Add test for non-authorized samples

ELIXIR-Belgium · Jun 26, 2024 · 4c533ba · 4c533ba
1 parent 4b6080e
commit 4c533ba
Showing 1 changed file with 29 additions and 6 deletions.
diff --git a/test/functional/assays_controller_test.rb b/test/functional/assays_controller_test.rb
@@ -2183,26 +2183,49 @@ def check_fixtures_for_authorization_of_sops_and_datafiles_links
     with_config_value(:isa_json_compliance_enabled, true) do
       person = FactoryBot.create(:person)
       other_person = FactoryBot.create(:person)
-      project = person.projects.first
       investigation = FactoryBot.create(:investigation, is_isa_json_compliant: true, contributor: person)
       study = FactoryBot.create(:isa_json_compliant_study, investigation: )
       assay_stream = FactoryBot.create(:assay_stream, study: , contributor: person, position: 0)
 
       authorized_child_assay = FactoryBot.create(:assay, contributor: person, study: , assay_stream:, position: 0)
-      unauthorized_child_assay = FactoryBot.create(:assay, contributor: other_person, study: , assay_stream:, position: 1)
 
       login_as(person)
-      refute unauthorized_child_assay.can_manage?
       refute authorized_child_assay.can_manage?(other_person)
       patch :manage_update, params: { id: assay_stream, propagate_permissions: '1', assay: {creator_ids: [other_person.id]}, policy_attributes: {access_type: Policy::NO_ACCESS, permissions_attributes: {'1' => {contributor_type: 'Person', contributor_id: other_person.id, access_type: Policy::MANAGING}}}}
 
+      # assert that the permissions of the authorized assay were propagated
+      # other_person should see the assay stream and the authorized assay
+      assay_stream.reload
+      assert assay_stream.can_manage?(other_person)
+      authorized_child_assay.reload
+      assert authorized_child_assay.can_manage?(other_person)
+    end
+  end
+
+  test 'should not propagate assay stream permissions when not authorized' do
+    with_config_value(:isa_json_compliance_enabled, true) do
+      person = FactoryBot.create(:person)
+      second_person = FactoryBot.create(:person)
+      third_person = FactoryBot.create(:person)
+
+      investigation = FactoryBot.create(:investigation, is_isa_json_compliant: true, contributor: person)
+      study = FactoryBot.create(:isa_json_compliant_study, investigation: )
+      assay_stream = FactoryBot.create(:assay_stream, study: , contributor: person, position: 0)
+      unauthorized_child_assay = FactoryBot.create(:assay, contributor: second_person, study: , assay_stream:, position: 0)
+
+      login_as(person)
+      patch :manage_update, params: { id: assay_stream, propagate_permissions: '1', assay: {creator_ids: [third_person.id]}, policy_attributes: {access_type: Policy::NO_ACCESS, permissions_attributes: {'1' => {contributor_type: 'Person', contributor_id: third_person.id, access_type: Policy::MANAGING}}}}
+
       # assert the flash[:error] text. The permissions of the unauthorized assay should not be propagated
       assert flash[:error], "<ul><li>You do not have the necessary permissions to propagate permissions to #{t('assay').downcase} [#{unauthorized_child_assay.id}]: '#{unauthorized_child_assay.title}'</li></ul>"
       assert_redirected_to assay_path(assay_stream)
 
-      # assert that the permissions of the authorized assay were propagated
-      authorized_child_assay.reload
-      assert authorized_child_assay.can_manage?(other_person)
+      # assert that the permissions of the unauthorized assay were not propagated
+      # third_person should not see the unauthorized assay but still see the assay stream
+      assay_stream.reload
+      assert assay_stream.can_manage?(third_person)
+      unauthorized_child_assay.reload
+      refute unauthorized_child_assay.can_manage?(third_person)
     end
   end