller.rb
index a31fddc..a044fb7 100644
--- a/services/api/app/controllers/arvados/v1/users_controller.rb
+++ b/services/api/app/controllers/arvados/v1/users_controller.rb
@@ -123,7 +123,7 @@ class Arvados::V1::UsersController < ApplicationController
   end
 
   def find_objects_for_index
-    if (action_name == "index") and not @read_users.any? { |u| u.is_admin }
+    if (action_name == "index") and (not @read_users.any? { |u| u.is_admin })
       # Non-admin index returns very basic information about all active users.
       # We ignore where and filters params to avoid leaking information.
       @where = {}
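Review bot: The parentheses added around `not @read_users.any? { ... }` are there to stop the low-precedence `and`/`not` keywords being misread. That matters here because this condition decides whether the `where` and filter parameters are discarded for non-admin callers. Writing it as `if action_name == "index" && @read_users.none? { |u| u.is_admin }` has the same meaning without depending on keyword precedence. `find_objects_for_index` continues past the end of the hunk, so the rest of the branch is not visible here.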

-----------------------------------------------------------------------


hooks/post-receive
-- 



