[ARVADOS] updated: 1.3.0-2621-g0c1b46dcf

Git user git at public.arvados.org
Tue Jun 2 17:27:41 UTC 2020 

Summary of changes:
 apps/workbench/test/integration/projects_test.rb |  2 +-
 services/api/app/models/link.rb                  | 13 +++++++---
 services/api/test/unit/permission_test.rb        | 32 ++++++++++++++++++++++--
 3 files changed, 40 insertions(+), 7 deletions(-)

       via  0c1b46dcfb5fce2f8fc73587adaeebfde8fa9268 (commit)
      from  3c3b8359373bb3046ccbb51b5a26504d73868716 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 0c1b46dcfb5fce2f8fc73587adaeebfde8fa9268
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Tue Jun 2 13:26:48 2020 -0400

    16007: Reenable updating the permission level of a link
    
    Add test to ensure permission table is synchronized when updating the
    level of an existing permission link.
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/apps/workbench/test/integration/projects_test.rb b/apps/workbench/test/integration/projects_test.rb
index 17ab5e466..7a5103007 100644
--- a/apps/workbench/test/integration/projects_test.rb
+++ b/apps/workbench/test/integration/projects_test.rb
@@ -132,7 +132,7 @@ class ProjectsTest < ActionDispatch::IntegrationTest
     show_object_using('active', 'groups', 'aproject', 'A Project')
     click_on "Sharing"
     click_on "Share with groups"
-    good_uuid = api_fixture("groups")["private"]["uuid"]
+    good_uuid = api_fixture("groups")["future_project_viewing_group"]["uuid"]
     assert(page.has_selector?(".selectable[data-object-uuid=\"#{good_uuid}\"]"),
            "'share with groups' listing missing owned user group")
     bad_uuid = api_fixture("groups")["asubproject"]["uuid"]
diff --git a/services/api/app/models/link.rb b/services/api/app/models/link.rb
index a7dfe8175..b63e04f74 100644
--- a/services/api/app/models/link.rb
+++ b/services/api/app/models/link.rb
@@ -13,7 +13,7 @@ class Link < ArvadosModel
 
   validate :name_links_are_obsolete
   validate :permission_to_attach_to_objects
-  before_update :cannot_alter_permissions
+  before_update :restrict_alter_permissions
   after_update :call_update_permissions
   after_create :call_update_permissions
   before_destroy :clear_permissions
@@ -50,6 +50,11 @@ class Link < ArvadosModel
     # All users can write links that don't affect permissions
     return true if self.link_class != 'permission'
 
+    if PERM_LEVEL[self.name].nil?
+      errors.add(:name, "is invalid permission, must be one of 'can_read', 'can_write', 'can_manage', 'can_login'")
+      return false
+    end
+
     rsc_class = ArvadosModel::resource_class_for_uuid tail_uuid
     if rsc_class == Group
       tail_obj = Group.find_by_uuid(tail_uuid)
@@ -84,13 +89,13 @@ class Link < ArvadosModel
     false
   end
 
-  def cannot_alter_permissions
+  def restrict_alter_permissions
     return true if self.link_class != 'permission' && self.link_class_was != 'permission'
 
     return true if current_user.andand.uuid == system_user.uuid
 
-    if link_class_changed? || name_changed? || tail_uuid_changed? || head_uuid_changed?
-      raise "Cannot alter a permission link"
+    if link_class_changed? || tail_uuid_changed? || head_uuid_changed?
+      raise "Can only alter permission link level"
     end
   end
 
diff --git a/services/api/test/unit/permission_test.rb b/services/api/test/unit/permission_test.rb
index 27ae4c6a9..31537effb 100644
--- a/services/api/test/unit/permission_test.rb
+++ b/services/api/test/unit/permission_test.rb
@@ -46,7 +46,7 @@ class PermissionTest < ActiveSupport::TestCase
   end
 
   test "readable_by" do
-    set_user_from_auth :active_trustedclient
+    set_user_from_auth :admin
 
     ob = Specimen.create!
     Link.create!(tail_uuid: users(:active).uuid,
@@ -57,7 +57,7 @@ class PermissionTest < ActiveSupport::TestCase
   end
 
   test "writable_by" do
-    set_user_from_auth :active_trustedclient
+    set_user_from_auth :admin
 
     ob = Specimen.create!
     Link.create!(tail_uuid: users(:active).uuid,
@@ -67,6 +67,34 @@ class PermissionTest < ActiveSupport::TestCase
     assert ob.writable_by.include?(users(:active).uuid), "user does not have write permission"
   end
 
+  test "update permission link" do
+    set_user_from_auth :admin
+
+    grp = Group.create! name: "blah project", group_class: "project"
+    ob = Specimen.create! owner_uuid: grp.uuid
+
+    assert !users(:active).can?(write: ob)
+    assert !users(:active).can?(read: ob)
+
+    l1 = Link.create!(tail_uuid: users(:active).uuid,
+                 head_uuid: grp.uuid,
+                 link_class: 'permission',
+                 name: 'can_write')
+
+    assert users(:active).can?(write: ob)
+    assert users(:active).can?(read: ob)
+
+    l1.update_attributes!(name: 'can_read')
+
+    assert !users(:active).can?(write: ob)
+    assert users(:active).can?(read: ob)
+
+    l1.destroy
+
+    assert !users(:active).can?(write: ob)
+    assert !users(:active).can?(read: ob)
+  end
+
   test "writable_by reports requesting user's own uuid for a writable project" do
     invited_to_write = users(:project_viewer)
     group = groups(:asubproject)

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list