add missing ajax view permission tests (#1706)

bihealth · Jul 31, 2023 · 31b575a · 31b575a
1 parent 99af0f7
commit 31b575a
Show file tree

Hide file tree

Showing 2 changed files with 235 additions and 5 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -68,6 +68,7 @@ Fixed
     - Batch import tests failing from forbidden obolibrary access (#1694)
 - **Samplesheets**
     - ``perform_project_sync()`` crash with no iRODS collections created (#1687)
+    - iRODS delete request modification UI view permission checks failing for non-creator contributors (#1737)
 
 Removed
 -------

diff --git a/samplesheets/tests/test_permissions_ajax.py b/samplesheets/tests/test_permissions_ajax.py
@@ -8,8 +8,14 @@
 from projectroles.tests.test_permissions import TestProjectPermissionBase
 from projectroles.utils import build_secret
 
-from samplesheets.models import ISATab
+from samplesheets.models import (
+    ISATab,
+    IrodsDataRequest,
+    IRODS_REQUEST_ACTION_DELETE,
+    IRODS_REQUEST_STATUS_ACTIVE,
+)
 from samplesheets.tests.test_io import SampleSheetIOMixin, SHEET_DIR
+from samplesheets.tests.test_models import IrodsDataRequestMixin
 
 
 app_settings = AppSettingAPI()
@@ -21,6 +27,7 @@
 REMOTE_SITE_URL = 'https://sodar.bihealth.org'
 REMOTE_SITE_SECRET = build_secret()
 INVALID_SECRET = build_secret()
+IRODS_FILE_PATH = '/sodarZone/path/test1.txt'
 
 
 class TestSampleSheetsAjaxPermissionBase(
@@ -763,7 +770,7 @@ def setUp(self):
         # TODO: Set up request data
 
     def test_post(self):
-        """Test POST permissions"""
+        """Test StudyDisplayConfigAjaxView POST"""
         good_users = [
             self.superuser,
             self.user_owner_cat,
@@ -811,9 +818,6 @@ def test_post_archive(self):
         self.assert_response(self.url, self.user_guest, 400, method='POST')
         self.assert_response(self.url, self.anonymous, 403, method='POST')
 
-    # TODO: Test IrodsDataRequestCreateAjaxView (see sodar_core#823)
-    # TODO: Test IrodsDataRequestDeleteAjaxView (see sodar_core#823)
-
 
 class TestSheetVersionCompareAjaxView(TestSampleSheetsAjaxPermissionBase):
     """Permission tests for SheetVersionCompareAjaxView"""
@@ -878,3 +882,228 @@ def test_get_archive(self):
         self.project.set_public()
         self.assert_response(self.url, [self.user_no_roles], 200)
         self.assert_response(self.url, [self.anonymous], 403)
+
+
+class TestIrodsDataRequestCreateAjaxView(TestSampleSheetsAjaxPermissionBase):
+    """Permission tests for IrodsDataRequestCreateAjaxView"""
+
+    @classmethod
+    def _cleanup(cls):
+        IrodsDataRequest.objects.all().delete()
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'samplesheets:ajax_irods_request_create',
+            kwargs={'project': self.project.sodar_uuid},
+        )
+        self.post_data = {'path': IRODS_FILE_PATH}
+
+    def test_post(self):
+        """Test IrodsDataRequestCreateAjaxView POST"""
+        good_users = [
+            self.superuser,
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+        ]
+        bad_users = [
+            self.user_guest_cat,
+            self.user_finder_cat,
+            self.user_guest,
+            self.user_no_roles,
+            self.anonymous,
+        ]
+        self.assert_response(
+            self.url,
+            good_users,
+            200,
+            method='POST',
+            data=self.post_data,
+            cleanup_method=self._cleanup,
+        )
+        self.assert_response(
+            self.url, bad_users, 403, method='POST', data=self.post_data
+        )
+        self.project.set_public()
+        self.assert_response(
+            self.url,
+            self.user_guest,
+            403,
+            method='POST',
+            data=self.post_data,
+            cleanup_method=self._cleanup,
+        )
+        self.assert_response(
+            self.url, self.anonymous, 403, method='POST', data=self.post_data
+        )
+
+    @override_settings(PROJECTROLES_ALLOW_ANONYMOUS=True)
+    def test_post_anon(self):
+        """Test POST with anonymous guest access"""
+        self.project.set_public()
+        self.assert_response(
+            self.url, self.anonymous, 403, method='POST', data=self.post_data
+        )
+
+    def test_post_archive(self):
+        """Test POST with archived project"""
+        self.project.set_archive()
+        good_users = [self.superuser]
+        bad_users = [
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_finder_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+            self.user_no_roles,
+            self.anonymous,
+        ]
+        self.assert_response(
+            self.url,
+            good_users,
+            200,
+            method='POST',
+            data=self.post_data,
+            cleanup_method=self._cleanup,
+        )
+        self.assert_response(
+            self.url, bad_users, 403, method='POST', data=self.post_data
+        )
+        self.project.set_public()
+        self.assert_response(
+            self.url,
+            self.user_guest,
+            403,
+            method='POST',
+            data=self.post_data,
+            cleanup_method=self._cleanup,
+        )
+        self.assert_response(
+            self.url, self.anonymous, 403, method='POST', data=self.post_data
+        )
+
+
+class TestIrodsDataRequestDeleteAjaxView(
+    IrodsDataRequestMixin, TestSampleSheetsAjaxPermissionBase
+):
+    """Permission tests for IrodsDataRequestDeleteAjaxView"""
+
+    def _cleanup(self):
+        self._make_request()
+
+    def _make_request(self):
+        self.request = self.make_irods_request(
+            project=self.project,
+            action=IRODS_REQUEST_ACTION_DELETE,
+            path=IRODS_FILE_PATH,
+            status=IRODS_REQUEST_STATUS_ACTIVE,
+            user=self.user_contributor,
+        )
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            'samplesheets:ajax_irods_request_delete',
+            kwargs={'project': self.project.sodar_uuid},
+        )
+        self.post_data = {'path': IRODS_FILE_PATH}
+        self._make_request()
+
+    def test_post(self):
+        """Test IrodsDataRequestDeleteAjaxView POST"""
+        good_users = [
+            self.superuser,
+            self.user_contributor,  # Request creator
+        ]
+        bad_users = [
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_guest_cat,
+            self.user_finder_cat,
+            self.user_guest,
+            self.user_no_roles,
+            self.anonymous,
+        ]
+        self.assert_response(
+            self.url,
+            good_users,
+            200,
+            method='POST',
+            data=self.post_data,
+            cleanup_method=self._cleanup,
+        )
+        self.assert_response(
+            self.url, bad_users, 403, method='POST', data=self.post_data
+        )
+        self.project.set_public()
+        self.assert_response(
+            self.url,
+            self.user_guest,
+            403,
+            method='POST',
+            data=self.post_data,
+            cleanup_method=self._cleanup,
+        )
+        self.assert_response(
+            self.url, self.anonymous, 403, method='POST', data=self.post_data
+        )
+
+    @override_settings(PROJECTROLES_ALLOW_ANONYMOUS=True)
+    def test_post_anon(self):
+        """Test POST with anonymous guest access"""
+        self.project.set_public()
+        self.assert_response(
+            self.url, self.anonymous, 403, method='POST', data=self.post_data
+        )
+
+    def test_post_archive(self):
+        """Test POST with archived project"""
+        self.project.set_archive()
+        good_users = [self.superuser]
+        bad_users = [
+            self.user_owner_cat,
+            self.user_delegate_cat,
+            self.user_contributor_cat,
+            self.user_guest_cat,
+            self.user_finder_cat,
+            self.user_owner,
+            self.user_delegate,
+            self.user_contributor,
+            self.user_guest,
+            self.user_no_roles,
+            self.anonymous,
+        ]
+        self.assert_response(
+            self.url,
+            good_users,
+            200,
+            method='POST',
+            data=self.post_data,
+            cleanup_method=self._cleanup,
+        )
+        self.assert_response(
+            self.url, bad_users, 403, method='POST', data=self.post_data
+        )
+        self.project.set_public()
+        self.assert_response(
+            self.url,
+            self.user_guest,
+            403,
+            method='POST',
+            data=self.post_data,
+            cleanup_method=self._cleanup,
+        )
+        self.assert_response(
+            self.url, self.anonymous, 403, method='POST', data=self.post_data
+        )