Add tighter control on project owner management (#3194)

sillsdev · Oct 7, 2024 · f36a699 · f36a699
1 parent f34f053
commit f36a699
Show file tree

Hide file tree

Showing 5 changed files with 445 additions and 36 deletions.
diff --git a/Backend.Tests/Controllers/UserRoleControllerTests.cs b/Backend.Tests/Controllers/UserRoleControllerTests.cs
@@ -48,7 +48,12 @@ public async Task Setup()
             _projId = (await _projRepo.Create(new Project { Name = "UserRoleControllerTests" }))!.Id;
         }
 
-        private UserRole RandomUserRole(Role role = Role.Harvester)
+        private ProjectRole ProjectRoleInProj(Role role = Role.Harvester)
+        {
+            return new ProjectRole { ProjectId = _projId, Role = role };
+        }
+
+        private UserRole UserRoleInProj(Role role = Role.Harvester)
         {
             return new UserRole { ProjectId = _projId, Role = role };
         }
@@ -59,7 +64,7 @@ public async Task TestGetAllUserRoles()
             var roles = new List<Role> { Role.Harvester, Role.Editor, Role.Administrator };
             foreach (var role in roles)
             {
-                await _userRoleRepo.Create(RandomUserRole(role));
+                await _userRoleRepo.Create(UserRoleInProj(role));
             }
 
             var getResult = await _userRoleController.GetProjectUserRoles(_projId);
@@ -97,14 +102,14 @@ public async Task TestHasPermissionNotAuthorized()
         [Test]
         public async Task TestGetCurrentPermissions()
         {
-            var userRole = await _userRoleRepo.Create(RandomUserRole());
+            var userRole = await _userRoleRepo.Create(UserRoleInProj());
             var user = await _userRepo.Create(new User());
             _userRoleController.ControllerContext.HttpContext = PermissionServiceMock.HttpContextWithUserId(user!.Id);
             user.ProjectRoles[_projId] = userRole.Id;
             await _userRepo.Update(user.Id, user);
 
-            await _userRoleRepo.Create(RandomUserRole());
-            await _userRoleRepo.Create(RandomUserRole());
+            await _userRoleRepo.Create(UserRoleInProj());
+            await _userRoleRepo.Create(UserRoleInProj());
 
             var result = await _userRoleController.GetCurrentPermissions(_projId);
             Assert.That(result, Is.InstanceOf<ObjectResult>());
@@ -179,7 +184,7 @@ public async Task TestGetCurrentPermissionsNotAuthorized()
         [Test]
         public async Task TestCreateUserRole()
         {
-            var userRole = RandomUserRole();
+            var userRole = UserRoleInProj();
             var id = (string)((ObjectResult)await _userRoleController.CreateUserRole(_projId, userRole)).Value!;
             userRole.Id = id;
             Assert.That(await _userRoleRepo.GetAllUserRoles(_projId), Does.Contain(userRole));
@@ -188,7 +193,7 @@ public async Task TestCreateUserRole()
         [Test]
         public async Task TestCreateUserRolesMissingProject()
         {
-            var userRole = RandomUserRole();
+            var userRole = UserRoleInProj();
             var result = await _userRoleController.CreateUserRole(MissingId, userRole);
             Assert.That(result, Is.InstanceOf<NotFoundObjectResult>());
         }
@@ -197,20 +202,29 @@ public async Task TestCreateUserRolesMissingProject()
         public async Task TestCreateUserRolesNoPermission()
         {
             _userRoleController.ControllerContext.HttpContext = PermissionServiceMock.UnauthorizedHttpContext();
-            var userRole = await _userRoleRepo.Create(RandomUserRole());
+            var userRole = await _userRoleRepo.Create(UserRoleInProj());
             var result = await _userRoleController.CreateUserRole(_projId, userRole);
             Assert.That(result, Is.InstanceOf<ForbidResult>());
         }
 
+        [Test]
+        public async Task TestCreateUserRolesSecondOwner()
+        {
+            var firstOwner = await _userRoleController.CreateUserRole(_projId, UserRoleInProj(Role.Owner));
+            Assert.That(firstOwner, Is.InstanceOf<OkObjectResult>());
+            var secondOwner = await _userRoleController.CreateUserRole(_projId, UserRoleInProj(Role.Owner));
+            Assert.That(secondOwner, Is.InstanceOf<ForbidResult>());
+        }
+
         [Test]
         public async Task TestUpdateUserRole()
         {
-            var userRole = RandomUserRole(Role.Harvester);
+            var userRole = UserRoleInProj(Role.Harvester);
             await _userRoleRepo.Create(userRole);
             var user = new User { ProjectRoles = { [_projId] = userRole.Id } };
             var userId = (await _userRepo.Create(user))!.Id;
             _userRoleController.ControllerContext.HttpContext = PermissionServiceMock.HttpContextWithUserId(userId);
-            var projectRole = new ProjectRole { ProjectId = _projId, Role = Role.Editor };
+            var projectRole = ProjectRoleInProj(Role.Editor);
             await _userRoleController.UpdateUserRole(userId, projectRole);
             var result = await _userRoleController.GetCurrentPermissions(_projId);
 
@@ -226,21 +240,20 @@ public async Task TestUpdateUserRole()
         [Test]
         public async Task TestUpdateUserRoleNoChange()
         {
-            var userRole = RandomUserRole(Role.Harvester);
+            var userRole = UserRoleInProj(Role.Harvester);
             await _userRoleRepo.Create(userRole);
             var user = new User { ProjectRoles = { [_projId] = userRole.Id } };
             var userId = (await _userRepo.Create(user))!.Id;
             _userRoleController.ControllerContext.HttpContext = PermissionServiceMock.HttpContextWithUserId(userId);
-            var projectRole = new ProjectRole { ProjectId = _projId, Role = userRole.Role };
-            var result = await _userRoleController.UpdateUserRole(userId, projectRole);
+            var result = await _userRoleController.UpdateUserRole(userId, ProjectRoleInProj(userRole.Role));
             Assert.That(((ObjectResult)result).StatusCode, Is.EqualTo(StatusCodes.Status304NotModified));
         }
 
         [Test]
         public async Task TestCreateNewUpdateUserRole()
         {
             var userId = (await _userRepo.Create(new User()))!.Id;
-            var projectRole = new ProjectRole { ProjectId = _projId, Role = Role.Editor };
+            var projectRole = ProjectRoleInProj(Role.Editor);
             var updateResult = await _userRoleController.UpdateUserRole(userId, projectRole);
             var newUserRoleId = (string)((OkObjectResult)updateResult).Value!;
             _userRoleController.ControllerContext.HttpContext = PermissionServiceMock.HttpContextWithUserId(userId);
@@ -258,12 +271,11 @@ public async Task TestCreateNewUpdateUserRole()
         [Test]
         public async Task TestUpdateUserRolesMissingIds()
         {
-            var projectRole = new ProjectRole { ProjectId = _projId, Role = Role.Editor };
-
+            var projectRole = ProjectRoleInProj(Role.Editor);
             var missingUserIdResult = await _userRoleController.UpdateUserRole(MissingId, projectRole);
             Assert.That(missingUserIdResult, Is.InstanceOf<NotFoundObjectResult>());
 
-            var userRoleId = (await _userRoleRepo.Create(RandomUserRole(Role.Harvester))).Id;
+            var userRoleId = (await _userRoleRepo.Create(UserRoleInProj(Role.Harvester))).Id;
             projectRole.ProjectId = MissingId;
             var missingProjIdResult = await _userRoleController.UpdateUserRole(userRoleId, projectRole);
             Assert.That(missingProjIdResult, Is.InstanceOf<NotFoundObjectResult>());
@@ -273,15 +285,35 @@ public async Task TestUpdateUserRolesMissingIds()
         public async Task TestUpdateUserRolesNoPermission()
         {
             _userRoleController.ControllerContext.HttpContext = PermissionServiceMock.UnauthorizedHttpContext();
-            var userRoleId = (await _userRoleRepo.Create(RandomUserRole(Role.Harvester))).Id;
-            var result = await _userRoleController.UpdateUserRole(userRoleId, new ProjectRole());
+            var userRoleId = (await _userRoleRepo.Create(UserRoleInProj(Role.Harvester))).Id;
+            var result = await _userRoleController.UpdateUserRole(userRoleId, ProjectRoleInProj());
+            Assert.That(result, Is.InstanceOf<ForbidResult>());
+        }
+
+        [Test]
+        public async Task TestUpdateUserRolesToOwner()
+        {
+            var userRoleId = (await _userRoleRepo.Create(UserRoleInProj(Role.Administrator))).Id;
+            var user = new User { ProjectRoles = { [_projId] = userRoleId } };
+            var userId = (await _userRepo.Create(user))!.Id;
+            var result = await _userRoleController.UpdateUserRole(userId, ProjectRoleInProj(Role.Owner));
+            Assert.That(result, Is.InstanceOf<ForbidResult>());
+        }
+
+        [Test]
+        public async Task TestUpdateUserRolesFromOwner()
+        {
+            var userRoleId = (await _userRoleRepo.Create(UserRoleInProj(Role.Owner))).Id;
+            var user = new User { ProjectRoles = { [_projId] = userRoleId } };
+            var userId = (await _userRepo.Create(user))!.Id;
+            var result = await _userRoleController.UpdateUserRole(userId, ProjectRoleInProj(Role.Administrator));
             Assert.That(result, Is.InstanceOf<ForbidResult>());
         }
 
         [Test]
         public async Task TestDeleteUserRole()
         {
-            var userRole = RandomUserRole();
+            var userRole = UserRoleInProj();
             await _userRoleRepo.Create(userRole);
             var user = new User { ProjectRoles = { [_projId] = userRole.Id } };
             var userId = (await _userRepo.Create(user))!.Id;
@@ -305,16 +337,30 @@ public async Task TestDeleteUserRole()
         public async Task TestDeleteUserRoleNoPermission()
         {
             _userRoleController.ControllerContext.HttpContext = PermissionServiceMock.UnauthorizedHttpContext();
-            var userRole = await _userRoleRepo.Create(RandomUserRole());
-            var result = await _userRoleController.DeleteUserRole(_projId, userRole.Id);
+            var userRole = await _userRoleRepo.Create(UserRoleInProj());
+            var user = new User { ProjectRoles = { [_projId] = userRole.Id } };
+            var userId = (await _userRepo.Create(user))!.Id;
+            var result = await _userRoleController.DeleteUserRole(_projId, userId);
+            Assert.That(result, Is.InstanceOf<ForbidResult>());
+        }
+
+        [Test]
+        public async Task TestDeleteUserRoleOwner()
+        {
+            var userRole = await _userRoleRepo.Create(UserRoleInProj(Role.Owner));
+            var user = new User { ProjectRoles = { [_projId] = userRole.Id } };
+            var userId = (await _userRepo.Create(user))!.Id;
+            var result = await _userRoleController.DeleteUserRole(_projId, userId);
             Assert.That(result, Is.InstanceOf<ForbidResult>());
         }
 
         [Test]
         public async Task TestDeleteUserRoleMissingIds()
         {
-            var userRole = await _userRoleRepo.Create(RandomUserRole());
-            var projectResult = await _userRoleController.DeleteUserRole(MissingId, userRole.Id);
+            var userRole = await _userRoleRepo.Create(UserRoleInProj());
+            var user = new User { ProjectRoles = { [_projId] = userRole.Id } };
+            var userId = (await _userRepo.Create(user))!.Id;
+            var projectResult = await _userRoleController.DeleteUserRole(MissingId, userId);
             Assert.That(projectResult, Is.InstanceOf<NotFoundObjectResult>());
 
             var wordResult = await _userRoleController.DeleteUserRole(_projId, MissingId);
@@ -324,9 +370,9 @@ public async Task TestDeleteUserRoleMissingIds()
         [Test]
         public async Task TestDeleteAllUserRoles()
         {
-            await _userRoleRepo.Create(RandomUserRole());
-            await _userRoleRepo.Create(RandomUserRole());
-            await _userRoleRepo.Create(RandomUserRole());
+            await _userRoleRepo.Create(UserRoleInProj());
+            await _userRoleRepo.Create(UserRoleInProj());
+            await _userRoleRepo.Create(UserRoleInProj());
 
             Assert.That(await _userRoleRepo.GetAllUserRoles(_projId), Has.Count.EqualTo(3));
 
@@ -348,5 +394,98 @@ public async Task TestDeleteAllUserRolesNoPermission()
             var result = await _userRoleController.DeleteProjectUserRoles(_projId);
             Assert.That(result, Is.InstanceOf<ForbidResult>());
         }
+
+        [Test]
+        public async Task TestChangeOwnerNoPermission()
+        {
+            _userRoleController.ControllerContext.HttpContext = PermissionServiceMock.UnauthorizedHttpContext();
+            var oldRole = await _userRoleRepo.Create(UserRoleInProj(Role.Owner));
+            var oldOwner = new User { ProjectRoles = { [_projId] = oldRole.Id } };
+            var oldId = (await _userRepo.Create(oldOwner))!.Id;
+            var newId = (await _userRepo.Create(new()))!.Id;
+
+            var result = await _userRoleController.ChangeOwner(_projId, oldId, newId);
+            Assert.That(result, Is.InstanceOf<ForbidResult>());
+        }
+
+        [Test]
+        public async Task TestChangeOwnerSameId()
+        {
+            var oldRole = await _userRoleRepo.Create(UserRoleInProj(Role.Owner));
+            var oldOwner = new User { ProjectRoles = { [_projId] = oldRole.Id } };
+            var oldId = (await _userRepo.Create(oldOwner))!.Id;
+            var newId = (await _userRepo.Create(new()))!.Id;
+
+            var result = await _userRoleController.ChangeOwner(_projId, oldId, oldId);
+            Assert.That(result, Is.InstanceOf<BadRequestObjectResult>());
+
+            result = await _userRoleController.ChangeOwner(_projId, newId, newId);
+            Assert.That(result, Is.InstanceOf<BadRequestObjectResult>());
+        }
+
+        [Test]
+        public async Task TestChangeOwnerMissingProjectOrUser()
+        {
+            var oldRole = await _userRoleRepo.Create(UserRoleInProj(Role.Owner));
+            var oldOwner = new User { ProjectRoles = { [_projId] = oldRole.Id } };
+            var oldId = (await _userRepo.Create(oldOwner))!.Id;
+            var newId = (await _userRepo.Create(new()))!.Id;
+
+            var result = await _userRoleController.ChangeOwner(MissingId, oldId, newId);
+            Assert.That(result, Is.InstanceOf<NotFoundObjectResult>());
+
+            result = await _userRoleController.ChangeOwner(_projId, MissingId, newId);
+            Assert.That(result, Is.InstanceOf<NotFoundObjectResult>());
+
+            result = await _userRoleController.ChangeOwner(_projId, oldId, MissingId);
+            Assert.That(result, Is.InstanceOf<NotFoundObjectResult>());
+        }
+
+        [Test]
+        public async Task TestChangeOwnerOldUserNotOwner()
+        {
+            var oldRole = await _userRoleRepo.Create(UserRoleInProj(Role.Editor));
+            var oldEditor = new User { ProjectRoles = { [_projId] = oldRole.Id } };
+            var oldEditorId = (await _userRepo.Create(oldEditor))!.Id;
+            var oldOtherId = (await _userRepo.Create(new()))!.Id;
+            var newId = (await _userRepo.Create(new()))!.Id;
+
+            var result = await _userRoleController.ChangeOwner(_projId, oldEditorId, newId);
+            Assert.That(result, Is.InstanceOf<BadRequestObjectResult>());
+
+            result = await _userRoleController.ChangeOwner(_projId, oldOtherId, newId);
+            Assert.That(result, Is.InstanceOf<BadRequestObjectResult>());
+        }
+
+        [Test]
+        public async Task TestChangeOwnerNewRole()
+        {
+            var oldRole = await _userRoleRepo.Create(UserRoleInProj(Role.Owner));
+            var oldOwner = new User { ProjectRoles = { [_projId] = oldRole.Id } };
+            var oldId = (await _userRepo.Create(oldOwner))!.Id;
+            var newId = (await _userRepo.Create(new()))!.Id;
+
+            var result = await _userRoleController.ChangeOwner(_projId, oldId, newId);
+            Assert.That(result, Is.InstanceOf<OkObjectResult>());
+            Assert.That((await _userRoleRepo.GetUserRole(_projId, oldRole.Id))?.Role, Is.EqualTo(Role.Administrator));
+            var newRoleId = (await _userRepo.GetUser(newId))!.ProjectRoles[_projId];
+            Assert.That((await _userRoleRepo.GetUserRole(_projId, newRoleId))?.Role, Is.EqualTo(Role.Owner));
+        }
+
+        [Test]
+        public async Task TestChangeOwnerUpdateRole()
+        {
+            var oldRole = await _userRoleRepo.Create(UserRoleInProj(Role.Owner));
+            var oldOwner = new User { ProjectRoles = { [_projId] = oldRole.Id } };
+            var oldId = (await _userRepo.Create(oldOwner))!.Id;
+            var newRole = await _userRoleRepo.Create(UserRoleInProj());
+            var newOwner = new User { ProjectRoles = { [_projId] = newRole.Id } };
+            var newId = (await _userRepo.Create(newOwner))!.Id;
+
+            var result = await _userRoleController.ChangeOwner(_projId, oldId, newId);
+            Assert.That(result, Is.InstanceOf<OkObjectResult>());
+            Assert.That((await _userRoleRepo.GetUserRole(_projId, oldRole.Id))?.Role, Is.EqualTo(Role.Administrator));
+            Assert.That((await _userRoleRepo.GetUserRole(_projId, newRole.Id))?.Role, Is.EqualTo(Role.Owner));
+        }
     }
 }