From 2404ef48996bfe7d2eba57e617e373b3a6bc5f6e Mon Sep 17 00:00:00 2001 From: Nick Muerdter <12112+GUI@users.noreply.github.com> Date: Tue, 23 Jan 2024 14:15:15 -0700 Subject: [PATCH] More work on read-only views for admin_view permissions. --- .../components/admin-groups/record-form.js | 15 +- .../app/components/admins/record-form.js | 7 +- .../app/components/api-scopes/record-form.js | 7 +- .../app/components/api-users/record-form.js | 9 +- .../app/controllers/admin-groups/index.js | 10 ++ .../admin-ui/app/controllers/admins/index.js | 10 ++ .../app/controllers/api-scopes/index.js | 10 ++ .../app/templates/admin-groups/index.hbs | 8 +- .../admin-ui/app/templates/admins/index.hbs | 8 +- .../app/templates/api-scopes/index.hbs | 8 +- .../components/admin-groups/record-form.hbs | 16 +- .../components/admins/record-form.hbs | 4 +- .../components/api-scopes/record-form.hbs | 16 +- src/api-umbrella/web-app/models/admin.lua | 8 +- .../v1/admin_groups/test_admin_permissions.rb | 10 +- test/apis/v1/admins/test_admin_permissions.rb | 37 +++- .../v1/api_scopes/test_admin_permissions.rb | 10 +- test/apis/v1/users/test_admin_permissions.rb | 161 ++++++++++++++++++ test/apis/v1/users/test_permissions.rb | 8 - .../admin_permissions.rb | 45 ++++- 20 files changed, 346 insertions(+), 61 deletions(-) create mode 100644 src/api-umbrella/admin-ui/app/controllers/admin-groups/index.js create mode 100644 src/api-umbrella/admin-ui/app/controllers/admins/index.js create mode 100644 src/api-umbrella/admin-ui/app/controllers/api-scopes/index.js create mode 100644 test/apis/v1/users/test_admin_permissions.rb diff --git a/src/api-umbrella/admin-ui/app/components/admin-groups/record-form.js b/src/api-umbrella/admin-ui/app/components/admin-groups/record-form.js index 45185e0ab..ae058d592 100644 --- a/src/api-umbrella/admin-ui/app/components/admin-groups/record-form.js +++ b/src/api-umbrella/admin-ui/app/components/admin-groups/record-form.js 
@@ -1,6 +1,8 @@ // eslint-disable-next-line ember/no-classic-components import Component from '@ember/component'; -import { action } from '@ember/object'; +import { action, computed } from '@ember/object'; +import { reads } from '@ember/object/computed'; +import { inject } from '@ember/service'; import { tagName } from '@ember-decorators/component'; // eslint-disable-next-line ember/no-mixins import Save from 'api-umbrella-admin-ui/mixins/save'; @@ -10,6 +12,17 @@ import escape from 'lodash-es/escape'; @classic @tagName("") export default class RecordForm extends Component.extend(Save) { + @inject() + session; + + @reads('session.data.authenticated.admin') + currentAdmin; + + @computed('currentAdmin.permissions.admin_manage') + get isDisabled() { + return !this.currentAdmin.permissions.admin_manage; + } + @action submitForm(event) { event.preventDefault(); diff --git a/src/api-umbrella/admin-ui/app/components/admins/record-form.js b/src/api-umbrella/admin-ui/app/components/admins/record-form.js index 1709b939d..b1f5d5b21 100644 --- a/src/api-umbrella/admin-ui/app/components/admins/record-form.js +++ b/src/api-umbrella/admin-ui/app/components/admins/record-form.js @@ -1,6 +1,6 @@ // eslint-disable-next-line ember/no-classic-components import Component from '@ember/component'; -import { action } from '@ember/object'; +import { action, computed } from '@ember/object'; import { reads } from '@ember/object/computed'; import { inject } from '@ember/service'; import { tagName } from '@ember-decorators/component'; @@ -20,6 +20,11 @@ export default class RecordForm extends Component.extend(Save) { @reads('session.data.authenticated.admin') currentAdmin; + @computed('currentAdmin.permissions.admin_manage') + get isDisabled() { + return !this.currentAdmin.permissions.admin_manage; + } + get usernameLabel() { return usernameLabel(); } 
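Review bot: The `isDisabled` getter added in the class hunk has no comment saying that it is presentational only: it renders the form read-only for admins without admin_manage, while the actual rejection of create/update/destroy is enforced by the API (the Ruby tests in this patch assert 403 for those calls). A comment such as `// Presentational only: the API rejects writes without admin_manage; this just renders the form read-only.` above the getter would keep a later reader from treating it as the access control. The same getter is added verbatim to admins/record-form.js on this line and api-scopes/record-form.js on the next, and api-users/record-form.js differs only in the permission key, so a small shared mixin or helper parameterised by the permission name would remove the repetition. `this.currentAdmin.permissions` is read without a guard, which presumably relies on the authenticated session always carrying a permissions map — confirm against the session payload.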
diff --git a/src/api-umbrella/admin-ui/app/components/api-scopes/record-form.js b/src/api-umbrella/admin-ui/app/components/api-scopes/record-form.js index bdbf3f107..0f147ef0b 100644 --- a/src/api-umbrella/admin-ui/app/components/api-scopes/record-form.js +++ b/src/api-umbrella/admin-ui/app/components/api-scopes/record-form.js @@ -1,6 +1,6 @@ // eslint-disable-next-line ember/no-classic-components import Component from '@ember/component'; -import { action } from '@ember/object'; +import { action, computed } from '@ember/object'; import { reads } from '@ember/object/computed'; import { inject } from '@ember/service'; import { tagName } from '@ember-decorators/component'; @@ -18,6 +18,11 @@ export default class RecordForm extends Component.extend(Save) { @reads('session.data.authenticated.admin') currentAdmin; + @computed('currentAdmin.permissions.admin_manage') + get isDisabled() { + return !this.currentAdmin.permissions.admin_manage; + } + @action submitForm(event) { event.preventDefault(); diff --git a/src/api-umbrella/admin-ui/app/components/api-users/record-form.js b/src/api-umbrella/admin-ui/app/components/api-users/record-form.js index f49b63149..b11ad81dc 100644 --- a/src/api-umbrella/admin-ui/app/components/api-users/record-form.js +++ b/src/api-umbrella/admin-ui/app/components/api-users/record-form.js @@ -1,6 +1,7 @@ // eslint-disable-next-line ember/no-classic-components import Component from '@ember/component'; import { action, computed } from '@ember/object'; +import { reads } from '@ember/object/computed'; import { inject } from '@ember/service'; // eslint-disable-next-line ember/no-mixins import Save from 'api-umbrella-admin-ui/mixins/save'; 
@@ -24,10 +25,12 @@ export default class RecordForm extends Component.extend(Save) { { id: false, name: 'Disabled' }, ]; - @computed('session.data.authenticated.admin') + @reads('session.data.authenticated.admin') + currentAdmin; + + @computed('currentAdmin.permissions.user_manage') get isDisabled() { - const currentAdmin = this.session.data.authenticated.admin; - return !currentAdmin.permissions.user_manage; + return !this.currentAdmin.permissions.user_manage; } @action diff --git a/src/api-umbrella/admin-ui/app/controllers/admin-groups/index.js b/src/api-umbrella/admin-ui/app/controllers/admin-groups/index.js new file mode 100644 index 000000000..76a86edaa --- /dev/null +++ b/src/api-umbrella/admin-ui/app/controllers/admin-groups/index.js @@ -0,0 +1,10 @@ +import Controller from '@ember/controller'; +import { inject as service } from '@ember/service'; + +export default class IndexController extends Controller { + @service session; + + get currentAdmin() { + return this.session.data.authenticated.admin; + } +} diff --git a/src/api-umbrella/admin-ui/app/controllers/admins/index.js b/src/api-umbrella/admin-ui/app/controllers/admins/index.js new file mode 100644 index 000000000..76a86edaa --- /dev/null +++ b/src/api-umbrella/admin-ui/app/controllers/admins/index.js @@ -0,0 +1,10 @@ +import Controller from '@ember/controller'; +import { inject as service } from '@ember/service'; + +export default class IndexController extends Controller { + @service session; + + get currentAdmin() { + return this.session.data.authenticated.admin; + } +} diff --git a/src/api-umbrella/admin-ui/app/controllers/api-scopes/index.js b/src/api-umbrella/admin-ui/app/controllers/api-scopes/index.js new file mode 100644 index 000000000..76a86edaa --- /dev/null +++ b/src/api-umbrella/admin-ui/app/controllers/api-scopes/index.js 
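Review bot: The three new `IndexController` files (admin-groups and admins on this line, api-scopes on the next) are byte-identical, down to the same blob id in their `index` lines, so a single shared controller re-exported or subclassed from a common base would avoid maintaining three copies. Their `currentAdmin` is a plain getter, while the record-form components in the same patch obtain the same value through `@reads('session.data.authenticated.admin')`; choosing one form for both keeps the pattern consistent. The getter also deserves a short comment, e.g. `// Current admin from the session; templates read .permissions to decide which controls to render (the API still enforces them).`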
@@ -0,0 +1,10 @@ +import Controller from '@ember/controller'; +import { inject as service } from '@ember/service'; + +export default class IndexController extends Controller { + @service session; + + get currentAdmin() { + return this.session.data.authenticated.admin; + } +} diff --git a/src/api-umbrella/admin-ui/app/templates/admin-groups/index.hbs b/src/api-umbrella/admin-ui/app/templates/admin-groups/index.hbs index c7a572ada..ccf4b99e7 100644 --- a/src/api-umbrella/admin-ui/app/templates/admin-groups/index.hbs +++ b/src/api-umbrella/admin-ui/app/templates/admin-groups/index.hbs @@ -1,7 +1,9 @@

Admin Groups

-
- Add New Admin Group -
+{{#if this.currentAdmin.permissions.admin_manage}} +
+ Add New Admin Group +
+{{/if}} diff --git a/src/api-umbrella/admin-ui/app/templates/admins/index.hbs b/src/api-umbrella/admin-ui/app/templates/admins/index.hbs index cd0c7fcb6..7b7407048 100644 --- a/src/api-umbrella/admin-ui/app/templates/admins/index.hbs +++ b/src/api-umbrella/admin-ui/app/templates/admins/index.hbs @@ -1,7 +1,9 @@

Admins

-
- Add New Admin -
+{{#if this.currentAdmin.permissions.admin_manage}} +
+ Add New Admin +
+{{/if}} diff --git a/src/api-umbrella/admin-ui/app/templates/api-scopes/index.hbs b/src/api-umbrella/admin-ui/app/templates/api-scopes/index.hbs index ea2be760d..a23cfd061 100644 --- a/src/api-umbrella/admin-ui/app/templates/api-scopes/index.hbs +++ b/src/api-umbrella/admin-ui/app/templates/api-scopes/index.hbs @@ -1,7 +1,9 @@

API Scopes

-
- Add New API Scope -
+{{#if this.currentAdmin.permissions.admin_manage}} +
+ Add New API Scope +
+{{/if}} diff --git a/src/api-umbrella/admin-ui/app/templates/components/admin-groups/record-form.hbs b/src/api-umbrella/admin-ui/app/templates/components/admin-groups/record-form.hbs index ae5143af9..951b80f72 100644 --- a/src/api-umbrella/admin-ui/app/templates/components/admin-groups/record-form.hbs +++ b/src/api-umbrella/admin-ui/app/templates/components/admin-groups/record-form.hbs @@ -3,7 +3,7 @@
-
+
{{f.text-field "name" label="Group Name"}} {{f.checkboxes-field "apiScopeIds" label="Scopes" options=this.apiScopeOptions}} {{f.checkboxes-field "permissionIds" label="Permissions" options=this.permissionOptions}} @@ -25,7 +25,9 @@
- + {{#unless this.isDisabled}} + + {{/unless}}
{{#if this.model.id}} @@ -35,10 +37,12 @@
{{#if this.model.id}} - + {{#unless this.isDisabled}} + + {{/unless}} {{/if}} - \ No newline at end of file + diff --git a/src/api-umbrella/admin-ui/app/templates/components/admins/record-form.hbs b/src/api-umbrella/admin-ui/app/templates/components/admins/record-form.hbs index 9d1b93be9..b2e9f277e 100644 --- a/src/api-umbrella/admin-ui/app/templates/components/admins/record-form.hbs +++ b/src/api-umbrella/admin-ui/app/templates/components/admins/record-form.hbs @@ -54,8 +54,8 @@
{{/if}} - {{#if this.currentAdmin.permissions.admin_manage}} -
+ {{#if (or this.currentAdmin.permissions.admin_manage this.currentAdmin.permissions.admin_view)}} +
Permissions {{f.checkboxes-field "groupIds" label=(t "Groups") options=this.groupOptions}} diff --git a/src/api-umbrella/admin-ui/app/templates/components/api-scopes/record-form.hbs b/src/api-umbrella/admin-ui/app/templates/components/api-scopes/record-form.hbs index b0a9f7de1..305eeff32 100644 --- a/src/api-umbrella/admin-ui/app/templates/components/api-scopes/record-form.hbs +++ b/src/api-umbrella/admin-ui/app/templates/components/api-scopes/record-form.hbs @@ -3,7 +3,7 @@
-
+
{{f.text-field "name" label="Name"}} {{f.text-field "host" label="Host"}} {{f.text-field "pathPrefix" label="Path Prefix"}} @@ -39,7 +39,9 @@
- + {{#unless this.isDisabled}} + + {{/unless}}
{{#if this.model.id}} @@ -49,10 +51,12 @@
{{#if this.model.id}} - + {{#unless this.isDisabled}} + + {{/unless}} {{/if}} - \ No newline at end of file + diff --git a/src/api-umbrella/web-app/models/admin.lua b/src/api-umbrella/web-app/models/admin.lua index 6968fddb1..4dd5caabb 100644 --- a/src/api-umbrella/web-app/models/admin.lua +++ b/src/api-umbrella/web-app/models/admin.lua @@ -246,7 +246,6 @@ Admin = model_ext.new_class("admins", { username = json_null_default(self.username), email = json_null_default(self.email), name = json_null_default(self.name), - notes = json_null_default(self.notes), superuser = json_null_default(self.superuser), current_sign_in_provider = json_null_default(self.current_sign_in_provider), last_sign_in_provider = json_null_default(self.last_sign_in_provider), @@ -275,7 +274,12 @@ Admin = model_ext.new_class("admins", { version = 1, } - if ngx.ctx.current_admin and ngx.ctx.current_admin.id == self.id then + local current_admin = ngx.ctx.current_admin + if current_admin and current_admin:allows_permission("admin_manage") then + data["notes"] = json_null_default(self.notes) + end + + if current_admin and current_admin.id == self.id then data["authentication_token"] = self:authentication_token_decrypted() end diff --git a/test/apis/v1/admin_groups/test_admin_permissions.rb b/test/apis/v1/admin_groups/test_admin_permissions.rb index 2f88c5f6c..ba158ade2 100644 --- a/test/apis/v1/admin_groups/test_admin_permissions.rb +++ b/test/apis/v1/admin_groups/test_admin_permissions.rb 
@@ -112,14 +112,14 @@ def assert_admin_permitted(factory, admin) assert_admin_permitted_index(factory, admin) assert_admin_permitted_show(factory, admin) permission_ids = admin.groups.map { |group| group.permission_ids }.flatten.uniq - if permission_ids.include?("admin_view") && !permission_ids.include?("admin_manage") - assert_admin_forbidden_create(factory, admin) - assert_admin_forbidden_update(factory, admin) - assert_admin_forbidden_destroy(factory, admin) - else + if admin.superuser? || permission_ids.include?("admin_manage") assert_admin_permitted_create(factory, admin) assert_admin_permitted_update(factory, admin) assert_admin_permitted_destroy(factory, admin) + else + assert_admin_forbidden_create(factory, admin) + assert_admin_forbidden_update(factory, admin) + assert_admin_forbidden_destroy(factory, admin) end end diff --git a/test/apis/v1/admins/test_admin_permissions.rb b/test/apis/v1/admins/test_admin_permissions.rb index e841e5bb3..9cc961491 100644 --- a/test/apis/v1/admins/test_admin_permissions.rb +++ b/test/apis/v1/admins/test_admin_permissions.rb 
@@ -270,20 +270,47 @@ def test_permits_any_admin_to_view_but_not_edit_own_record assert_equal(0, active_count - initial_count) end + def test_notes_only_visible_to_admin_managers_and_superusers + record = FactoryBot.create(:google_admin, :notes => "Private notes") + + superuser_admin = FactoryBot.create(:admin) + response = Typhoeus.get("https://127.0.0.1:9081/api-umbrella/v1/admins/#{record.id}.json", http_options.deep_merge(admin_token(superuser_admin))) + assert_response_code(200, response) + data = MultiJson.load(response.body) + assert_equal("Private notes", data.fetch("admin").fetch("notes")) + + manager_admin = FactoryBot.create(:limited_admin, :groups => [ + FactoryBot.create(:google_admin_group, :admin_view_and_manage_permission), + ]) + response = Typhoeus.get("https://127.0.0.1:9081/api-umbrella/v1/admins/#{record.id}.json", http_options.deep_merge(admin_token(manager_admin))) + assert_response_code(200, response) + data = MultiJson.load(response.body) + assert_equal("Private notes", data.fetch("admin").fetch("notes")) + + viewer_admin = FactoryBot.create(:limited_admin, :groups => [ + FactoryBot.create(:google_admin_group, :admin_view_permission), + ]) + response = Typhoeus.get("https://127.0.0.1:9081/api-umbrella/v1/admins/#{record.id}.json", http_options.deep_merge(admin_token(viewer_admin))) + assert_response_code(200, response) + data = MultiJson.load(response.body) + refute_includes(data.fetch("admin").keys, "notes") + refute_includes("Private notes", response.body) + end + private def assert_admin_permitted(factory, admin) assert_admin_permitted_index(factory, admin) assert_admin_permitted_show(factory, admin) permission_ids = admin.groups.map { |group| group.permission_ids }.flatten.uniq - if permission_ids.include?("admin_view") && !permission_ids.include?("admin_manage") - assert_admin_forbidden_create(factory, admin) - assert_admin_forbidden_update(factory, admin) - assert_admin_forbidden_destroy(factory, admin) - else + if admin.superuser? 
|| permission_ids.include?("admin_manage") assert_admin_permitted_create(factory, admin) assert_admin_permitted_update(factory, admin) assert_admin_permitted_destroy(factory, admin) + else + assert_admin_forbidden_create(factory, admin) + assert_admin_forbidden_update(factory, admin) + assert_admin_forbidden_destroy(factory, admin) end end diff --git a/test/apis/v1/api_scopes/test_admin_permissions.rb b/test/apis/v1/api_scopes/test_admin_permissions.rb index 3c03c4ed9..42aaabf0e 100644 --- a/test/apis/v1/api_scopes/test_admin_permissions.rb +++ b/test/apis/v1/api_scopes/test_admin_permissions.rb @@ -74,14 +74,14 @@ def assert_admin_permitted(factory, admin) assert_admin_permitted_index(factory, admin) assert_admin_permitted_show(factory, admin) permission_ids = admin.groups.map { |group| group.permission_ids }.flatten.uniq - if permission_ids.include?("admin_view") && !permission_ids.include?("admin_manage") - assert_admin_forbidden_create(factory, admin) - assert_admin_forbidden_update(factory, admin) - assert_admin_forbidden_destroy(factory, admin) - else + if admin.superuser? || permission_ids.include?("admin_manage") assert_admin_permitted_create(factory, admin) assert_admin_permitted_update(factory, admin) assert_admin_permitted_destroy(factory, admin) + else + assert_admin_forbidden_create(factory, admin) + assert_admin_forbidden_update(factory, admin) + assert_admin_forbidden_destroy(factory, admin) end end diff --git a/test/apis/v1/users/test_admin_permissions.rb b/test/apis/v1/users/test_admin_permissions.rb new file mode 100644 index 000000000..12ee0c31a --- /dev/null +++ b/test/apis/v1/users/test_admin_permissions.rb 
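Review bot: `refute_includes("Private notes", response.body)` at the end of the new `test_notes_only_visible_to_admin_managers_and_superusers` has its arguments reversed: Minitest's `refute_includes(collection, obj)` checks `collection.include?(obj)`, so this asks whether the whole JSON body is a substring of the literal and passes whether or not the notes leaked. It should read `refute_includes(response.body, "Private notes")`, which together with the preceding `refute_includes(data.fetch("admin").keys, "notes")` gives a real non-leak check. The test only exercises the show endpoint; if the index listing serializes admins through a different path than the one changed in admin.lua, a second request to `/api-umbrella/v1/admins.json` as the viewer admin with the same body check would close that gap.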
@@ -0,0 +1,161 @@ +require_relative "../../../test_helper" + +class Test::Apis::V1::Users::TestAdminPermissions < Minitest::Test + include ApiUmbrellaTestHelpers::AdminAuth + include ApiUmbrellaTestHelpers::AdminPermissions + include ApiUmbrellaTestHelpers::Setup + + def setup + super + setup_server + end + + def test_default_admin_view_permissions + factory = :api_user + assert_default_admin_permissions(factory, :required_permissions => ["user_view"], :scopes_irrelevant => true) + end + + def test_default_admin_manage_permissions + factory = :api_user + assert_default_admin_permissions(factory, :required_permissions => ["user_view", "user_manage"], :scopes_irrelevant => true) + end + + private + + def assert_admin_permitted(factory, admin) + assert_admin_permitted_index(factory, admin) + assert_admin_permitted_show(factory, admin) + permission_ids = admin.groups.map { |group| group.permission_ids }.flatten.uniq + if admin.superuser? || permission_ids.include?("user_manage") + assert_admin_permitted_create(factory, admin) + assert_admin_permitted_update(factory, admin) + else + assert_admin_forbidden_create(factory, admin) + assert_admin_forbidden_update(factory, admin) + end + assert_no_destroy(factory, admin) + end + + def assert_admin_forbidden(factory, admin) + assert_admin_forbidden_index(factory, admin) + assert_admin_forbidden_show(factory, admin) + assert_admin_forbidden_create(factory, admin) + assert_admin_forbidden_update(factory, admin) + assert_no_destroy(factory, admin) + end + + def assert_admin_permitted_index(factory, admin) + record = FactoryBot.create(factory) + response = Typhoeus.get("https://127.0.0.1:9081/api-umbrella/v1/users.json", http_options.deep_merge(admin_token(admin))) + + assert_response_code(200, response) + data = MultiJson.load(response.body) + record_ids = data["data"].map { |r| r["id"] } + assert_includes(record_ids, record.id) + end + + def assert_admin_forbidden_index(factory, admin, role_based_error: false) + record = 
FactoryBot.create(factory) + response = Typhoeus.get("https://127.0.0.1:9081/api-umbrella/v1/users.json", http_options.deep_merge(admin_token(admin))) + + assert_response_code(200, response) + data = MultiJson.load(response.body) + record_ids = data["data"].map { |r| r["id"] } + refute_includes(record_ids, record.id) + end + + def assert_admin_permitted_show(factory, admin) + record = FactoryBot.create(factory) + response = Typhoeus.get("https://127.0.0.1:9081/api-umbrella/v1/users/#{record.id}.json", http_options.deep_merge(admin_token(admin))) + + assert_response_code(200, response) + data = MultiJson.load(response.body) + assert_equal(["user"], data.keys) + end + + def assert_admin_forbidden_show(factory, admin, role_based_error: false) + record = FactoryBot.create(factory) + response = Typhoeus.get("https://127.0.0.1:9081/api-umbrella/v1/users/#{record.id}.json", http_options.deep_merge(admin_token(admin))) + + assert_response_code(403, response) + data = MultiJson.load(response.body) + assert_equal(["errors"], data.keys) + end + + def assert_admin_permitted_create(factory, admin) + attributes = FactoryBot.attributes_for(factory).deep_stringify_keys + initial_count = active_count + response = Typhoeus.post("https://127.0.0.1:9081/api-umbrella/v1/users.json", http_options.deep_merge(admin_token(admin)).deep_merge({ + :headers => { "Content-Type" => "application/json" }, + :body => MultiJson.dump(:user => attributes), + })) + + assert_response_code(201, response) + data = MultiJson.load(response.body) + refute_nil(data["user"]["first_name"]) + assert_equal(attributes["first_name"], data["user"]["first_name"]) + assert_equal(1, active_count - initial_count) + end + + def assert_admin_forbidden_create(factory, admin, role_based_error: false) + attributes = FactoryBot.attributes_for(factory).deep_stringify_keys + initial_count = active_count + response = Typhoeus.post("https://127.0.0.1:9081/api-umbrella/v1/users.json", 
http_options.deep_merge(admin_token(admin)).deep_merge({ + :headers => { "Content-Type" => "application/json" }, + :body => MultiJson.dump(:user => attributes), + })) + + assert_response_code(403, response) + data = MultiJson.load(response.body) + assert_equal(["errors"], data.keys) + assert_equal(0, active_count - initial_count) + end + + def assert_admin_permitted_update(factory, admin) + record = FactoryBot.create(factory) + + attributes = record.serializable_hash + attributes["first_name"] += rand(999_999).to_s + response = Typhoeus.put("https://127.0.0.1:9081/api-umbrella/v1/users/#{record.id}.json", http_options.deep_merge(admin_token(admin)).deep_merge({ + :headers => { "Content-Type" => "application/json" }, + :body => MultiJson.dump(:user => attributes), + })) + + assert_response_code(200, response) + record = ApiUser.find(record.id) + refute_nil(record.first_name) + assert_equal(attributes["first_name"], record.first_name) + end + + def assert_admin_forbidden_update(factory, admin, role_based_error: false) + record = FactoryBot.create(factory) + + attributes = record.serializable_hash + attributes["first_name"] += rand(999_999).to_s + response = Typhoeus.put("https://127.0.0.1:9081/api-umbrella/v1/users/#{record.id}.json", http_options.deep_merge(admin_token(admin)).deep_merge({ + :headers => { "Content-Type" => "application/json" }, + :body => MultiJson.dump(:user => attributes), + })) + + assert_response_code(403, response) + data = MultiJson.load(response.body) + assert_equal(["errors"], data.keys) + + record = ApiUser.find(record.id) + refute_nil(record.first_name) + refute_equal(attributes["first_name"], record.first_name) + end + + def assert_no_destroy(factory, admin) + record = FactoryBot.create(factory) + initial_count = active_count + response = Typhoeus.delete("https://127.0.0.1:9081/api-umbrella/v1/users/#{record.id}.json", http_options.deep_merge(admin_token(admin))) + + assert_response_code(404, response) + assert_equal(0, active_count - 
initial_count) + end + + def active_count + ApiUser.count + end +end diff --git a/test/apis/v1/users/test_permissions.rb b/test/apis/v1/users/test_permissions.rb index 2217f4c1c..883d6a88f 100644 --- a/test/apis/v1/users/test_permissions.rb +++ b/test/apis/v1/users/test_permissions.rb @@ -374,14 +374,6 @@ def assert_admin_forbidden_update(api_key, admin, role_based_error: false) refute_equal(attributes["first_name"], record.first_name) end - def assert_admin_permitted_destroy(api_key, admin) - record = FactoryBot.create(:api_user) - initial_count = active_count - response = Typhoeus.delete("https://127.0.0.1:9081/api-umbrella/v1/users/#{record.id}.json", http_options(api_key, admin)) - assert_response_code(204, response) - assert_equal(-1, active_count - initial_count) - end - def assert_no_destroy(api_key, admin) record = FactoryBot.create(:api_user) initial_count = active_count diff --git a/test/support/api_umbrella_test_helpers/admin_permissions.rb b/test/support/api_umbrella_test_helpers/admin_permissions.rb index 8fd5af1b0..b5a2932db 100644 --- a/test/support/api_umbrella_test_helpers/admin_permissions.rb +++ b/test/support/api_umbrella_test_helpers/admin_permissions.rb @@ -14,6 +14,9 @@ def assert_default_admin_permissions(factory, options) if options[:required_permissions] == ["admin_view"] options[:except_required_permissions] -= ["admin_manage"] end + if options[:required_permissions] == ["user_view"] + options[:except_required_permissions] -= ["user_manage"] + end assert_as_superuser(factory, options) assert_as_localhost_prefix_full_admin(factory, options) 
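Review bot: `assert_admin_forbidden_index` in the new users test file expects a 200 with the created record merely absent from `data["data"]`, while `assert_admin_forbidden_show` two methods later expects a 403; the asymmetry is presumably deliberate for a filtered listing, but it reads like a mistake without a comment such as `# The users index is filtered rather than rejected for unauthorized admins: expect 200 and no visibility of the record.` The `role_based_error:` keyword is accepted by the four `assert_admin_forbidden_*` helpers and read by none of them; if the shared AdminPermissions helper never passes it for this file it can be dropped, otherwise a comment noting it is kept for interface compatibility would help. `assert_no_destroy` asserts 404, which I take to mean there is no delete route for users; saying so in a one-line comment would stop the next reader from mistaking it for an authorization failure.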
@@ -68,7 +71,11 @@ def assert_as_localhost_sub_prefix_full_admin(factory, options) ApiScope.find_or_create_by_instance!(FactoryBot.build(:localhost_root_api_scope, :path_prefix => "/z")), ]), ]) - assert_admin_forbidden(factory, admin) + if options[:scopes_irrelevant] + assert_admin_permitted(factory, admin) + else + assert_admin_forbidden(factory, admin) + end end def assert_as_google_prefix_full_admin(factory, options) @@ -119,7 +126,11 @@ def assert_as_google_sub_prefix_full_admin(factory, options) ApiScope.find_or_create_by_instance!(FactoryBot.build(:google_api_scope, :path_prefix => "/googlez")), ]), ]) - assert_admin_forbidden(factory, admin) + if options[:scopes_irrelevant] + assert_admin_permitted(factory, admin) + else + assert_admin_forbidden(factory, admin) + end end def assert_as_localhost_incomplete_host_full_admin(factory, options) @@ -128,7 +139,11 @@ def assert_as_localhost_incomplete_host_full_admin(factory, options) ApiScope.find_or_create_by_instance!(FactoryBot.build(:localhost_root_api_scope, :host => "localhos")), ]), ]) - assert_admin_forbidden(factory, admin) + if options[:scopes_irrelevant] + assert_admin_permitted(factory, admin) + else + assert_admin_forbidden(factory, admin) + end end def assert_as_localhost_trailing_host_full_admin(factory, options) @@ -137,7 +152,11 @@ def assert_as_localhost_trailing_host_full_admin(factory, options) ApiScope.find_or_create_by_instance!(FactoryBot.build(:localhost_root_api_scope, :host => "localhostz")), ]), ]) - assert_admin_forbidden(factory, admin) + if options[:scopes_irrelevant] + assert_admin_permitted(factory, admin) + else + assert_admin_forbidden(factory, admin) + end end def assert_as_google_incomplete_host_full_admin(factory, options) 
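Review bot: The four-line `if options[:scopes_irrelevant] ... else ... end` block is pasted into seven call sites in this file (the four hunks on this line and the three on the next), each replacing a single `assert_admin_forbidden(factory, admin)`; a small helper taking `options` would make each site a one-liner again and give the option a single place to be documented. The helper's comment matters because `scopes_irrelevant` inverts the expected outcome for scope-mismatched admins, so it must only be passed for resources that genuinely have no scope restriction (here the users API), otherwise a scope bypass would pass the suite unnoticed. Each call site then becomes `assert_scope_mismatch(factory, admin, options)`.

```ruby
  # Admins whose scopes do not cover the record: unscoped resources
  # (options[:scopes_irrelevant]) must still be permitted, everything
  # else must be forbidden. Only pass scopes_irrelevant for resources
  # that have no scope restriction at all.
  def assert_scope_mismatch(factory, admin, options)
    if options[:scopes_irrelevant]
      assert_admin_permitted(factory, admin)
    else
      assert_admin_forbidden(factory, admin)
    end
  end
  # … unchanged: the assert_as_* methods, each calling assert_scope_mismatch(factory, admin, options) …
```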
@@ -146,7 +165,11 @@ def assert_as_google_incomplete_host_full_admin(factory, options) ApiScope.find_or_create_by_instance!(FactoryBot.build(:google_api_scope, :host => "localhos")), ]), ]) - assert_admin_forbidden(factory, admin) + if options[:scopes_irrelevant] + assert_admin_permitted(factory, admin) + else + assert_admin_forbidden(factory, admin) + end end def assert_as_google_trailing_host_full_admin(factory, options) @@ -155,7 +178,11 @@ def assert_as_google_trailing_host_full_admin(factory, options) ApiScope.find_or_create_by_instance!(FactoryBot.build(:google_api_scope, :host => "localhostz")), ]), ]) - assert_admin_forbidden(factory, admin) + if options[:scopes_irrelevant] + assert_admin_permitted(factory, admin) + else + assert_admin_forbidden(factory, admin) + end end def assert_overlapping_scopes_as_localhost_and_google_full_admin(factory, options) @@ -210,7 +237,11 @@ def assert_overlapping_scopes_as_yahoo_full_admin(factory, options) ApiScope.find_or_create_by_instance!(FactoryBot.build(:yahoo_api_scope)), ]), ]) - assert_admin_forbidden(factory, admin) + if options[:scopes_irrelevant] + assert_admin_permitted(factory, admin) + else + assert_admin_forbidden(factory, admin) + end end end end