def test_changing_archive_updates_permissions():
ai = ArchiveItemFactory()
im = ImageFactory()
civ = ComponentInterfaceValueFactory(image=im)
with capture_on_commit_callbacks(execute=True):
ai.values.set([civ])
assert get_groups_with_set_perms(im) == {
ai.archive.editors_group: {"view_image"},
ai.archive.uploaders_group: {"view_image"},
ai.archive.users_group: {"view_image"},
}
a2 = ArchiveFactory()
ai.archive = a2
with capture_on_commit_callbacks(execute=True):
ai.save()
assert get_groups_with_set_perms(im) == {
a2.editors_group: {"view_image"},
a2.uploaders_group: {"view_image"},
a2.users_group: {"view_image"},
}
def test_deleting_archive_item_removes_permissions():
ai1, ai2 = ArchiveItemFactory.create_batch(2)
im = ImageFactory()
civ = ComponentInterfaceValueFactory(image=im)
with capture_on_commit_callbacks(execute=True):
ai1.values.set([civ])
ai2.values.set([civ])
assert get_groups_with_set_perms(im) == {
ai1.archive.editors_group: {"view_image"},
ai1.archive.uploaders_group: {"view_image"},
ai1.archive.users_group: {"view_image"},
ai2.archive.editors_group: {"view_image"},
ai2.archive.uploaders_group: {"view_image"},
ai2.archive.users_group: {"view_image"},
}
with capture_on_commit_callbacks(execute=True):
ai1.delete()
assert get_groups_with_set_perms(im) == {
ai2.archive.editors_group: {"view_image"},
ai2.archive.uploaders_group: {"view_image"},
ai2.archive.users_group: {"view_image"},
}
def test_related_permissions_assigned(client, reverse, factory, related_name,
perm):
org1, org2 = OrganizationFactory(), OrganizationFactory()
obj1, obj2, obj3, obj4 = (
factory(),
factory(),
factory(),
factory(),
)
if reverse:
for obj in [obj1, obj2, obj3, obj4]:
obj.organizations.add(org1, org2)
for obj in [obj3, obj4]:
obj.organizations.remove(org1, org2)
for obj in [obj1, obj2]:
obj.organizations.remove(org2)
else:
getattr(org1, related_name).add(obj1, obj2, obj3, obj4)
getattr(org1, related_name).remove(obj3, obj4)
# We end up with org1 only being related to obj1 and obj2
expected_perms = {
obj1: {
org1.editors_group: {perm},
org1.members_group: {perm}
},
obj2: {
org1.editors_group: {perm},
org1.members_group: {perm}
},
}
for obj in [obj1, obj2, obj3, obj4]:
for group in [
org1.editors_group,
org1.members_group,
org2.editors_group,
org2.members_group,
]:
assert get_groups_with_set_perms(obj).get(
group) == expected_perms.get(obj, {}).get(group)
# Test clearing
if reverse:
obj1.organizations.clear()
obj2.organizations.clear()
else:
getattr(org1, related_name).clear()
for obj in [obj1, obj2, obj3, obj4]:
for group in [
org1.editors_group,
org1.members_group,
org2.editors_group,
org2.members_group,
]:
assert get_groups_with_set_perms(obj).get(group) is None
def test_job_permissions_for_challenge(self):
ai = AlgorithmImageFactory(ready=True)
archive = ArchiveFactory()
evaluation = EvaluationFactory(submission__phase__archive=archive,
submission__algorithm_image=ai)
# Fake an image upload via a session
u = UserFactory()
s = UploadSessionFactory(creator=u)
im = ImageFactory()
s.image_set.set([im])
archive.images.set([im])
create_algorithm_jobs_for_evaluation(evaluation_pk=evaluation.pk)
job = Job.objects.get()
# Only the challenge admins and job viewers should be able to view the
# job. NOTE: NOT THE ALGORITHM EDITORS, they are the participants
# to the challenge and should not be able to see the test data
assert get_groups_with_set_perms(job) == {
evaluation.submission.phase.challenge.admins_group: {"view_job"},
job.viewers: {"view_job"},
}
# No-one should be able to change the job
assert (get_users_with_perms(job,
attach_perms=True,
with_group_users=False) == {})
# No-one should be in the viewers group
assert {*job.viewers.user_set.all()} == set()
def test_job_permissions_for_archive(self):
ai = AlgorithmImageFactory(ready=True)
archive = ArchiveFactory()
# Fake an image upload via a session
u = UserFactory()
s = UploadSessionFactory(creator=u)
im = ImageFactory()
s.image_set.set([im])
archive.images.set([im])
archive.algorithms.set([ai.algorithm])
create_algorithm_jobs_for_archive(archive_pks=[archive.pk])
job = Job.objects.get()
# The archive editors, users and uploaders, algorithm editors and job
# viewers should be able to view the job
assert get_groups_with_set_perms(job) == {
archive.editors_group: {"view_job"},
archive.users_group: {"view_job"},
archive.uploaders_group: {"view_job"},
ai.algorithm.editors_group: {"view_job"},
job.viewers: {"view_job"},
}
# No-one should be able to change the job
assert (get_users_with_perms(job,
attach_perms=True,
with_group_users=False) == {})
# No-one should be in the viewers group
assert {*job.viewers.user_set.all()} == set()
def test_job_permissions_for_session(self):
ai = AlgorithmImageFactory(ready=True)
u = UserFactory()
s = UploadSessionFactory(creator=u)
im = ImageFactory()
s.image_set.set([im])
create_algorithm_jobs_for_session(upload_session_pk=s.pk,
algorithm_image_pk=ai.pk)
job = Job.objects.get()
# Editors and viewers should be able to view the job
assert get_groups_with_set_perms(job) == {
ai.algorithm.editors_group: {"view_job"},
job.viewers: {"view_job"},
}
# The Session Creator should be able to change the job
assert get_users_with_perms(job,
attach_perms=True,
with_group_users=False) == {
u: ["change_job"]
}
# The only member of the viewers group should be the creator
assert {*job.viewers.user_set.all()} == {u}
def test_archive_permissions(self, public):
a: Archive = ArchiveFactory(public=public)
expected_perms = {
a.editors_group: {
"view_archive",
"use_archive",
"upload_archive",
"change_archive",
},
a.uploaders_group: {
"view_archive",
"use_archive",
"upload_archive",
},
a.users_group: {"view_archive", "use_archive"},
}
if public:
reg_and_anon = Group.objects.get(
name=settings.REGISTERED_AND_ANON_USERS_GROUP_NAME)
expected_perms[reg_and_anon] = {"view_archive"}
assert get_groups_with_set_perms(a) == expected_perms
assert get_users_with_perms(a, with_group_users=False).count() == 0
def test_organization_permissions(self):
o: Organization = OrganizationFactory()
assert get_groups_with_set_perms(o) == {
o.editors_group: {"change_organization"}
}
assert not get_users_with_perms(o, with_group_users=False).exists()
def test_deleting_display_set_removes_permissions():
ds1, ds2 = DisplaySetFactory.create_batch(2)
im = ImageFactory()
civ = ComponentInterfaceValueFactory(image=im)
with capture_on_commit_callbacks(execute=True):
ds1.values.set([civ])
ds2.values.set([civ])
assert get_groups_with_set_perms(im) == {
ds1.reader_study.editors_group: {"view_image"},
ds1.reader_study.readers_group: {"view_image"},
ds2.reader_study.editors_group: {"view_image"},
ds2.reader_study.readers_group: {"view_image"},
}
with capture_on_commit_callbacks(execute=True):
ds1.delete()
assert get_groups_with_set_perms(im) == {
ds2.reader_study.editors_group: {"view_image"},
ds2.reader_study.readers_group: {"view_image"},
}
def test_changing_reader_study_updates_permissions():
ds = DisplaySetFactory()
im = ImageFactory()
civ = ComponentInterfaceValueFactory(image=im)
with capture_on_commit_callbacks(execute=True):
ds.values.set([civ])
assert get_groups_with_set_perms(im) == {
ds.reader_study.editors_group: {"view_image"},
ds.reader_study.readers_group: {"view_image"},
}
rs = ReaderStudyFactory(use_display_sets=False)
ds.reader_study = rs
with capture_on_commit_callbacks(execute=True):
ds.save()
assert get_groups_with_set_perms(im) == {
rs.editors_group: {"view_image"},
rs.readers_group: {"view_image"},
}
def test_archive_item_permissions_signal(client, reverse): # noqa: C901
ai1, ai2 = ArchiveItemFactory.create_batch(2)
im1, im2, im3, im4 = ImageFactory.create_batch(4)
civ1, civ2, civ3, civ4 = (
ComponentInterfaceValueFactory(image=im1),
ComponentInterfaceValueFactory(image=im2),
ComponentInterfaceValueFactory(image=im3),
ComponentInterfaceValueFactory(image=im4),
)
with capture_on_commit_callbacks(execute=True):
if reverse:
for civ in [civ1, civ2, civ3, civ4]:
civ.archive_items.add(ai1, ai2)
for civ in [civ3, civ4]:
civ.archive_items.remove(ai1, ai2)
for civ in [civ1, civ2]:
civ.archive_items.remove(ai2)
else:
# Test that adding images works
ai1.values.add(civ1, civ2, civ3, civ4)
# Test that removing images works
ai1.values.remove(civ3, civ4)
assert get_groups_with_set_perms(im1) == {
ai1.archive.editors_group: {"view_image"},
ai1.archive.uploaders_group: {"view_image"},
ai1.archive.users_group: {"view_image"},
}
assert get_groups_with_set_perms(im2) == {
ai1.archive.editors_group: {"view_image"},
ai1.archive.uploaders_group: {"view_image"},
ai1.archive.users_group: {"view_image"},
}
assert get_groups_with_set_perms(im3) == {}
assert get_groups_with_set_perms(im4) == {}
# Test clearing
with capture_on_commit_callbacks(execute=True):
if reverse:
civ1.archive_items.clear()
civ2.archive_items.clear()
else:
ai1.values.clear()
assert get_groups_with_set_perms(im1) == {}
assert get_groups_with_set_perms(im2) == {}
def test_job_permissions_for_challenge(self):
ai = AlgorithmImageFactory(ready=True)
archive = ArchiveFactory()
evaluation = EvaluationFactory(submission__phase__archive=archive,
submission__algorithm_image=ai)
# Fake an image upload via a session
u = UserFactory()
s = UploadSessionFactory(creator=u)
im = ImageFactory()
s.image_set.set([im])
civ = ComponentInterfaceValueFactory(
image=im, interface=ai.algorithm.inputs.get())
archive_item = ArchiveItemFactory(archive=archive)
with capture_on_commit_callbacks(execute=True):
archive_item.values.add(civ)
create_algorithm_jobs_for_evaluation(evaluation_pk=evaluation.pk)
job = Job.objects.get()
# Only the challenge admins and job viewers should be able to view the
# job and logs.
# NOTE: NOT THE *ALGORITHM* EDITORS, they are the participants
# to the challenge and should not be able to see the test data
assert get_groups_with_set_perms(job) == {
evaluation.submission.phase.challenge.admins_group: {
"view_job",
"view_logs",
},
job.viewers: {"view_job"},
}
# No-one should be able to change the job
assert (get_users_with_perms(job,
attach_perms=True,
with_group_users=False) == {})
# No-one should be in the viewers group
assert {*job.viewers.user_set.all()} == set()
def test_display_set_permissions_signal(client, reverse):
ds1, ds2 = DisplaySetFactory.create_batch(2)
im1, im2, im3, im4 = ImageFactory.create_batch(4)
civ1, civ2, civ3, civ4 = (
ComponentInterfaceValueFactory(image=im1),
ComponentInterfaceValueFactory(image=im2),
ComponentInterfaceValueFactory(image=im3),
ComponentInterfaceValueFactory(image=im4),
)
with capture_on_commit_callbacks(execute=True):
if reverse:
for civ in [civ1, civ2, civ3, civ4]:
civ.display_sets.add(ds1, ds2)
for civ in [civ3, civ4]:
civ.display_sets.remove(ds1, ds2)
for civ in [civ1, civ2]:
civ.display_sets.remove(ds2)
else:
# Test that adding images works
ds1.values.add(civ1, civ2, civ3, civ4)
# Test that removing images works
ds1.values.remove(civ3, civ4)
assert get_groups_with_set_perms(im1) == {
ds1.reader_study.editors_group: {"view_image"},
ds1.reader_study.readers_group: {"view_image"},
}
assert get_groups_with_set_perms(im2) == {
ds1.reader_study.editors_group: {"view_image"},
ds1.reader_study.readers_group: {"view_image"},
}
assert get_groups_with_set_perms(im3) == {}
assert get_groups_with_set_perms(im4) == {}
# Test clearing
with capture_on_commit_callbacks(execute=True):
if reverse:
civ1.display_sets.clear()
civ2.display_sets.clear()
else:
ds1.values.clear()
assert get_groups_with_set_perms(im1) == {}
assert get_groups_with_set_perms(im2) == {}
def test_job_permissions_for_archive(self):
ai = AlgorithmImageFactory(ready=True)
archive = ArchiveFactory()
# Fake an image upload via a session
u = UserFactory()
s = UploadSessionFactory(creator=u)
im = ImageFactory()
s.image_set.set([im])
civ = ComponentInterfaceValueFactory(
image=im, interface=ai.algorithm.inputs.get())
archive_item = ArchiveItemFactory(archive=archive)
with capture_on_commit_callbacks(execute=True):
archive_item.values.add(civ)
archive.algorithms.set([ai.algorithm])
create_algorithm_jobs_for_archive(archive_pks=[archive.pk])
job = Job.objects.get()
# The archive editors, users and uploaders and job
# viewers should be able to view the job.
# NOTE: NOT THE ALGORITHM EDITORS, if they need
# access the job can be shared with them.
assert get_groups_with_set_perms(job) == {
archive.editors_group: {"view_job"},
archive.users_group: {"view_job"},
archive.uploaders_group: {"view_job"},
job.viewers: {"view_job"},
}
# No-one should be able to change the job
assert (get_users_with_perms(job,
attach_perms=True,
with_group_users=False) == {})
# No-one should be in the viewers group
assert {*job.viewers.user_set.all()} == set()
