fix archived project permissions, cleanup (#1706)

bihealth · Jul 28, 2023 · 62f2b6b · 62f2b6b
1 parent 618f03d
commit 62f2b6b
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 19 deletions.
diff --git a/samplesheets/tests/test_permissions_api.py b/samplesheets/tests/test_permissions_api.py
@@ -1,7 +1,5 @@
 """Tests for REST API View permissions in the samplesheets app"""
 
-# TODO: Fix behaviour on archive!
-
 import uuid
 
 from django.test import override_settings
@@ -550,7 +548,7 @@ def test_accept_anon(self):
         """Test POST in IrodsDataRequestRejectAPIView with anonymous access"""
         self.assert_response_api(self.url, self.anonymous, 401, method='POST')
 
-    def test_reject_archived(self):
+    def test_reject_archive(self):
         """Test POST in IrodsDataRequestUpdateAPIView with archived project"""
         self.project.set_archive()
         good_users = [self.superuser]
@@ -635,11 +633,10 @@ def test_delete_anon(self):
         self.project.set_public()
         self.assert_response_api(self.url, self.anonymous, 401, method='DELETE')
 
-    # TODO: Fix!
-    def test_delete_archived(self):
+    def test_delete_archive(self):
         """Test DELETE with archived project"""
         self.project.set_archive()
-        good_users = [self.superuser, self.user_contributor]
+        good_users = [self.superuser]
         bad_users = [
             self.user_owner_cat,
             self.user_delegate_cat,
@@ -648,6 +645,7 @@ def test_delete_archived(self):
             self.user_finder_cat,
             self.user_owner,
             self.user_delegate,
+            self.user_contributor,
             self.user_guest,
             self.user_no_roles,
         ]

diff --git a/samplesheets/tests/test_permissions_api_taskflow.py b/samplesheets/tests/test_permissions_api_taskflow.py
@@ -1,7 +1,5 @@
 """Tests for samplesheets REST API view permissions with taskflow"""
 
-# TODO: Fix behaviour on archive!
-
 import os
 
 from irods.keywords import REG_CHKSUM_KW
@@ -172,7 +170,7 @@ def test_get_anon(self):
         """Test GET with anonymous access"""
         self.assert_response_api(self.url, self.anonymous, 401)
 
-    def test_get_archived(self):
+    def test_get_archive(self):
         """Test GET with archived project"""
         self.project.set_archive()
         good_users = [self.superuser]
@@ -243,7 +241,7 @@ def test_create_anon(self):
             data=self.post_data,
         )
 
-    def test_create_archived(self):
+    def test_create_archive(self):
         """Test POST with archived project"""
         self.project.set_archive()
         good_users = [self.superuser]
@@ -317,11 +315,10 @@ def test_update_anon(self):
             self.url, self.anonymous, 401, method='PUT', data=self.update_data
         )
 
-    # TODO: Fix this! Contributor should not be allowed to edit when archived
-    def test_update_archived(self):
+    def test_update_archive(self):
         """Test POST with archived project"""
         self.project.set_archive()
-        good_users = [self.superuser, self.user_contributor]
+        good_users = [self.superuser]
         bad_users = [
             self.user_owner_cat,
             self.user_delegate_cat,
@@ -330,6 +327,7 @@ def test_update_archived(self):
             self.user_finder_cat,
             self.user_owner,
             self.user_delegate,
+            self.user_contributor,
             self.user_guest,
             self.user_no_roles,
         ]
@@ -394,7 +392,7 @@ def test_accept_anon(self):
         """Test POST with anonymous access"""
         self.assert_response_api(self.url, self.anonymous, 401, method='POST')
 
-    def test_accept_archived(self):
+    def test_accept_archive(self):
         """Test POST with archived project"""
         self.project.set_archive()
         good_users = [self.superuser]

diff --git a/samplesheets/views.py b/samplesheets/views.py
@@ -43,6 +43,7 @@
     ROLE_RANKING,
 )
 from projectroles.plugins import get_backend_api
+from projectroles.rules import can_modify_project_data
 from projectroles.utils import build_secret
 from projectroles.views import (
     LoginRequiredMixin,
@@ -1180,14 +1181,17 @@ def reject_request(
             # Handle project alerts
             cls.handle_alerts_deactivate(irods_request, app_alerts)
 
-    def has_irods_request_perms(self, request, irods_request):
-        """Check permissions for a landing zone."""
+    def has_irods_request_update_perms(self, request, irods_request):
+        """Check permissions for iRODS data request updating"""
         if (
             request.user.is_superuser
             or request.user.has_perm(
                 'samplesheets.manage_sheet', irods_request.project
             )
-            or request.user == irods_request.user
+            or (
+                request.user == irods_request.user
+                and can_modify_project_data(request.user, irods_request.project)
+            )
         ):
             return True
         return False

diff --git a/samplesheets/views_api.py b/samplesheets/views_api.py
@@ -424,7 +424,9 @@ class IrodsDataRequestUpdateAPIView(
 
     def perform_update(self, serializer):
         """Override perform_update() to update IrodsDataRequest"""
-        if not self.has_irods_request_perms(self.request, serializer.instance):
+        if not self.has_irods_request_update_perms(
+            self.request, serializer.instance
+        ):
             raise PermissionDenied
         serializer.save()
         # Add timeline event
@@ -450,7 +452,7 @@ def perform_destroy(self, instance):
         """
         Override perform_destroy() to delete IrodsDataRequest
         """
-        if not self.has_irods_request_perms(self.request, instance):
+        if not self.has_irods_request_update_perms(self.request, instance):
             raise PermissionDenied
         instance.delete()
         # Add timeline event