diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 8835d151..c603a1f4 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -68,6 +68,7 @@ Fixed - Batch import tests failing from forbidden obolibrary access (#1694) - **Samplesheets** - ``perform_project_sync()`` crash with no iRODS collections created (#1687) + - iRODS delete request modification UI view permission checks failing for non-creator contributors (#1737) Removed ------- diff --git a/samplesheets/tests/test_permissions_ajax.py b/samplesheets/tests/test_permissions_ajax.py index 36ea34c2..4a7798b6 100644 --- a/samplesheets/tests/test_permissions_ajax.py +++ b/samplesheets/tests/test_permissions_ajax.py @@ -8,8 +8,14 @@ from projectroles.tests.test_permissions import TestProjectPermissionBase from projectroles.utils import build_secret -from samplesheets.models import ISATab +from samplesheets.models import ( + ISATab, + IrodsDataRequest, + IRODS_REQUEST_ACTION_DELETE, + IRODS_REQUEST_STATUS_ACTIVE, +) from samplesheets.tests.test_io import SampleSheetIOMixin, SHEET_DIR +from samplesheets.tests.test_models import IrodsDataRequestMixin app_settings = AppSettingAPI() @@ -21,6 +27,7 @@ REMOTE_SITE_URL = 'https://sodar.bihealth.org' REMOTE_SITE_SECRET = build_secret() INVALID_SECRET = build_secret() +IRODS_FILE_PATH = '/sodarZone/path/test1.txt' class TestSampleSheetsAjaxPermissionBase( @@ -763,7 +770,7 @@ def setUp(self): # TODO: Set up request data def test_post(self): - """Test POST permissions""" + """Test StudyDisplayConfigAjaxView POST""" good_users = [ self.superuser, self.user_owner_cat, 
@@ -811,9 +818,6 @@ def test_post_archive(self): self.assert_response(self.url, self.user_guest, 400, method='POST') self.assert_response(self.url, self.anonymous, 403, method='POST') - # TODO: Test IrodsDataRequestCreateAjaxView (see sodar_core#823) - # TODO: Test IrodsDataRequestDeleteAjaxView (see sodar_core#823) - class TestSheetVersionCompareAjaxView(TestSampleSheetsAjaxPermissionBase): """Permission tests for SheetVersionCompareAjaxView""" 
@@ -878,3 +882,228 @@ def test_get_archive(self): self.project.set_public() self.assert_response(self.url, [self.user_no_roles], 200) self.assert_response(self.url, [self.anonymous], 403) + + +class TestIrodsDataRequestCreateAjaxView(TestSampleSheetsAjaxPermissionBase): + """Permission tests for IrodsDataRequestCreateAjaxView""" + + @classmethod + def _cleanup(cls): + IrodsDataRequest.objects.all().delete() + + def setUp(self): + super().setUp() + self.url = reverse( + 'samplesheets:ajax_irods_request_create', + kwargs={'project': self.project.sodar_uuid}, + ) + self.post_data = {'path': IRODS_FILE_PATH} + + def test_post(self): + """Test IrodsDataRequestCreateAjaxView POST""" + good_users = [ + self.superuser, + self.user_owner_cat, + self.user_delegate_cat, + self.user_contributor_cat, + self.user_owner, + self.user_delegate, + self.user_contributor, + ] + bad_users = [ + self.user_guest_cat, + self.user_finder_cat, + self.user_guest, + self.user_no_roles, + self.anonymous, + ] + self.assert_response( + self.url, + good_users, + 200, + method='POST', + data=self.post_data, + cleanup_method=self._cleanup, + ) + self.assert_response( + self.url, bad_users, 403, method='POST', data=self.post_data + ) + self.project.set_public() + self.assert_response( + self.url, + self.user_guest, + 403, + method='POST', + data=self.post_data, + cleanup_method=self._cleanup, + ) + self.assert_response( + self.url, self.anonymous, 403, method='POST', data=self.post_data + ) + + @override_settings(PROJECTROLES_ALLOW_ANONYMOUS=True) + def test_post_anon(self): + """Test POST with anonymous guest access""" + self.project.set_public() + self.assert_response( + self.url, self.anonymous, 403, method='POST', data=self.post_data + ) + + def test_post_archive(self): + """Test POST with archived project""" + self.project.set_archive() + good_users = [self.superuser] + bad_users = [ + self.user_owner_cat, + self.user_delegate_cat, + self.user_contributor_cat, + self.user_guest_cat, + 
self.user_finder_cat, + self.user_owner, + self.user_delegate, + self.user_contributor, + self.user_guest, + self.user_no_roles, + self.anonymous, + ] + self.assert_response( + self.url, + good_users, + 200, + method='POST', + data=self.post_data, + cleanup_method=self._cleanup, + ) + self.assert_response( + self.url, bad_users, 403, method='POST', data=self.post_data + ) + self.project.set_public() + self.assert_response( + self.url, + self.user_guest, + 403, + method='POST', + data=self.post_data, + cleanup_method=self._cleanup, + ) + self.assert_response( + self.url, self.anonymous, 403, method='POST', data=self.post_data + ) + + +class TestIrodsDataRequestDeleteAjaxView( + IrodsDataRequestMixin, TestSampleSheetsAjaxPermissionBase +): + """Permission tests for IrodsDataRequestDeleteAjaxView""" + + def _cleanup(self): + self._make_request() + + def _make_request(self): + self.request = self.make_irods_request( + project=self.project, + action=IRODS_REQUEST_ACTION_DELETE, + path=IRODS_FILE_PATH, + status=IRODS_REQUEST_STATUS_ACTIVE, + user=self.user_contributor, + ) + + def setUp(self): + super().setUp() + self.url = reverse( + 'samplesheets:ajax_irods_request_delete', + kwargs={'project': self.project.sodar_uuid}, + ) + self.post_data = {'path': IRODS_FILE_PATH} + self._make_request() + + def test_post(self): + """Test IrodsDataRequestDeleteAjaxView POST""" + good_users = [ + self.superuser, + self.user_contributor, # Request creator + ] + bad_users = [ + self.user_owner_cat, + self.user_delegate_cat, + self.user_contributor_cat, + self.user_owner, + self.user_delegate, + self.user_guest_cat, + self.user_finder_cat, + self.user_guest, + self.user_no_roles, + self.anonymous, + ] + self.assert_response( + self.url, + good_users, + 200, + method='POST', + data=self.post_data, + cleanup_method=self._cleanup, + ) + self.assert_response( + self.url, bad_users, 403, method='POST', data=self.post_data + ) + self.project.set_public() + self.assert_response( + self.url, + 
self.user_guest, + 403, + method='POST', + data=self.post_data, + cleanup_method=self._cleanup, + ) + self.assert_response( + self.url, self.anonymous, 403, method='POST', data=self.post_data + ) + + @override_settings(PROJECTROLES_ALLOW_ANONYMOUS=True) + def test_post_anon(self): + """Test POST with anonymous guest access""" + self.project.set_public() + self.assert_response( + self.url, self.anonymous, 403, method='POST', data=self.post_data + ) + + def test_post_archive(self): + """Test POST with archived project""" + self.project.set_archive() + good_users = [self.superuser] + bad_users = [ + self.user_owner_cat, + self.user_delegate_cat, + self.user_contributor_cat, + self.user_guest_cat, + self.user_finder_cat, + self.user_owner, + self.user_delegate, + self.user_contributor, + self.user_guest, + self.user_no_roles, + self.anonymous, + ] + self.assert_response( + self.url, + good_users, + 200, + method='POST', + data=self.post_data, + cleanup_method=self._cleanup, + ) + self.assert_response( + self.url, bad_users, 403, method='POST', data=self.post_data + ) + self.project.set_public() + self.assert_response( + self.url, + self.user_guest, + 403, + method='POST', + data=self.post_data, + cleanup_method=self._cleanup, + ) + self.assert_response( + self.url, self.anonymous, 403, method='POST', data=self.post_data + )
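Review bot: The denied-user assertions in `TestIrodsDataRequestDeleteAjaxView` (`test_post` and `test_post_archive`) check only the 403 status, so they would still pass if the view rejected the response but had already removed the request. Since this endpoint is destructive, I would pin the state as well by adding `self.assertEqual(IrodsDataRequest.objects.count(), 1)` after each `bad_users` call. Separately, the `user_guest` call after `set_public()` expects 403 but still passes `cleanup_method=self._cleanup`, and in this class `_cleanup` creates a request instead of deleting one. If `assert_response` (defined outside this diff) runs the cleanup after every response, that leaves a second active request for the same path, so I would drop `cleanup_method` from the expected-403 calls. The same argument appears on the 403 calls in `TestIrodsDataRequestCreateAjaxView`, where it is harmless but unnecessary.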