def test_changing_archive_updates_permissions(): ai = ArchiveItemFactory() im = ImageFactory() civ = ComponentInterfaceValueFactory(image=im) with capture_on_commit_callbacks(execute=True): ai.values.set([civ]) assert get_groups_with_set_perms(im) == { ai.archive.editors_group: {"view_image"}, ai.archive.uploaders_group: {"view_image"}, ai.archive.users_group: {"view_image"}, } a2 = ArchiveFactory() ai.archive = a2 with capture_on_commit_callbacks(execute=True): ai.save() assert get_groups_with_set_perms(im) == { a2.editors_group: {"view_image"}, a2.uploaders_group: {"view_image"}, a2.users_group: {"view_image"}, }
def test_deleting_archive_item_removes_permissions(): ai1, ai2 = ArchiveItemFactory.create_batch(2) im = ImageFactory() civ = ComponentInterfaceValueFactory(image=im) with capture_on_commit_callbacks(execute=True): ai1.values.set([civ]) ai2.values.set([civ]) assert get_groups_with_set_perms(im) == { ai1.archive.editors_group: {"view_image"}, ai1.archive.uploaders_group: {"view_image"}, ai1.archive.users_group: {"view_image"}, ai2.archive.editors_group: {"view_image"}, ai2.archive.uploaders_group: {"view_image"}, ai2.archive.users_group: {"view_image"}, } with capture_on_commit_callbacks(execute=True): ai1.delete() assert get_groups_with_set_perms(im) == { ai2.archive.editors_group: {"view_image"}, ai2.archive.uploaders_group: {"view_image"}, ai2.archive.users_group: {"view_image"}, }
def test_related_permissions_assigned(client, reverse, factory, related_name, perm): org1, org2 = OrganizationFactory(), OrganizationFactory() obj1, obj2, obj3, obj4 = ( factory(), factory(), factory(), factory(), ) if reverse: for obj in [obj1, obj2, obj3, obj4]: obj.organizations.add(org1, org2) for obj in [obj3, obj4]: obj.organizations.remove(org1, org2) for obj in [obj1, obj2]: obj.organizations.remove(org2) else: getattr(org1, related_name).add(obj1, obj2, obj3, obj4) getattr(org1, related_name).remove(obj3, obj4) # We end up with org1 only being related to obj1 and obj2 expected_perms = { obj1: { org1.editors_group: {perm}, org1.members_group: {perm} }, obj2: { org1.editors_group: {perm}, org1.members_group: {perm} }, } for obj in [obj1, obj2, obj3, obj4]: for group in [ org1.editors_group, org1.members_group, org2.editors_group, org2.members_group, ]: assert get_groups_with_set_perms(obj).get( group) == expected_perms.get(obj, {}).get(group) # Test clearing if reverse: obj1.organizations.clear() obj2.organizations.clear() else: getattr(org1, related_name).clear() for obj in [obj1, obj2, obj3, obj4]: for group in [ org1.editors_group, org1.members_group, org2.editors_group, org2.members_group, ]: assert get_groups_with_set_perms(obj).get(group) is None
def test_job_permissions_for_challenge(self): ai = AlgorithmImageFactory(ready=True) archive = ArchiveFactory() evaluation = EvaluationFactory(submission__phase__archive=archive, submission__algorithm_image=ai) # Fake an image upload via a session u = UserFactory() s = UploadSessionFactory(creator=u) im = ImageFactory() s.image_set.set([im]) archive.images.set([im]) create_algorithm_jobs_for_evaluation(evaluation_pk=evaluation.pk) job = Job.objects.get() # Only the challenge admins and job viewers should be able to view the # job. NOTE: NOT THE ALGORITHM EDITORS, they are the participants # to the challenge and should not be able to see the test data assert get_groups_with_set_perms(job) == { evaluation.submission.phase.challenge.admins_group: {"view_job"}, job.viewers: {"view_job"}, } # No-one should be able to change the job assert (get_users_with_perms(job, attach_perms=True, with_group_users=False) == {}) # No-one should be in the viewers group assert {*job.viewers.user_set.all()} == set()
def test_job_permissions_for_archive(self): ai = AlgorithmImageFactory(ready=True) archive = ArchiveFactory() # Fake an image upload via a session u = UserFactory() s = UploadSessionFactory(creator=u) im = ImageFactory() s.image_set.set([im]) archive.images.set([im]) archive.algorithms.set([ai.algorithm]) create_algorithm_jobs_for_archive(archive_pks=[archive.pk]) job = Job.objects.get() # The archive editors, users and uploaders, algorithm editors and job # viewers should be able to view the job assert get_groups_with_set_perms(job) == { archive.editors_group: {"view_job"}, archive.users_group: {"view_job"}, archive.uploaders_group: {"view_job"}, ai.algorithm.editors_group: {"view_job"}, job.viewers: {"view_job"}, } # No-one should be able to change the job assert (get_users_with_perms(job, attach_perms=True, with_group_users=False) == {}) # No-one should be in the viewers group assert {*job.viewers.user_set.all()} == set()
def test_job_permissions_for_session(self): ai = AlgorithmImageFactory(ready=True) u = UserFactory() s = UploadSessionFactory(creator=u) im = ImageFactory() s.image_set.set([im]) create_algorithm_jobs_for_session(upload_session_pk=s.pk, algorithm_image_pk=ai.pk) job = Job.objects.get() # Editors and viewers should be able to view the job assert get_groups_with_set_perms(job) == { ai.algorithm.editors_group: {"view_job"}, job.viewers: {"view_job"}, } # The Session Creator should be able to change the job assert get_users_with_perms(job, attach_perms=True, with_group_users=False) == { u: ["change_job"] } # The only member of the viewers group should be the creator assert {*job.viewers.user_set.all()} == {u}
def test_archive_permissions(self, public): a: Archive = ArchiveFactory(public=public) expected_perms = { a.editors_group: { "view_archive", "use_archive", "upload_archive", "change_archive", }, a.uploaders_group: { "view_archive", "use_archive", "upload_archive", }, a.users_group: {"view_archive", "use_archive"}, } if public: reg_and_anon = Group.objects.get( name=settings.REGISTERED_AND_ANON_USERS_GROUP_NAME) expected_perms[reg_and_anon] = {"view_archive"} assert get_groups_with_set_perms(a) == expected_perms assert get_users_with_perms(a, with_group_users=False).count() == 0
def test_organization_permissions(self): o: Organization = OrganizationFactory() assert get_groups_with_set_perms(o) == { o.editors_group: {"change_organization"} } assert not get_users_with_perms(o, with_group_users=False).exists()
def test_deleting_display_set_removes_permissions(): ds1, ds2 = DisplaySetFactory.create_batch(2) im = ImageFactory() civ = ComponentInterfaceValueFactory(image=im) with capture_on_commit_callbacks(execute=True): ds1.values.set([civ]) ds2.values.set([civ]) assert get_groups_with_set_perms(im) == { ds1.reader_study.editors_group: {"view_image"}, ds1.reader_study.readers_group: {"view_image"}, ds2.reader_study.editors_group: {"view_image"}, ds2.reader_study.readers_group: {"view_image"}, } with capture_on_commit_callbacks(execute=True): ds1.delete() assert get_groups_with_set_perms(im) == { ds2.reader_study.editors_group: {"view_image"}, ds2.reader_study.readers_group: {"view_image"}, }
def test_changing_reader_study_updates_permissions(): ds = DisplaySetFactory() im = ImageFactory() civ = ComponentInterfaceValueFactory(image=im) with capture_on_commit_callbacks(execute=True): ds.values.set([civ]) assert get_groups_with_set_perms(im) == { ds.reader_study.editors_group: {"view_image"}, ds.reader_study.readers_group: {"view_image"}, } rs = ReaderStudyFactory(use_display_sets=False) ds.reader_study = rs with capture_on_commit_callbacks(execute=True): ds.save() assert get_groups_with_set_perms(im) == { rs.editors_group: {"view_image"}, rs.readers_group: {"view_image"}, }
def test_archive_item_permissions_signal(client, reverse): # noqa: C901 ai1, ai2 = ArchiveItemFactory.create_batch(2) im1, im2, im3, im4 = ImageFactory.create_batch(4) civ1, civ2, civ3, civ4 = ( ComponentInterfaceValueFactory(image=im1), ComponentInterfaceValueFactory(image=im2), ComponentInterfaceValueFactory(image=im3), ComponentInterfaceValueFactory(image=im4), ) with capture_on_commit_callbacks(execute=True): if reverse: for civ in [civ1, civ2, civ3, civ4]: civ.archive_items.add(ai1, ai2) for civ in [civ3, civ4]: civ.archive_items.remove(ai1, ai2) for civ in [civ1, civ2]: civ.archive_items.remove(ai2) else: # Test that adding images works ai1.values.add(civ1, civ2, civ3, civ4) # Test that removing images works ai1.values.remove(civ3, civ4) assert get_groups_with_set_perms(im1) == { ai1.archive.editors_group: {"view_image"}, ai1.archive.uploaders_group: {"view_image"}, ai1.archive.users_group: {"view_image"}, } assert get_groups_with_set_perms(im2) == { ai1.archive.editors_group: {"view_image"}, ai1.archive.uploaders_group: {"view_image"}, ai1.archive.users_group: {"view_image"}, } assert get_groups_with_set_perms(im3) == {} assert get_groups_with_set_perms(im4) == {} # Test clearing with capture_on_commit_callbacks(execute=True): if reverse: civ1.archive_items.clear() civ2.archive_items.clear() else: ai1.values.clear() assert get_groups_with_set_perms(im1) == {} assert get_groups_with_set_perms(im2) == {}
def test_job_permissions_for_challenge(self): ai = AlgorithmImageFactory(ready=True) archive = ArchiveFactory() evaluation = EvaluationFactory(submission__phase__archive=archive, submission__algorithm_image=ai) # Fake an image upload via a session u = UserFactory() s = UploadSessionFactory(creator=u) im = ImageFactory() s.image_set.set([im]) civ = ComponentInterfaceValueFactory( image=im, interface=ai.algorithm.inputs.get()) archive_item = ArchiveItemFactory(archive=archive) with capture_on_commit_callbacks(execute=True): archive_item.values.add(civ) create_algorithm_jobs_for_evaluation(evaluation_pk=evaluation.pk) job = Job.objects.get() # Only the challenge admins and job viewers should be able to view the # job and logs. # NOTE: NOT THE *ALGORITHM* EDITORS, they are the participants # to the challenge and should not be able to see the test data assert get_groups_with_set_perms(job) == { evaluation.submission.phase.challenge.admins_group: { "view_job", "view_logs", }, job.viewers: {"view_job"}, } # No-one should be able to change the job assert (get_users_with_perms(job, attach_perms=True, with_group_users=False) == {}) # No-one should be in the viewers group assert {*job.viewers.user_set.all()} == set()
def test_display_set_permissions_signal(client, reverse): ds1, ds2 = DisplaySetFactory.create_batch(2) im1, im2, im3, im4 = ImageFactory.create_batch(4) civ1, civ2, civ3, civ4 = ( ComponentInterfaceValueFactory(image=im1), ComponentInterfaceValueFactory(image=im2), ComponentInterfaceValueFactory(image=im3), ComponentInterfaceValueFactory(image=im4), ) with capture_on_commit_callbacks(execute=True): if reverse: for civ in [civ1, civ2, civ3, civ4]: civ.display_sets.add(ds1, ds2) for civ in [civ3, civ4]: civ.display_sets.remove(ds1, ds2) for civ in [civ1, civ2]: civ.display_sets.remove(ds2) else: # Test that adding images works ds1.values.add(civ1, civ2, civ3, civ4) # Test that removing images works ds1.values.remove(civ3, civ4) assert get_groups_with_set_perms(im1) == { ds1.reader_study.editors_group: {"view_image"}, ds1.reader_study.readers_group: {"view_image"}, } assert get_groups_with_set_perms(im2) == { ds1.reader_study.editors_group: {"view_image"}, ds1.reader_study.readers_group: {"view_image"}, } assert get_groups_with_set_perms(im3) == {} assert get_groups_with_set_perms(im4) == {} # Test clearing with capture_on_commit_callbacks(execute=True): if reverse: civ1.display_sets.clear() civ2.display_sets.clear() else: ds1.values.clear() assert get_groups_with_set_perms(im1) == {} assert get_groups_with_set_perms(im2) == {}
def test_job_permissions_for_archive(self): ai = AlgorithmImageFactory(ready=True) archive = ArchiveFactory() # Fake an image upload via a session u = UserFactory() s = UploadSessionFactory(creator=u) im = ImageFactory() s.image_set.set([im]) civ = ComponentInterfaceValueFactory( image=im, interface=ai.algorithm.inputs.get()) archive_item = ArchiveItemFactory(archive=archive) with capture_on_commit_callbacks(execute=True): archive_item.values.add(civ) archive.algorithms.set([ai.algorithm]) create_algorithm_jobs_for_archive(archive_pks=[archive.pk]) job = Job.objects.get() # The archive editors, users and uploaders and job # viewers should be able to view the job. # NOTE: NOT THE ALGORITHM EDITORS, if they need # access the job can be shared with them. assert get_groups_with_set_perms(job) == { archive.editors_group: {"view_job"}, archive.users_group: {"view_job"}, archive.uploaders_group: {"view_job"}, job.viewers: {"view_job"}, } # No-one should be able to change the job assert (get_users_with_perms(job, attach_perms=True, with_group_users=False) == {}) # No-one should be in the viewers group assert {*job.viewers.user_set.all()} == set()