diff --git a/docs/03-apis/api-admin/permissions.md b/docs/03-apis/api-admin/permissions.md index eea9d13c64..ab4270e655 100644 --- a/docs/03-apis/api-admin/permissions.md +++ b/docs/03-apis/api-admin/permissions.md @@ -39,7 +39,7 @@ for the group is returned. permissions for a project. As a response, all `default_object_acces_permissions` of a project are returned. -### Creating New Permissions: +### Creating New Administrative Permissions: - `POST: /admin/permissions/ap`: create a new administrative permission. The type of permissions, the project and group to which the permission should be added must be 
@@ -79,11 +79,40 @@ As a response, the created administrative permission and its IRI are returned as } } ``` +`hasPermissions` contains permission types that must be granted. See [the complete description of administrative +permission types](../../05-internals/design/api-admin/administration.md#administrative-permissions). +In summary, each permission should contain followings: +- `name` : indicates the type of the permission that can be one of the followings: + - `ProjectAdminAllPermission`: gives the user the permission to do anything + on project level, i.e. create new groups, modify all + existing groups + - `ProjectAdminGroupAllPermission`: gives the user the permission to modify + *group info* and *group membership* on *all* groups + belonging to the project. + - `ProjectAdminGroupRestrictedPermission`: gives the user the permission to modify + *group info* and *group membership* on *certain* groups + belonging to the project. + - `ProjectAdminRightsAllPermission`: gives the user the permission to change the + *permissions* on all objects belonging to the project + (e.g., default permissions attached to groups and + permissions on objects). + - `ProjectResourceCreateAllPermission`: gives the permission to create resources + inside the project. + - `ProjectResourceCreateRestrictedPermission`: gives restricted resource creation permission + inside the project. + +- `additionalInformation`: should be left empty, otherwise will be ignored. +- `permissionCode`: should be left empty, otherwise will be ignored. + + Note that during the creation of a new project, a default set of administrative permissions are added to its ProjectAdmin and ProjectMember groups (See [Default set of permissions for a new project](./projects.md#default-set-of-permissions-for-a-new-project)). Therefore, it is not possible to create new administrative permissions for the ProjectAdmin and ProjectMember groups of a project. 
However, the default permissions set for these groups can be modified (See [update permission](./permissions.md#updating-a-permissions-scope)). + +### Creating New Default Object Access Permissions: + - `POST: /admin/permissions/doap` : create a new default object access permission. A single instance of `knora-admin:DefaultObjectAccessPermission` must always reference a project, but can only reference **either** a group 
@@ -101,6 +130,25 @@ default object access permission for a group of a project the request body would "hasPermissions":[{"additionalInformation":"http://www.knora.org/ontology/knora-admin#ProjectMember","name":"D","permissionCode":7}] } ``` +`hasPermissions` contains permission types that must be granted. See [a complete description of object access +permission types](../../05-internals/design/api-admin/administration.md#default-object-access-permissions). +In summary, each permission should contain followings: +- `additionalInformation`: To whom the permission should be granted: project members, known users, unknown users, etc. +- `name` : indicates the type of the permission that can be one of the followings. + - `RV`: restricted view permission (least privileged) + - `V`: view permission + - `M` modify permission + - `D`: delete permission + - `CR`: change rights permission (most privileged) +- `permissionCode`: The code assigned to a permission indicating its hierarchical level. These codes are as below: + - `1`: for restricted view permission (least privileged) + - `2`: for view permission + - `6`: for modify permission + - `7`: for delete permission + - `8`: for change rights permission (most privileged) + +Note that, at least either `name` or `permissionCode` must be provided. If one is missing, it will be extrapolated from the other. +For example, if `permissionCode= 1` is given but `name` was left empty, its value will be set to `name = RV`. Similar to the previous case a custom IRI can be assigned to a permission specified by the `id` in the request body. The example below shows the request body to create a new default object access permission with a custom IRI defined for 
@@ -166,6 +214,11 @@ the combination of both, the permission will be defined for the newly specified "hasPermissions":[{"additionalInformation":"http://www.knora.org/ontology/knora-admin#ProjectMember","name":"D","permissionCode":7}] } ``` +Each permission item given in `hasPermissions`, must contain the necessary parameters with respect to the type of the +permission. For example, if you wish to change the scope of an administrative permission, follow the +[guidelines](#creating-new-administrative-permissions) for the +content of its `hasPermissions` property. Similarly, if you wish to change the scope of a default object access permission, +follow the [guidelines](#creating-new-default-object-access-permissions) given about the content of its `hasPermissions` property. ### Updating a Default Object Access Permission's Resource Class: - `PUT: /admin/permissions//resourceClass` to change the resource class for which a default object diff --git a/webapi/src/main/scala/org/knora/webapi/messages/admin/responder/permissionsmessages/PermissionsMessagesADM.scala b/webapi/src/main/scala/org/knora/webapi/messages/admin/responder/permissionsmessages/PermissionsMessagesADM.scala index 41cb620c28..0cc454d2a6 100644 --- a/webapi/src/main/scala/org/knora/webapi/messages/admin/responder/permissionsmessages/PermissionsMessagesADM.scala +++ b/webapi/src/main/scala/org/knora/webapi/messages/admin/responder/permissionsmessages/PermissionsMessagesADM.scala 
@@ -20,13 +20,14 @@ package org.knora.webapi.messages.admin.responder.permissionsmessages import java.util.UUID - import akka.http.scaladsl.marshallers.sprayjson.SprayJsonSupport import org.knora.webapi._ import org.knora.webapi.exceptions.{BadRequestException, ForbiddenException, InconsistentRepositoryDataException} import org.knora.webapi.feature.FeatureFactoryConfig +import org.knora.webapi.messages.OntologyConstants.KnoraBase.EntityPermissionAbbreviations import org.knora.webapi.messages.{OntologyConstants, StringFormatter} import org.knora.webapi.messages.admin.responder.permissionsmessages.PermissionDataType.PermissionProfileType +import org.knora.webapi.messages.admin.responder.permissionsmessages.PermissionsMessagesUtilADM.PermissionTypeAndCodes import org.knora.webapi.messages.admin.responder.projectsmessages.ProjectsADMJsonProtocol import org.knora.webapi.messages.admin.responder.usersmessages.UserADM import org.knora.webapi.messages.admin.responder.{KnoraRequestADM, KnoraResponseADM} @@ -59,9 +60,16 @@ case class CreateAdministrativePermissionAPIRequestADM(id: Option[IRI] = None, id, throw BadRequestException(s"Invalid permission IRI ${id.get} is given.")) if (hasPermissions.isEmpty) throw BadRequestException("Permissions needs to be supplied.") + if (!OntologyConstants.KnoraAdmin.BuiltInGroups.contains(forGroup)) { stringFormatter.validateGroupIri(forGroup, throw BadRequestException(s"Invalid group IRI $forGroup")) } + + def prepareHasPermissions: CreateAdministrativePermissionAPIRequestADM = { + copy( + hasPermissions = PermissionsMessagesUtilADM.verifyHasPermissionsAP(hasPermissions) + ) + } } /** 
@@ -123,8 +131,14 @@ case class CreateDefaultObjectAccessPermissionAPIRequestADM(id: Option[IRI] = No } case None => None } + if (hasPermissions.isEmpty) throw BadRequestException("Permissions needs to be supplied.") + def prepareHasPermissions: CreateDefaultObjectAccessPermissionAPIRequestADM = { + copy( + hasPermissions = PermissionsMessagesUtilADM.verifyHasPermissionsDOAP(hasPermissions) + ) + } } /** @@ -155,6 +169,7 @@ case class ChangePermissionHasPermissionsApiRequestADM(hasPermissions: Set[Permi } def toJsValue: JsValue = changePermissionHasPermissionsApiRequestADMFormat.write(this) + } /** @@ -1138,6 +1153,7 @@ object PermissionADM { permissionCode = Some(1) ) } + } /** diff --git a/webapi/src/main/scala/org/knora/webapi/messages/admin/responder/permissionsmessages/PermissionsMessagesUtilADM.scala b/webapi/src/main/scala/org/knora/webapi/messages/admin/responder/permissionsmessages/PermissionsMessagesUtilADM.scala index 150545d72e..ebbfbd918a 100644 --- a/webapi/src/main/scala/org/knora/webapi/messages/admin/responder/permissionsmessages/PermissionsMessagesUtilADM.scala +++ b/webapi/src/main/scala/org/knora/webapi/messages/admin/responder/permissionsmessages/PermissionsMessagesUtilADM.scala @@ -20,7 +20,16 @@ package org.knora.webapi.messages.admin.responder.permissionsmessages import org.knora.webapi.IRI -import org.knora.webapi.exceptions.ApplicationCacheException +import org.knora.webapi.exceptions.{ApplicationCacheException, BadRequestException} +import org.knora.webapi.messages.OntologyConstants.KnoraAdmin.AdministrativePermissionAbbreviations +import org.knora.webapi.messages.OntologyConstants.KnoraBase.{ + ChangeRightsPermission, + DeletePermission, + EntityPermissionAbbreviations, + ModifyPermission, + RestrictedViewPermission, + ViewPermission +} import org.knora.webapi.util.cache.CacheUtil /** 
@@ -30,6 +39,14 @@ object PermissionsMessagesUtilADM { val PermissionsCacheName = "permissionsCache" + val PermissionTypeAndCodes: Map[String, Int] = Map( + RestrictedViewPermission -> 1, + ViewPermission -> 2, + ModifyPermission -> 6, + DeletePermission -> 7, + ChangeRightsPermission -> 8 + ) + //////////////////// // Helper Methods // //////////////////// 
@@ -88,4 +105,92 @@ object PermissionsMessagesUtilADM { CacheUtil.remove(PermissionsCacheName, key) } + + /** + * Validates the parameters of the `hasPermissions` collections of a DOAP. + * + * @param hasPermissions Set of the permissions. + */ + def validateDOAPHasPermissions(hasPermissions: Set[PermissionADM]) = { + + hasPermissions.foreach { permission => + if (permission.additionalInformation.isEmpty) { + throw BadRequestException(s"additionalInformation of a default object access permission type cannot be empty.") + } + if (permission.name.nonEmpty && !EntityPermissionAbbreviations.contains(permission.name)) + throw BadRequestException( + s"Invalid value for name parameter of hasPermissions: ${permission.name}, it should be one of " + + s"${EntityPermissionAbbreviations.toString}") + if (permission.permissionCode.nonEmpty) { + val code = permission.permissionCode.get + if (!PermissionTypeAndCodes.values.toSet.contains(code)) { + throw BadRequestException( + s"Invalid value for permissionCode parameter of hasPermissions: $code, it should be one of " + + s"${PermissionTypeAndCodes.values.toString}") + } + } + if (permission.permissionCode.isEmpty && permission.name.isEmpty) { + throw BadRequestException( + s"One of permission code or permission name must be provided for a default object access permission.") + } + if (permission.permissionCode.nonEmpty && permission.name.nonEmpty) { + val code = permission.permissionCode.get + if (PermissionTypeAndCodes(permission.name) != code) { + throw BadRequestException( + s"Given permission code $code and permission name ${permission.name} are not consistent.") + } + } + } + } + + /** + * For administrative permission we only need the name parameter of each PermissionADM given in hasPermissions collection. + * This method, validates the content of hasPermissions collection by only keeping the values of name params. + * @param hasPermissions Set of the permissions. 
+ */ + def verifyHasPermissionsAP(hasPermissions: Set[PermissionADM]): Set[PermissionADM] = { + val updatedPermissions = hasPermissions.map { permission => + if (!AdministrativePermissionAbbreviations.contains(permission.name)) + throw BadRequestException( + s"Invalid value for name parameter of hasPermissions: ${permission.name}, it should be one of " + + s"${AdministrativePermissionAbbreviations.toString}") + PermissionADM( + name = permission.name, + additionalInformation = None, + permissionCode = None + ) + } + updatedPermissions + } + + /** + * For default object access permission, we need to make sure that the value given for the permissionCode matches + * the value of name parameter. + * This method, validates the content of hasPermissions collection by verifying that both permissionCode and name + * indicate the same type of permission. + * + * @param hasPermissions Set of the permissions. + */ + def verifyHasPermissionsDOAP(hasPermissions: Set[PermissionADM]): Set[PermissionADM] = { + validateDOAPHasPermissions(hasPermissions) + hasPermissions.map { permission => + val code: Int = permission.permissionCode match { + case None => PermissionTypeAndCodes(permission.name) + case Some(code) => code + } + val name = permission.name.isEmpty match { + case true => + val nameCodeSet: Option[(String, Int)] = PermissionTypeAndCodes.find { + case (name, code) => code == permission.permissionCode.get + } + nameCodeSet.get._1 + case false => permission.name + } + PermissionADM( + name = name, + additionalInformation = permission.additionalInformation, + permissionCode = Some(code) + ) + } + } } diff --git a/webapi/src/main/scala/org/knora/webapi/responders/admin/PermissionsResponderADM.scala b/webapi/src/main/scala/org/knora/webapi/responders/admin/PermissionsResponderADM.scala index ee38d4614e..66d95b1103 100644 --- a/webapi/src/main/scala/org/knora/webapi/responders/admin/PermissionsResponderADM.scala 
+++ b/webapi/src/main/scala/org/knora/webapi/responders/admin/PermissionsResponderADM.scala @@ -82,7 +82,7 @@ class PermissionsResponderADM(responderData: ResponderData) extends Responder(re featureFactoryConfig, requestingUser, apiRequestID) => - administrativePermissionCreateRequestADM(newAdministrativePermission, + administrativePermissionCreateRequestADM(newAdministrativePermission.prepareHasPermissions, featureFactoryConfig, requestingUser, apiRequestID) @@ -127,7 +127,10 @@ class PermissionsResponderADM(responderData: ResponderData) extends Responder(re featureFactoryConfig, requestingUser, apiRequestID) => - defaultObjectAccessPermissionCreateRequestADM(createRequest, featureFactoryConfig, requestingUser, apiRequestID) + defaultObjectAccessPermissionCreateRequestADM(createRequest.prepareHasPermissions, + featureFactoryConfig, + requestingUser, + apiRequestID) case PermissionsForProjectGetRequestADM(projectIri, groupIri, featureFactoryConfig, requestingUser) => permissionsForProjectGetRequestADM(projectIri, groupIri, featureFactoryConfig, requestingUser) case PermissionByIriGetRequestADM(permissionIri, requestingUser) => 
@@ -1688,18 +1691,18 @@ class PermissionsResponderADM(responderData: ResponderData) extends Responder(re apiRequestID: UUID): Future[PermissionGetResponseADM] = { /*Verify that hasPermissions is updated successfully*/ - def verifyUpdateOfHasPermissions: Future[PermissionItemADM] = + def verifyUpdateOfHasPermissions(expectedPermissions: Set[PermissionADM]): Future[PermissionItemADM] = for { updatedPermission <- permissionGetADM(permissionIri, requestingUser) /*Verify that update was successful*/ _ = updatedPermission match { case ap: AdministrativePermissionADM => - if (!ap.hasPermissions.equals(changeHasPermissionsRequest.hasPermissions)) + if (!ap.hasPermissions.equals(expectedPermissions)) throw UpdateNotPerformedException( s"The hasPermissions set of permission $permissionIri was not updated. Please report this as a bug.") case doap: DefaultObjectAccessPermissionADM => - if (!doap.hasPermissions.equals(changeHasPermissionsRequest.hasPermissions)) { + if (!doap.hasPermissions.equals(expectedPermissions)) { throw UpdateNotPerformedException( s"The hasPermissions set of permission $permissionIri was not updated. Please report this as a bug.") } 
@@ -1720,19 +1723,23 @@ class PermissionsResponderADM(responderData: ResponderData) extends Responder(re // Is permission an administrative permission? case ap: AdministrativePermissionADM => // Yes. + val verifiedPermissions = + PermissionsMessagesUtilADM.verifyHasPermissionsAP(changeHasPermissionsRequest.hasPermissions) for { formattedPermissions <- Future( - PermissionUtilADM.formatPermissionADMs(changeHasPermissionsRequest.hasPermissions, PermissionType.AP)) + PermissionUtilADM.formatPermissionADMs(verifiedPermissions, PermissionType.AP)) _ <- updatePermission(permissionIri = ap.iri, maybeHasPermissions = Some(formattedPermissions)) - updatedPermission <- verifyUpdateOfHasPermissions + updatedPermission <- verifyUpdateOfHasPermissions(verifiedPermissions) } yield AdministrativePermissionGetResponseADM(updatedPermission.asInstanceOf[AdministrativePermissionADM]) case doap: DefaultObjectAccessPermissionADM => //No. It is a default object access permission. + val verifiedPermissions = + PermissionsMessagesUtilADM.verifyHasPermissionsDOAP(changeHasPermissionsRequest.hasPermissions) for { formattedPermissions <- Future( - PermissionUtilADM.formatPermissionADMs(changeHasPermissionsRequest.hasPermissions, PermissionType.OAP)) + PermissionUtilADM.formatPermissionADMs(verifiedPermissions, PermissionType.OAP)) _ <- updatePermission(permissionIri = doap.iri, maybeHasPermissions = Some(formattedPermissions)) - updatedPermission <- verifyUpdateOfHasPermissions + updatedPermission <- verifyUpdateOfHasPermissions(verifiedPermissions) } yield DefaultObjectAccessPermissionGetResponseADM( updatedPermission.asInstanceOf[DefaultObjectAccessPermissionADM]) diff --git a/webapi/src/main/scala/org/knora/webapi/responders/admin/ProjectsResponderADM.scala b/webapi/src/main/scala/org/knora/webapi/responders/admin/ProjectsResponderADM.scala index eca746d819..df80f95896 100644 --- a/webapi/src/main/scala/org/knora/webapi/responders/admin/ProjectsResponderADM.scala 
+++ b/webapi/src/main/scala/org/knora/webapi/responders/admin/ProjectsResponderADM.scala @@ -991,7 +991,7 @@ class ProjectsResponderADM(responderData: ResponderData) extends Responder(respo forGroup = OntologyConstants.KnoraAdmin.ProjectAdmin, hasPermissions = Set(PermissionADM.ProjectAdminAllPermission, PermissionADM.ProjectResourceCreateAllPermission) - ), + ).prepareHasPermissions, featureFactoryConfig = featureFactoryConfig, requestingUser = requestingUser, apiRequestID = UUID.randomUUID() @@ -1003,7 +1003,7 @@ class ProjectsResponderADM(responderData: ResponderData) extends Responder(respo forProject = projectIri, forGroup = OntologyConstants.KnoraAdmin.ProjectMember, hasPermissions = Set(PermissionADM.ProjectResourceCreateAllPermission) - ), + ).prepareHasPermissions, featureFactoryConfig = featureFactoryConfig, requestingUser = requestingUser, apiRequestID = UUID.randomUUID() @@ -1022,7 +1022,7 @@ class ProjectsResponderADM(responderData: ResponderData) extends Responder(respo PermissionADM.viewPermission(OntologyConstants.KnoraAdmin.ProjectAdmin), PermissionADM.restrictedViewPermission(OntologyConstants.KnoraAdmin.ProjectAdmin) ) - ), + ).prepareHasPermissions, featureFactoryConfig = featureFactoryConfig, requestingUser = requestingUser, apiRequestID = UUID.randomUUID() @@ -1039,7 +1039,7 @@ class ProjectsResponderADM(responderData: ResponderData) extends Responder(respo PermissionADM.viewPermission(OntologyConstants.KnoraAdmin.ProjectMember), PermissionADM.restrictedViewPermission(OntologyConstants.KnoraAdmin.ProjectMember) ) - ), + ).prepareHasPermissions, featureFactoryConfig = featureFactoryConfig, requestingUser = requestingUser, apiRequestID = UUID.randomUUID() diff --git a/webapi/src/test/scala/org/knora/webapi/messages/admin/responder/permissionsmessages/PermissionsMessagesADMSpec.scala b/webapi/src/test/scala/org/knora/webapi/messages/admin/responder/permissionsmessages/PermissionsMessagesADMSpec.scala index 71239c8552..0e5b14dce4 100644 
--- a/webapi/src/test/scala/org/knora/webapi/messages/admin/responder/permissionsmessages/PermissionsMessagesADMSpec.scala +++ b/webapi/src/test/scala/org/knora/webapi/messages/admin/responder/permissionsmessages/PermissionsMessagesADMSpec.scala @@ -20,10 +20,12 @@ package org.knora.webapi.messages.admin.responder.permissionsmessages import java.util.UUID - import org.knora.webapi.CoreSpec import org.knora.webapi.exceptions.{BadRequestException, ForbiddenException} import org.knora.webapi.messages.OntologyConstants +import org.knora.webapi.messages.OntologyConstants.KnoraAdmin.AdministrativePermissionAbbreviations +import org.knora.webapi.messages.OntologyConstants.KnoraBase.EntityPermissionAbbreviations +import org.knora.webapi.messages.admin.responder.permissionsmessages.PermissionsMessagesUtilADM.PermissionTypeAndCodes import org.knora.webapi.sharedtestdata.SharedOntologyTestDataADM._ import org.knora.webapi.sharedtestdata.SharedTestDataV1._ import org.knora.webapi.sharedtestdata._ @@ -113,7 +115,7 @@ class PermissionsMessagesADMSpec extends CoreSpec() { forProject = forProject, forGroup = OntologyConstants.KnoraAdmin.ProjectMember, hasPermissions = Set(PermissionADM.ProjectAdminAllPermission) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = SharedTestDataADM.imagesUser01, apiRequestID = UUID.randomUUID() @@ -130,7 +132,7 @@ class PermissionsMessagesADMSpec extends CoreSpec() { forProject = SharedTestDataADM.ANYTHING_PROJECT_IRI, forGroup = groupIri, hasPermissions = Set(PermissionADM.ProjectAdminAllPermission) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = SharedTestDataADM.imagesUser01, apiRequestID = UUID.randomUUID() 
@@ -148,7 +150,7 @@ class PermissionsMessagesADMSpec extends CoreSpec() { forProject = SharedTestDataADM.IMAGES_PROJECT_IRI, forGroup = OntologyConstants.KnoraAdmin.ProjectMember, hasPermissions = Set(PermissionADM.ProjectAdminAllPermission) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = SharedTestDataADM.imagesUser01, apiRequestID = UUID.randomUUID() @@ -158,13 +160,38 @@ class PermissionsMessagesADMSpec extends CoreSpec() { } "return 'BadRequest' if the no permissions supplied for AdministrativePermissionCreateRequestADM" in { + val invalidName = "Delete" + val hasPermissions = Set( + PermissionADM( + name = invalidName, + additionalInformation = None, + permissionCode = None + )) + val caught = intercept[BadRequestException]( + AdministrativePermissionCreateRequestADM( + createRequest = CreateAdministrativePermissionAPIRequestADM( + forProject = SharedTestDataADM.IMAGES_PROJECT_IRI, + forGroup = OntologyConstants.KnoraAdmin.ProjectMember, + hasPermissions = hasPermissions + ).prepareHasPermissions, + featureFactoryConfig = defaultFeatureFactoryConfig, + requestingUser = SharedTestDataADM.imagesUser01, + apiRequestID = UUID.randomUUID() + ) + ) + assert( + caught.getMessage === s"Invalid value for name parameter of hasPermissions: $invalidName, it should be one of " + + s"${AdministrativePermissionAbbreviations.toString}") + } + + "return 'BadRequest' if the a permissions supplied for AdministrativePermissionCreateRequestADM had invalid name" in { val caught = intercept[BadRequestException]( AdministrativePermissionCreateRequestADM( createRequest = CreateAdministrativePermissionAPIRequestADM( forProject = SharedTestDataADM.IMAGES_PROJECT_IRI, forGroup = OntologyConstants.KnoraAdmin.ProjectMember, hasPermissions = Set.empty[PermissionADM] - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = SharedTestDataADM.imagesUser01, apiRequestID = UUID.randomUUID() 
@@ -180,7 +207,7 @@ class PermissionsMessagesADMSpec extends CoreSpec() { forProject = SharedTestDataADM.IMAGES_PROJECT_IRI, forGroup = OntologyConstants.KnoraAdmin.ProjectMember, hasPermissions = Set(PermissionADM.ProjectAdminAllPermission) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = SharedTestDataADM.imagesReviewerUser, apiRequestID = UUID.randomUUID() @@ -463,7 +490,7 @@ class PermissionsMessagesADMSpec extends CoreSpec() { forProject = forProject, forGroup = Some(OntologyConstants.KnoraAdmin.ProjectMember), hasPermissions = Set(PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.ProjectMember)) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = SharedTestDataADM.imagesUser01, apiRequestID = UUID.randomUUID() @@ -480,7 +507,7 @@ class PermissionsMessagesADMSpec extends CoreSpec() { forProject = SharedTestDataADM.ANYTHING_PROJECT_IRI, forGroup = Some(groupIri), hasPermissions = Set(PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.ProjectMember)) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = SharedTestDataADM.imagesUser01, apiRequestID = UUID.randomUUID() @@ -498,7 +525,7 @@ class PermissionsMessagesADMSpec extends CoreSpec() { forProject = SharedTestDataADM.ANYTHING_PROJECT_IRI, forGroup = Some(OntologyConstants.KnoraAdmin.ProjectMember), hasPermissions = Set(PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.ProjectMember)) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = SharedTestDataADM.imagesUser01, apiRequestID = UUID.randomUUID() 
@@ -514,7 +541,7 @@ class PermissionsMessagesADMSpec extends CoreSpec() { forProject = SharedTestDataADM.ANYTHING_PROJECT_IRI, forGroup = Some(SharedTestDataADM.thingSearcherGroup.id), hasPermissions = Set.empty[PermissionADM] - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = SharedTestDataADM.anythingAdminUser, apiRequestID = UUID.randomUUID() 
@@ -523,6 +550,127 @@ class PermissionsMessagesADMSpec extends CoreSpec() { assert(caught.getMessage === "Permissions needs to be supplied.") } + "not create a DefaultObjectAccessPermission for project and property if hasPermissions set contained permission with invalid name" in { + val invalidName = "invalid" + val hasPermissions = Set( + PermissionADM( + name = invalidName, + additionalInformation = Some(OntologyConstants.KnoraAdmin.Creator), + permissionCode = Some(8) + )) + val caught = intercept[BadRequestException]( + DefaultObjectAccessPermissionCreateRequestADM( + createRequest = CreateDefaultObjectAccessPermissionAPIRequestADM( + forProject = SharedTestDataADM.IMAGES_PROJECT_IRI, + forProperty = Some(SharedOntologyTestDataADM.IMAGES_TITEL_PROPERTY), + hasPermissions = hasPermissions + ).prepareHasPermissions, + featureFactoryConfig = defaultFeatureFactoryConfig, + requestingUser = SharedTestDataADM.anythingAdminUser, + apiRequestID = UUID.randomUUID() + )) + assert( + caught.getMessage === + s"Invalid value for name parameter of hasPermissions: $invalidName, it should be one of " + + s"${EntityPermissionAbbreviations.toString}") + } + + "not create a DefaultObjectAccessPermission for project and property if hasPermissions set contained permission with invalid code" in { + val invalidCode = 10 + val hasPermissions = Set( + PermissionADM( + name = OntologyConstants.KnoraBase.ChangeRightsPermission, + additionalInformation = Some(OntologyConstants.KnoraAdmin.Creator), + permissionCode = Some(invalidCode) + )) + val caught = intercept[BadRequestException]( + DefaultObjectAccessPermissionCreateRequestADM( + createRequest = CreateDefaultObjectAccessPermissionAPIRequestADM( + forProject = SharedTestDataADM.IMAGES_PROJECT_IRI, + forProperty = Some(SharedOntologyTestDataADM.IMAGES_TITEL_PROPERTY), + hasPermissions = hasPermissions + ).prepareHasPermissions, + featureFactoryConfig = defaultFeatureFactoryConfig, + requestingUser = SharedTestDataADM.anythingAdminUser, 
+ apiRequestID = UUID.randomUUID() + )) + assert( + caught.getMessage === + s"Invalid value for permissionCode parameter of hasPermissions: $invalidCode, it should be one of " + + s"${PermissionTypeAndCodes.values.toString}") + } + + "not create a DefaultObjectAccessPermission for project and property if hasPermissions set contained permission with inconsistent code and name" in { + val code = 2 + val name = OntologyConstants.KnoraBase.ChangeRightsPermission + val hasPermissions = Set( + PermissionADM( + name = name, + additionalInformation = Some(OntologyConstants.KnoraAdmin.Creator), + permissionCode = Some(code) + )) + val caught = intercept[BadRequestException]( + DefaultObjectAccessPermissionCreateRequestADM( + createRequest = CreateDefaultObjectAccessPermissionAPIRequestADM( + forProject = SharedTestDataADM.IMAGES_PROJECT_IRI, + forProperty = Some(SharedOntologyTestDataADM.IMAGES_TITEL_PROPERTY), + hasPermissions = hasPermissions + ).prepareHasPermissions, + featureFactoryConfig = defaultFeatureFactoryConfig, + requestingUser = SharedTestDataADM.anythingAdminUser, + apiRequestID = UUID.randomUUID() + )) + assert(caught.getMessage === s"Given permission code $code and permission name $name are not consistent.") + } + + "not create a DefaultObjectAccessPermission for project and property if hasPermissions set contained permission without any code or name" in { + + val hasPermissions = Set( + PermissionADM( + name = "", + additionalInformation = Some(OntologyConstants.KnoraAdmin.Creator), + permissionCode = None + )) + val caught = intercept[BadRequestException]( + DefaultObjectAccessPermissionCreateRequestADM( + createRequest = CreateDefaultObjectAccessPermissionAPIRequestADM( + forProject = SharedTestDataADM.IMAGES_PROJECT_IRI, + forProperty = Some(SharedOntologyTestDataADM.IMAGES_TITEL_PROPERTY), + hasPermissions = hasPermissions + ).prepareHasPermissions, + featureFactoryConfig = defaultFeatureFactoryConfig, + requestingUser = 
SharedTestDataADM.anythingAdminUser, + apiRequestID = UUID.randomUUID() + )) + assert( + caught.getMessage === + s"One of permission code or permission name must be provided for a default object access permission.") + } + + "not create a DefaultObjectAccessPermission for project and property if hasPermissions set contained permission without additionalInformation parameter" in { + + val hasPermissions = Set( + PermissionADM( + name = OntologyConstants.KnoraBase.ChangeRightsPermission, + additionalInformation = None, + permissionCode = Some(8) + )) + val caught = intercept[BadRequestException]( + DefaultObjectAccessPermissionCreateRequestADM( + createRequest = CreateDefaultObjectAccessPermissionAPIRequestADM( + forProject = SharedTestDataADM.IMAGES_PROJECT_IRI, + forProperty = Some(SharedOntologyTestDataADM.IMAGES_TITEL_PROPERTY), + hasPermissions = hasPermissions + ).prepareHasPermissions, + featureFactoryConfig = defaultFeatureFactoryConfig, + requestingUser = SharedTestDataADM.anythingAdminUser, + apiRequestID = UUID.randomUUID() + )) + assert( + caught.getMessage === + s"additionalInformation of a default object access permission type cannot be empty.") + } + "return 'ForbiddenException' if the user requesting DefaultObjectAccessPermissionCreateRequestADM is not system or project Admin" in { val caught = intercept[ForbiddenException]( DefaultObjectAccessPermissionCreateRequestADM( @@ -530,7 +678,7 @@ class PermissionsMessagesADMSpec extends CoreSpec() { forProject = SharedTestDataADM.ANYTHING_PROJECT_IRI, forGroup = Some(SharedTestDataADM.thingSearcherGroup.id), hasPermissions = Set(PermissionADM.restrictedViewPermission(SharedTestDataADM.thingSearcherGroup.id)) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = SharedTestDataADM.anythingUser2, apiRequestID = UUID.randomUUID() 
@@ -547,7 +695,7 @@ class PermissionsMessagesADMSpec extends CoreSpec() { forGroup = Some(OntologyConstants.KnoraAdmin.ProjectMember), forResourceClass = Some(ANYTHING_THING_RESOURCE_CLASS_LocalHost), hasPermissions = Set(PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.ProjectMember)) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = SharedTestDataADM.imagesUser01, apiRequestID = UUID.randomUUID() @@ -564,7 +712,7 @@ class PermissionsMessagesADMSpec extends CoreSpec() { forGroup = Some(OntologyConstants.KnoraAdmin.ProjectMember), forProperty = Some(ANYTHING_HasDate_PROPERTY_LocalHost), hasPermissions = Set(PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.ProjectMember)) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = SharedTestDataADM.imagesUser01, apiRequestID = UUID.randomUUID() @@ -580,7 +728,7 @@ class PermissionsMessagesADMSpec extends CoreSpec() { forProject = ANYTHING_PROJECT_IRI, forProperty = Some(SharedTestDataADM.customValueIRI), hasPermissions = Set(PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.ProjectMember)) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = SharedTestDataADM.imagesUser01, apiRequestID = UUID.randomUUID() @@ -596,7 +744,7 @@ class PermissionsMessagesADMSpec extends CoreSpec() { forProject = ANYTHING_PROJECT_IRI, forResourceClass = Some(ANYTHING_THING_RESOURCE_CLASS_LocalHost), hasPermissions = Set(PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.ProjectMember)) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = SharedTestDataADM.imagesUser01, apiRequestID = UUID.randomUUID() 
@@ -611,7 +759,7 @@ class PermissionsMessagesADMSpec extends CoreSpec() { createRequest = CreateDefaultObjectAccessPermissionAPIRequestADM( forProject = ANYTHING_PROJECT_IRI, hasPermissions = Set(PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.ProjectMember)) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = SharedTestDataADM.imagesUser01, apiRequestID = UUID.randomUUID() diff --git a/webapi/src/test/scala/org/knora/webapi/responders/admin/PermissionsResponderADMSpec.scala b/webapi/src/test/scala/org/knora/webapi/responders/admin/PermissionsResponderADMSpec.scala index e8cff4f441..2049ba375b 100644 --- a/webapi/src/test/scala/org/knora/webapi/responders/admin/PermissionsResponderADMSpec.scala +++ b/webapi/src/test/scala/org/knora/webapi/responders/admin/PermissionsResponderADMSpec.scala @@ -20,12 +20,13 @@ package org.knora.webapi.responders.admin import java.util.UUID - import akka.actor.Status.Failure import akka.testkit.ImplicitSender import com.typesafe.config.{Config, ConfigFactory} import org.knora.webapi._ import org.knora.webapi.exceptions.{BadRequestException, DuplicateValueException, ForbiddenException, NotFoundException} +import org.knora.webapi.messages.OntologyConstants.KnoraBase.EntityPermissionAbbreviations +import org.knora.webapi.messages.admin.responder.permissionsmessages.PermissionsMessagesUtilADM.PermissionTypeAndCodes import org.knora.webapi.messages.admin.responder.permissionsmessages._ import org.knora.webapi.messages.store.triplestoremessages.RdfDataObject import org.knora.webapi.messages.util.{KnoraSystemInstances, PermissionUtilADM} 
@@ -227,7 +228,7 @@ class PermissionsResponderADMSpec s"Permission $permissionIri can only be queried/updated/deleted by system or project admin."))) } } -// + "asked to create an administrative permission" should { "fail and return a 'DuplicateValueException' when permission for project and group combination already exists" in { responderManager ! AdministrativePermissionCreateRequestADM( @@ -235,7 +236,7 @@ class PermissionsResponderADMSpec forProject = SharedTestDataADM.IMAGES_PROJECT_IRI, forGroup = OntologyConstants.KnoraAdmin.ProjectMember, hasPermissions = Set(PermissionADM.ProjectResourceCreateAllPermission) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = rootUser, apiRequestID = UUID.randomUUID() @@ -255,7 +256,7 @@ class PermissionsResponderADMSpec forProject = SharedTestDataADM.ANYTHING_PROJECT_IRI, forGroup = SharedTestDataADM.thingSearcherGroup.id, hasPermissions = Set(PermissionADM.ProjectResourceCreateAllPermission) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = rootUser, apiRequestID = UUID.randomUUID() 
@@ -266,6 +267,39 @@ class PermissionsResponderADMSpec assert(received.administrativePermission.forProject == SharedTestDataADM.ANYTHING_PROJECT_IRI) assert(received.administrativePermission.forGroup == SharedTestDataADM.thingSearcherGroup.id) } + + "create and return an administrative permission even if irrelevant values were given for name and code of its permission" in { + val customIri = "http://rdfh.ch/permissions/0001/cEVBtj2JpzsdJQBJN1J-vg" + val hasPermissions = Set( + PermissionADM( + name = OntologyConstants.KnoraAdmin.ProjectResourceCreateAllPermission, + additionalInformation = Some("blabla"), + permissionCode = Some(8) + )) + val expectedHasPermissions = Set( + PermissionADM( + name = OntologyConstants.KnoraAdmin.ProjectResourceCreateAllPermission, + additionalInformation = None, + permissionCode = None + )) + responderManager ! AdministrativePermissionCreateRequestADM( + createRequest = CreateAdministrativePermissionAPIRequestADM( + id = Some(customIri), + forProject = SharedTestDataADM.ANYTHING_PROJECT_IRI, + forGroup = OntologyConstants.KnoraAdmin.KnownUser, + hasPermissions = hasPermissions + ).prepareHasPermissions, + featureFactoryConfig = defaultFeatureFactoryConfig, + requestingUser = rootUser, + apiRequestID = UUID.randomUUID() + ) + val received: AdministrativePermissionCreateResponseADM = + expectMsgType[AdministrativePermissionCreateResponseADM] + assert(received.administrativePermission.iri == customIri) + assert(received.administrativePermission.forProject == SharedTestDataADM.ANYTHING_PROJECT_IRI) + assert(received.administrativePermission.forGroup == OntologyConstants.KnoraAdmin.KnownUser) + assert(received.administrativePermission.hasPermissions.equals(expectedHasPermissions)) + } } "ask to query about object access permissions " should { 
@@ -416,7 +450,7 @@ class PermissionsResponderADMSpec forProject = SharedTestDataADM.ANYTHING_PROJECT_IRI, forGroup = Some(SharedTestDataADM.thingSearcherGroup.id), hasPermissions = Set(PermissionADM.restrictedViewPermission(SharedTestDataADM.thingSearcherGroup.id)) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = rootUser, apiRequestID = UUID.randomUUID() @@ -438,7 +472,7 @@ class PermissionsResponderADMSpec forProject = SharedTestDataADM.ANYTHING_PROJECT_IRI, forGroup = Some(OntologyConstants.KnoraAdmin.UnknownUser), hasPermissions = Set(PermissionADM.restrictedViewPermission(OntologyConstants.KnoraAdmin.UnknownUser)) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = rootUser, apiRequestID = UUID.randomUUID() @@ -459,7 +493,7 @@ class PermissionsResponderADMSpec forProject = SharedTestDataADM.IMAGES_PROJECT_IRI, forResourceClass = Some(SharedOntologyTestDataADM.IMAGES_BILD_RESOURCE_CLASS), hasPermissions = Set(PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.KnownUser)) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = rootUser, apiRequestID = UUID.randomUUID() @@ -482,7 +516,7 @@ class PermissionsResponderADMSpec forProject = SharedTestDataADM.IMAGES_PROJECT_IRI, forProperty = Some(SharedOntologyTestDataADM.IMAGES_TITEL_PROPERTY), hasPermissions = Set(PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.Creator)) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = rootUser, apiRequestID = UUID.randomUUID() 
@@ -503,7 +537,7 @@ class PermissionsResponderADMSpec forProject = SharedTestDataV1.INCUNABULA_PROJECT_IRI, forGroup = Some(OntologyConstants.KnoraAdmin.ProjectMember), hasPermissions = Set(PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.ProjectMember)) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = rootUser, apiRequestID = UUID.randomUUID() @@ -525,7 +559,7 @@ class PermissionsResponderADMSpec PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.Creator), PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.ProjectMember) ) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = rootUser, apiRequestID = UUID.randomUUID() @@ -546,7 +580,7 @@ class PermissionsResponderADMSpec hasPermissions = Set( PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.KnownUser) ) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = rootUser, apiRequestID = UUID.randomUUID() @@ -569,7 +603,7 @@ class PermissionsResponderADMSpec PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.Creator), PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.ProjectMember) ) - ), + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = rootUser, apiRequestID = UUID.randomUUID() 
@@ -583,221 +617,409 @@ class PermissionsResponderADMSpec .formatPermissionADMs(perm003_d5.p.hasPermissions, PermissionType.OAP)}'. " + s"Use its IRI ${perm003_d5.iri} to modify it, if necessary."))) } - } - - "ask to get all permissions" should { - "return all permissions for 'image' project " in { - responderManager ! PermissionsForProjectGetRequestADM( - projectIri = SharedTestDataADM.IMAGES_PROJECT_IRI, + "create a DefaultObjectAccessPermission for project and property even if name of a permission was missing" in { + val hasPermissions = Set( + PermissionADM( + name = "", + additionalInformation = Some(OntologyConstants.KnoraAdmin.UnknownUser), + permissionCode = Some(1) + )) + responderManager ! DefaultObjectAccessPermissionCreateRequestADM( + createRequest = CreateDefaultObjectAccessPermissionAPIRequestADM( + forProject = SharedTestDataADM.IMAGES_PROJECT_IRI, + forGroup = Some(OntologyConstants.KnoraAdmin.UnknownUser), + hasPermissions = hasPermissions + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = rootUser, apiRequestID = UUID.randomUUID() ) - val received: PermissionsForProjectGetResponseADM = expectMsgType[PermissionsForProjectGetResponseADM] - received.allPermissions.size should be(8) + val received: DefaultObjectAccessPermissionCreateResponseADM = + expectMsgType[DefaultObjectAccessPermissionCreateResponseADM] + assert(received.defaultObjectAccessPermission.forProject == SharedTestDataADM.IMAGES_PROJECT_IRI) + assert(received.defaultObjectAccessPermission.forGroup == Some(OntologyConstants.KnoraAdmin.UnknownUser)) + assert( + received.defaultObjectAccessPermission.hasPermissions + .contains(PermissionADM.restrictedViewPermission(OntologyConstants.KnoraAdmin.UnknownUser))) } - "return all permissions for 'incunabula' project " in { - responderManager ! 
PermissionsForProjectGetRequestADM( - projectIri = SharedTestDataADM.INCUNABULA_PROJECT_IRI, + "create a DefaultObjectAccessPermission for project and property even if permissionCode of a permission was missing" in { + val hasPermissions = Set( + PermissionADM( + name = OntologyConstants.KnoraBase.DeletePermission, + additionalInformation = Some(OntologyConstants.KnoraAdmin.ProjectAdmin), + permissionCode = None + )) + val expectedPermissions = Set( + PermissionADM( + name = OntologyConstants.KnoraBase.DeletePermission, + additionalInformation = Some(OntologyConstants.KnoraAdmin.ProjectAdmin), + permissionCode = Some(7) + )) + responderManager ! DefaultObjectAccessPermissionCreateRequestADM( + createRequest = CreateDefaultObjectAccessPermissionAPIRequestADM( + forProject = SharedTestDataADM.IMAGES_PROJECT_IRI, + forGroup = Some(OntologyConstants.KnoraAdmin.ProjectAdmin), + hasPermissions = hasPermissions + ).prepareHasPermissions, featureFactoryConfig = defaultFeatureFactoryConfig, requestingUser = rootUser, apiRequestID = UUID.randomUUID() ) - expectMsg( - PermissionsForProjectGetResponseADM(allPermissions = Set( - PermissionInfoADM(perm003_a1.iri, OntologyConstants.KnoraAdmin.AdministrativePermission), - PermissionInfoADM(perm003_a2.iri, OntologyConstants.KnoraAdmin.AdministrativePermission), - PermissionInfoADM(perm003_d1.iri, OntologyConstants.KnoraAdmin.DefaultObjectAccessPermission), - PermissionInfoADM(perm003_d2.iri, OntologyConstants.KnoraAdmin.DefaultObjectAccessPermission), - PermissionInfoADM(perm003_d3.iri, OntologyConstants.KnoraAdmin.DefaultObjectAccessPermission), - PermissionInfoADM(perm003_d4.iri, OntologyConstants.KnoraAdmin.DefaultObjectAccessPermission), - PermissionInfoADM(perm003_d5.iri, OntologyConstants.KnoraAdmin.DefaultObjectAccessPermission) - ))) - } - } - - "ask for default object access permissions 'string'" should { - - "return the default object access permissions 'string' for the 'knora-base:LinkObj' resource class (system resource 
class)" in { - responderManager ! DefaultObjectAccessPermissionsStringForResourceClassGetADM( - projectIri = SharedTestDataADM.INCUNABULA_PROJECT_IRI, - resourceClassIri = OntologyConstants.KnoraBase.LinkObj, - targetUser = SharedTestDataADM.incunabulaProjectAdminUser, - requestingUser = KnoraSystemInstances.Users.SystemUser - ) - expectMsg( - DefaultObjectAccessPermissionsStringResponseADM( - "M knora-admin:ProjectMember|V knora-admin:KnownUser,knora-admin:UnknownUser")) - } - - "return the default object access permissions 'string' for the 'knora-base:hasStillImageFileValue' property (system property)" in { - responderManager ! DefaultObjectAccessPermissionsStringForPropertyGetADM( - projectIri = SharedTestDataADM.INCUNABULA_PROJECT_IRI, - resourceClassIri = OntologyConstants.KnoraBase.StillImageRepresentation, - propertyIri = OntologyConstants.KnoraBase.HasStillImageFileValue, - targetUser = SharedTestDataADM.incunabulaProjectAdminUser, - requestingUser = KnoraSystemInstances.Users.SystemUser - ) - expectMsg( - DefaultObjectAccessPermissionsStringResponseADM( - "M knora-admin:Creator,knora-admin:ProjectMember|V knora-admin:KnownUser,knora-admin:UnknownUser")) - } - - "return the default object access permissions 'string' for the 'incunabula:book' resource class (project resource class)" in { - responderManager ! DefaultObjectAccessPermissionsStringForResourceClassGetADM( - projectIri = SharedTestDataADM.INCUNABULA_PROJECT_IRI, - resourceClassIri = SharedOntologyTestDataADM.INCUNABULA_BOOK_RESOURCE_CLASS, - targetUser = SharedTestDataADM.incunabulaProjectAdminUser, - requestingUser = KnoraSystemInstances.Users.SystemUser - ) - expectMsg( - DefaultObjectAccessPermissionsStringResponseADM( - "CR knora-admin:Creator|M knora-admin:ProjectMember|V knora-admin:KnownUser|RV knora-admin:UnknownUser")) - } - - "return the default object access permissions 'string' for the 'incunabula:page' resource class (project resource class)" in { - responderManager ! 
DefaultObjectAccessPermissionsStringForResourceClassGetADM( - projectIri = SharedTestDataADM.INCUNABULA_PROJECT_IRI, - resourceClassIri = SharedOntologyTestDataADM.INCUNABULA_PAGE_RESOURCE_CLASS, - targetUser = SharedTestDataADM.incunabulaProjectAdminUser, - requestingUser = KnoraSystemInstances.Users.SystemUser - ) - expectMsg( - DefaultObjectAccessPermissionsStringResponseADM( - "CR knora-admin:Creator|M knora-admin:ProjectMember|V knora-admin:KnownUser|RV knora-admin:UnknownUser")) - } - - "return the default object access permissions 'string' for the 'images:jahreszeit' property" in { - responderManager ! DefaultObjectAccessPermissionsStringForPropertyGetADM( - projectIri = SharedTestDataADM.IMAGES_PROJECT_IRI, - resourceClassIri = s"${SharedOntologyTestDataADM.IMAGES_ONTOLOGY_IRI}#bild", - propertyIri = s"${SharedOntologyTestDataADM.IMAGES_ONTOLOGY_IRI}#jahreszeit", - targetUser = SharedTestDataADM.imagesUser01, - requestingUser = KnoraSystemInstances.Users.SystemUser - ) - expectMsg( - DefaultObjectAccessPermissionsStringResponseADM( - "CR knora-admin:Creator|M knora-admin:ProjectMember|V knora-admin:KnownUser")) - } - - "return the default object access permissions 'string' for the 'anything:hasInterval' property" in { - responderManager ! DefaultObjectAccessPermissionsStringForPropertyGetADM( - projectIri = SharedTestDataADM.ANYTHING_PROJECT_IRI, - resourceClassIri = "http://www.knora.org/ontology/0001/anything#Thing", - propertyIri = "http://www.knora.org/ontology/0001/anything#hasInterval", - targetUser = SharedTestDataADM.anythingUser2, - requestingUser = KnoraSystemInstances.Users.SystemUser - ) - expectMsg( - DefaultObjectAccessPermissionsStringResponseADM( - "CR knora-admin:Creator|M knora-admin:ProjectMember|V knora-admin:KnownUser|RV knora-admin:UnknownUser")) - } - - "return the default object access permissions 'string' for the 'anything:Thing' class" in { - responderManager ! 
DefaultObjectAccessPermissionsStringForResourceClassGetADM( - projectIri = SharedTestDataADM.ANYTHING_PROJECT_IRI, - resourceClassIri = "http://www.knora.org/ontology/0001/anything#Thing", - targetUser = SharedTestDataADM.anythingUser2, - requestingUser = KnoraSystemInstances.Users.SystemUser - ) - expectMsg( - DefaultObjectAccessPermissionsStringResponseADM( - "CR knora-admin:Creator|M knora-admin:ProjectMember|V knora-admin:KnownUser|RV knora-admin:UnknownUser")) - } - - "return the default object access permissions 'string' for the 'anything:Thing' class and 'anything:hasText' property" in { - responderManager ! DefaultObjectAccessPermissionsStringForPropertyGetADM( - projectIri = SharedTestDataADM.ANYTHING_PROJECT_IRI, - resourceClassIri = "http://www.knora.org/ontology/0001/anything#Thing", - propertyIri = "http://www.knora.org/ontology/0001/anything#hasText", - targetUser = SharedTestDataADM.anythingUser1, - requestingUser = KnoraSystemInstances.Users.SystemUser - ) - expectMsg(DefaultObjectAccessPermissionsStringResponseADM("CR knora-admin:Creator")) - } - - "return the default object access permissions 'string' for the 'images:Bild' class and 'anything:hasText' property" in { - responderManager ! DefaultObjectAccessPermissionsStringForPropertyGetADM( - projectIri = SharedTestDataADM.ANYTHING_PROJECT_IRI, - resourceClassIri = s"${SharedOntologyTestDataADM.IMAGES_ONTOLOGY_IRI}#bild", - propertyIri = "http://www.knora.org/ontology/0001/anything#hasText", - targetUser = SharedTestDataADM.anythingUser2, - requestingUser = KnoraSystemInstances.Users.SystemUser - ) - expectMsg( - DefaultObjectAccessPermissionsStringResponseADM( - "CR knora-admin:Creator|M knora-admin:ProjectMember|V knora-admin:KnownUser|RV knora-admin:UnknownUser")) - } - - "return the default object access permissions 'string' for the 'anything:Thing' resource class for the root user (system admin and not member of project)" in { - responderManager ! 
DefaultObjectAccessPermissionsStringForResourceClassGetADM( - projectIri = SharedTestDataADM.ANYTHING_PROJECT_IRI, - resourceClassIri = "http://www.knora.org/ontology/0001/anything#Thing", - targetUser = SharedTestDataADM.rootUser, - requestingUser = KnoraSystemInstances.Users.SystemUser - ) - expectMsg( - DefaultObjectAccessPermissionsStringResponseADM( - "CR knora-admin:Creator|M knora-admin:ProjectMember|V knora-admin:KnownUser|RV knora-admin:UnknownUser")) - } - - "return a combined and max set of permissions (default object access permissions) defined on the supplied groups (helper method used in queries before)" in { - val groups = List("http://rdfh.ch/groups/images-reviewer", - s"${OntologyConstants.KnoraAdmin.ProjectMember}", - s"${OntologyConstants.KnoraAdmin.ProjectAdmin}") - val expected = Set( - PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.Creator), - PermissionADM.viewPermission(OntologyConstants.KnoraAdmin.KnownUser), - PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.ProjectMember) - ) - val f - : Future[Set[PermissionADM]] = responderUnderTest invokePrivate defaultObjectAccessPermissionsForGroupsGetADM( - SharedTestDataADM.IMAGES_PROJECT_IRI, - groups) - val result: Set[PermissionADM] = Await.result(f, 1.seconds) - result should equal(expected) - } - } - - "ask to get the permission by IRI" should { - "not return the permission if requesting user does not have permission to see it" in { - val permissionIri = perm002_a1.iri - responderManager ! PermissionByIriGetRequestADM( - permissionIri = perm002_a1.iri, - requestingUser = SharedTestDataADM.imagesUser02 - ) - expectMsg( - Failure(ForbiddenException( - s"Permission $permissionIri can only be queried/updated/deleted by system or project admin."))) - } - - "return an administrative permission" in { - responderManager ! 
PermissionByIriGetRequestADM( - permissionIri = perm002_a1.iri, - requestingUser = rootUser - ) - expectMsg(AdministrativePermissionGetResponseADM(perm002_a1.p)) - } - - "return a default object access permission" in { - responderManager ! PermissionByIriGetRequestADM( - permissionIri = perm002_d1.iri, - requestingUser = rootUser - ) - expectMsg(DefaultObjectAccessPermissionGetResponseADM(perm002_d1.p)) + val received: DefaultObjectAccessPermissionCreateResponseADM = + expectMsgType[DefaultObjectAccessPermissionCreateResponseADM] + assert(received.defaultObjectAccessPermission.forProject == SharedTestDataADM.IMAGES_PROJECT_IRI) + assert(received.defaultObjectAccessPermission.forGroup == Some(OntologyConstants.KnoraAdmin.ProjectAdmin)) + assert(received.defaultObjectAccessPermission.hasPermissions.equals(expectedPermissions)) } } +// +// "ask to get all permissions" should { +// +// "return all permissions for 'image' project " in { +// responderManager ! PermissionsForProjectGetRequestADM( +// projectIri = SharedTestDataADM.IMAGES_PROJECT_IRI, +// featureFactoryConfig = defaultFeatureFactoryConfig, +// requestingUser = rootUser, +// apiRequestID = UUID.randomUUID() +// ) +// val received: PermissionsForProjectGetResponseADM = expectMsgType[PermissionsForProjectGetResponseADM] +// received.allPermissions.size should be(8) +// } +// +// "return all permissions for 'incunabula' project " in { +// responderManager ! 
PermissionsForProjectGetRequestADM( +// projectIri = SharedTestDataADM.INCUNABULA_PROJECT_IRI, +// featureFactoryConfig = defaultFeatureFactoryConfig, +// requestingUser = rootUser, +// apiRequestID = UUID.randomUUID() +// ) +// expectMsg( +// PermissionsForProjectGetResponseADM(allPermissions = Set( +// PermissionInfoADM(perm003_a1.iri, OntologyConstants.KnoraAdmin.AdministrativePermission), +// PermissionInfoADM(perm003_a2.iri, OntologyConstants.KnoraAdmin.AdministrativePermission), +// PermissionInfoADM(perm003_d1.iri, OntologyConstants.KnoraAdmin.DefaultObjectAccessPermission), +// PermissionInfoADM(perm003_d2.iri, OntologyConstants.KnoraAdmin.DefaultObjectAccessPermission), +// PermissionInfoADM(perm003_d3.iri, OntologyConstants.KnoraAdmin.DefaultObjectAccessPermission), +// PermissionInfoADM(perm003_d4.iri, OntologyConstants.KnoraAdmin.DefaultObjectAccessPermission), +// PermissionInfoADM(perm003_d5.iri, OntologyConstants.KnoraAdmin.DefaultObjectAccessPermission) +// ))) +// } +// } +// +// "ask for default object access permissions 'string'" should { +// +// "return the default object access permissions 'string' for the 'knora-base:LinkObj' resource class (system resource class)" in { +// responderManager ! DefaultObjectAccessPermissionsStringForResourceClassGetADM( +// projectIri = SharedTestDataADM.INCUNABULA_PROJECT_IRI, +// resourceClassIri = OntologyConstants.KnoraBase.LinkObj, +// targetUser = SharedTestDataADM.incunabulaProjectAdminUser, +// requestingUser = KnoraSystemInstances.Users.SystemUser +// ) +// expectMsg( +// DefaultObjectAccessPermissionsStringResponseADM( +// "M knora-admin:ProjectMember|V knora-admin:KnownUser,knora-admin:UnknownUser")) +// } +// +// "return the default object access permissions 'string' for the 'knora-base:hasStillImageFileValue' property (system property)" in { +// responderManager ! 
DefaultObjectAccessPermissionsStringForPropertyGetADM( +// projectIri = SharedTestDataADM.INCUNABULA_PROJECT_IRI, +// resourceClassIri = OntologyConstants.KnoraBase.StillImageRepresentation, +// propertyIri = OntologyConstants.KnoraBase.HasStillImageFileValue, +// targetUser = SharedTestDataADM.incunabulaProjectAdminUser, +// requestingUser = KnoraSystemInstances.Users.SystemUser +// ) +// expectMsg( +// DefaultObjectAccessPermissionsStringResponseADM( +// "M knora-admin:Creator,knora-admin:ProjectMember|V knora-admin:KnownUser,knora-admin:UnknownUser")) +// } +// +// "return the default object access permissions 'string' for the 'incunabula:book' resource class (project resource class)" in { +// responderManager ! DefaultObjectAccessPermissionsStringForResourceClassGetADM( +// projectIri = SharedTestDataADM.INCUNABULA_PROJECT_IRI, +// resourceClassIri = SharedOntologyTestDataADM.INCUNABULA_BOOK_RESOURCE_CLASS, +// targetUser = SharedTestDataADM.incunabulaProjectAdminUser, +// requestingUser = KnoraSystemInstances.Users.SystemUser +// ) +// expectMsg( +// DefaultObjectAccessPermissionsStringResponseADM( +// "CR knora-admin:Creator|M knora-admin:ProjectMember|V knora-admin:KnownUser|RV knora-admin:UnknownUser")) +// } +// +// "return the default object access permissions 'string' for the 'incunabula:page' resource class (project resource class)" in { +// responderManager ! 
DefaultObjectAccessPermissionsStringForResourceClassGetADM( +// projectIri = SharedTestDataADM.INCUNABULA_PROJECT_IRI, +// resourceClassIri = SharedOntologyTestDataADM.INCUNABULA_PAGE_RESOURCE_CLASS, +// targetUser = SharedTestDataADM.incunabulaProjectAdminUser, +// requestingUser = KnoraSystemInstances.Users.SystemUser +// ) +// expectMsg( +// DefaultObjectAccessPermissionsStringResponseADM( +// "CR knora-admin:Creator|M knora-admin:ProjectMember|V knora-admin:KnownUser|RV knora-admin:UnknownUser")) +// } +// +// "return the default object access permissions 'string' for the 'images:jahreszeit' property" in { +// responderManager ! DefaultObjectAccessPermissionsStringForPropertyGetADM( +// projectIri = SharedTestDataADM.IMAGES_PROJECT_IRI, +// resourceClassIri = s"${SharedOntologyTestDataADM.IMAGES_ONTOLOGY_IRI}#bild", +// propertyIri = s"${SharedOntologyTestDataADM.IMAGES_ONTOLOGY_IRI}#jahreszeit", +// targetUser = SharedTestDataADM.imagesUser01, +// requestingUser = KnoraSystemInstances.Users.SystemUser +// ) +// expectMsg( +// DefaultObjectAccessPermissionsStringResponseADM( +// "CR knora-admin:Creator|M knora-admin:ProjectMember|V knora-admin:KnownUser")) +// } +// +// "return the default object access permissions 'string' for the 'anything:hasInterval' property" in { +// responderManager ! 
DefaultObjectAccessPermissionsStringForPropertyGetADM( +// projectIri = SharedTestDataADM.ANYTHING_PROJECT_IRI, +// resourceClassIri = "http://www.knora.org/ontology/0001/anything#Thing", +// propertyIri = "http://www.knora.org/ontology/0001/anything#hasInterval", +// targetUser = SharedTestDataADM.anythingUser2, +// requestingUser = KnoraSystemInstances.Users.SystemUser +// ) +// expectMsg( +// DefaultObjectAccessPermissionsStringResponseADM( +// "CR knora-admin:Creator|M knora-admin:ProjectMember|V knora-admin:KnownUser|RV knora-admin:UnknownUser")) +// } +// +// "return the default object access permissions 'string' for the 'anything:Thing' class" in { +// responderManager ! DefaultObjectAccessPermissionsStringForResourceClassGetADM( +// projectIri = SharedTestDataADM.ANYTHING_PROJECT_IRI, +// resourceClassIri = "http://www.knora.org/ontology/0001/anything#Thing", +// targetUser = SharedTestDataADM.anythingUser2, +// requestingUser = KnoraSystemInstances.Users.SystemUser +// ) +// expectMsg( +// DefaultObjectAccessPermissionsStringResponseADM( +// "CR knora-admin:Creator|M knora-admin:ProjectMember|V knora-admin:KnownUser|RV knora-admin:UnknownUser")) +// } +// +// "return the default object access permissions 'string' for the 'anything:Thing' class and 'anything:hasText' property" in { +// responderManager ! DefaultObjectAccessPermissionsStringForPropertyGetADM( +// projectIri = SharedTestDataADM.ANYTHING_PROJECT_IRI, +// resourceClassIri = "http://www.knora.org/ontology/0001/anything#Thing", +// propertyIri = "http://www.knora.org/ontology/0001/anything#hasText", +// targetUser = SharedTestDataADM.anythingUser1, +// requestingUser = KnoraSystemInstances.Users.SystemUser +// ) +// expectMsg(DefaultObjectAccessPermissionsStringResponseADM("CR knora-admin:Creator")) +// } +// +// "return the default object access permissions 'string' for the 'images:Bild' class and 'anything:hasText' property" in { +// responderManager ! 
DefaultObjectAccessPermissionsStringForPropertyGetADM( +// projectIri = SharedTestDataADM.ANYTHING_PROJECT_IRI, +// resourceClassIri = s"${SharedOntologyTestDataADM.IMAGES_ONTOLOGY_IRI}#bild", +// propertyIri = "http://www.knora.org/ontology/0001/anything#hasText", +// targetUser = SharedTestDataADM.anythingUser2, +// requestingUser = KnoraSystemInstances.Users.SystemUser +// ) +// expectMsg( +// DefaultObjectAccessPermissionsStringResponseADM( +// "CR knora-admin:Creator|M knora-admin:ProjectMember|V knora-admin:KnownUser|RV knora-admin:UnknownUser")) +// } +// +// "return the default object access permissions 'string' for the 'anything:Thing' resource class for the root user (system admin and not member of project)" in { +// responderManager ! DefaultObjectAccessPermissionsStringForResourceClassGetADM( +// projectIri = SharedTestDataADM.ANYTHING_PROJECT_IRI, +// resourceClassIri = "http://www.knora.org/ontology/0001/anything#Thing", +// targetUser = SharedTestDataADM.rootUser, +// requestingUser = KnoraSystemInstances.Users.SystemUser +// ) +// expectMsg( +// DefaultObjectAccessPermissionsStringResponseADM( +// "CR knora-admin:Creator|M knora-admin:ProjectMember|V knora-admin:KnownUser|RV knora-admin:UnknownUser")) +// } +// +// "return a combined and max set of permissions (default object access permissions) defined on the supplied groups (helper method used in queries before)" in { +// val groups = List("http://rdfh.ch/groups/images-reviewer", +// s"${OntologyConstants.KnoraAdmin.ProjectMember}", +// s"${OntologyConstants.KnoraAdmin.ProjectAdmin}") +// val expected = Set( +// PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.Creator), +// PermissionADM.viewPermission(OntologyConstants.KnoraAdmin.KnownUser), +// PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.ProjectMember) +// ) +// val f +// : Future[Set[PermissionADM]] = responderUnderTest invokePrivate defaultObjectAccessPermissionsForGroupsGetADM( +// 
SharedTestDataADM.IMAGES_PROJECT_IRI, +// groups) +// val result: Set[PermissionADM] = Await.result(f, 1.seconds) +// result should equal(expected) +// } +// } +// +// "ask to get the permission by IRI" should { +// "not return the permission if requesting user does not have permission to see it" in { +// val permissionIri = perm002_a1.iri +// responderManager ! PermissionByIriGetRequestADM( +// permissionIri = perm002_a1.iri, +// requestingUser = SharedTestDataADM.imagesUser02 +// ) +// expectMsg( +// Failure(ForbiddenException( +// s"Permission $permissionIri can only be queried/updated/deleted by system or project admin."))) +// } +// +// "return an administrative permission" in { +// responderManager ! PermissionByIriGetRequestADM( +// permissionIri = perm002_a1.iri, +// requestingUser = rootUser +// ) +// expectMsg(AdministrativePermissionGetResponseADM(perm002_a1.p)) +// } +// +// "return a default object access permission" in { +// responderManager ! PermissionByIriGetRequestADM( +// permissionIri = perm002_d1.iri, +// requestingUser = rootUser +// ) +// expectMsg(DefaultObjectAccessPermissionGetResponseADM(perm002_d1.p)) +// } +// } +// +// "ask to update group of a permission" should { +// "update group of an administrative permission" in { +// val permissionIri = "http://rdfh.ch/permissions/00FF/a2" +// val newGroupIri = "http://rdfh.ch/groups/00FF/images-reviewer" +// responderManager ! 
PermissionChangeGroupRequestADM( +// permissionIri = permissionIri, +// changePermissionGroupRequest = ChangePermissionGroupApiRequestADM( +// forGroup = newGroupIri +// ), +// requestingUser = rootUser, +// apiRequestID = UUID.randomUUID() +// ) +// val received: AdministrativePermissionGetResponseADM = expectMsgType[AdministrativePermissionGetResponseADM] +// val ap = received.administrativePermission +// assert(ap.iri == permissionIri) +// assert(ap.forGroup == newGroupIri) +// } +// +// "throw ForbiddenException for PermissionChangeGroupRequestADM if requesting user is not system or project Admin" in { +// val permissionIri = "http://rdfh.ch/permissions/00FF/a2" +// val newGroupIri = "http://rdfh.ch/groups/00FF/images-reviewer" +// responderManager ! PermissionChangeGroupRequestADM( +// permissionIri = permissionIri, +// changePermissionGroupRequest = ChangePermissionGroupApiRequestADM( +// forGroup = newGroupIri +// ), +// requestingUser = SharedTestDataADM.imagesUser02, +// apiRequestID = UUID.randomUUID() +// ) +// expectMsg( +// Failure(ForbiddenException( +// s"Permission $permissionIri can only be queried/updated/deleted by system or project admin."))) +// } +// +// "update group of a default object access permission" in { +// val permissionIri = "http://rdfh.ch/permissions/00FF/d1" +// val newGroupIri = "http://rdfh.ch/groups/00FF/images-reviewer" +// responderManager ! 
PermissionChangeGroupRequestADM( +// permissionIri = permissionIri, +// changePermissionGroupRequest = ChangePermissionGroupApiRequestADM( +// forGroup = newGroupIri +// ), +// requestingUser = rootUser, +// apiRequestID = UUID.randomUUID() +// ) +// val received: DefaultObjectAccessPermissionGetResponseADM = +// expectMsgType[DefaultObjectAccessPermissionGetResponseADM] +// val doap = received.defaultObjectAccessPermission +// assert(doap.iri == permissionIri) +// assert(doap.forGroup.get == newGroupIri) +// } +// +// "update group of a default object access permission, resource class must be deleted" in { +// val permissionIri = "http://rdfh.ch/permissions/0803/003-d2" +// val newGroupIri = "http://www.knora.org/ontology/knora-admin#ProjectMember" +// responderManager ! PermissionChangeGroupRequestADM( +// permissionIri = permissionIri, +// changePermissionGroupRequest = ChangePermissionGroupApiRequestADM( +// forGroup = newGroupIri +// ), +// requestingUser = rootUser, +// apiRequestID = UUID.randomUUID() +// ) +// val received: DefaultObjectAccessPermissionGetResponseADM = +// expectMsgType[DefaultObjectAccessPermissionGetResponseADM] +// val doap = received.defaultObjectAccessPermission +// assert(doap.iri == permissionIri) +// assert(doap.forGroup.get == newGroupIri) +// assert(doap.forResourceClass.isEmpty) +// } +// +// "update group of a default object access permission, property must be deleted" in { +// val permissionIri = "http://rdfh.ch/permissions/0000/001-d3" +// val newGroupIri = "http://www.knora.org/ontology/knora-admin#ProjectMember" +// responderManager ! 
PermissionChangeGroupRequestADM( +// permissionIri = permissionIri, +// changePermissionGroupRequest = ChangePermissionGroupApiRequestADM( +// forGroup = newGroupIri +// ), +// requestingUser = rootUser, +// apiRequestID = UUID.randomUUID() +// ) +// val received: DefaultObjectAccessPermissionGetResponseADM = +// expectMsgType[DefaultObjectAccessPermissionGetResponseADM] +// val doap = received.defaultObjectAccessPermission +// assert(doap.iri == permissionIri) +// assert(doap.forGroup.get == newGroupIri) +// assert(doap.forProperty.isEmpty) +// } +// } - "ask to update group of a permission" should { - "update group of an administrative permission" in { + "ask to update hasPermissions of a permission" should { +// "throw ForbiddenException for PermissionChangeHasPermissionsRequestADM if requesting user is not system or project Admin" in { +// val permissionIri = "http://rdfh.ch/permissions/00FF/a2" +// val hasPermissions = Set(PermissionADM.ProjectResourceCreateAllPermission) +// +// responderManager ! PermissionChangeHasPermissionsRequestADM( +// permissionIri = permissionIri, +// changePermissionHasPermissionsRequest = ChangePermissionHasPermissionsApiRequestADM( +// hasPermissions = hasPermissions +// ), +// requestingUser = SharedTestDataADM.imagesUser02, +// apiRequestID = UUID.randomUUID() +// ) +// expectMsg( +// Failure(ForbiddenException( +// s"Permission $permissionIri can only be queried/updated/deleted by system or project admin."))) +// } +// +// "update hasPermissions of an administrative permission" in { +// val permissionIri = "http://rdfh.ch/permissions/00FF/a2" +// val hasPermissions = Set(PermissionADM.ProjectResourceCreateAllPermission) +// +// responderManager ! 
PermissionChangeHasPermissionsRequestADM( +// permissionIri = permissionIri, +// changePermissionHasPermissionsRequest = ChangePermissionHasPermissionsApiRequestADM( +// hasPermissions = hasPermissions +// ), +// requestingUser = rootUser, +// apiRequestID = UUID.randomUUID() +// ) +// val received: AdministrativePermissionGetResponseADM = expectMsgType[AdministrativePermissionGetResponseADM] +// val ap = received.administrativePermission +// assert(ap.iri == permissionIri) +// ap.hasPermissions.size should be(1) +// assert(ap.hasPermissions.equals(hasPermissions)) +// } + + "ignore irrelevant parameters given in ChangePermissionHasPermissionsApiRequestADM for an administrative permission" in { val permissionIri = "http://rdfh.ch/permissions/00FF/a2" - val newGroupIri = "http://rdfh.ch/groups/00FF/images-reviewer" - responderManager ! PermissionChangeGroupRequestADM( + val hasPermissions = Set( + PermissionADM( + name = OntologyConstants.KnoraAdmin.ProjectAdminAllPermission, + additionalInformation = Some("aIRI"), + permissionCode = Some(1) + )) + responderManager ! PermissionChangeHasPermissionsRequestADM( permissionIri = permissionIri, - changePermissionGroupRequest = ChangePermissionGroupApiRequestADM( - forGroup = newGroupIri + changePermissionHasPermissionsRequest = ChangePermissionHasPermissionsApiRequestADM( + hasPermissions = hasPermissions ), requestingUser = rootUser, apiRequestID = UUID.randomUUID() 
@@ -805,32 +1027,22 @@ class PermissionsResponderADMSpec val received: AdministrativePermissionGetResponseADM = expectMsgType[AdministrativePermissionGetResponseADM] val ap = received.administrativePermission assert(ap.iri == permissionIri) - assert(ap.forGroup == newGroupIri) + ap.hasPermissions.size should be(1) + val expectedSetOfPermissions = Set(PermissionADM.ProjectAdminAllPermission) + assert(ap.hasPermissions.equals(expectedSetOfPermissions)) } - "throw ForbiddenException for PermissionChangeGroupRequestADM if requesting user is not system or project Admin" in { - val permissionIri = "http://rdfh.ch/permissions/00FF/a2" - val newGroupIri = "http://rdfh.ch/groups/00FF/images-reviewer" - responderManager ! PermissionChangeGroupRequestADM( - permissionIri = permissionIri, - changePermissionGroupRequest = ChangePermissionGroupApiRequestADM( - forGroup = newGroupIri - ), - requestingUser = SharedTestDataADM.imagesUser02, - apiRequestID = UUID.randomUUID() + "update hasPermissions of a default object access permission" in { + val permissionIri = "http://rdfh.ch/permissions/0803/003-d1" + val hasPermissions = Set( + PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.Creator), + PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.ProjectMember) ) - expectMsg( - Failure(ForbiddenException( - s"Permission $permissionIri can only be queried/updated/deleted by system or project admin."))) - } - "update group of a default object access permission" in { - val permissionIri = "http://rdfh.ch/permissions/00FF/d1" - val newGroupIri = "http://rdfh.ch/groups/00FF/images-reviewer" - responderManager ! PermissionChangeGroupRequestADM( + responderManager ! 
PermissionChangeHasPermissionsRequestADM( permissionIri = permissionIri, - changePermissionGroupRequest = ChangePermissionGroupApiRequestADM( - forGroup = newGroupIri + changePermissionHasPermissionsRequest = ChangePermissionHasPermissionsApiRequestADM( + hasPermissions = hasPermissions ), requestingUser = rootUser, apiRequestID = UUID.randomUUID() @@ -839,16 +1051,30 @@ class PermissionsResponderADMSpec expectMsgType[DefaultObjectAccessPermissionGetResponseADM] val doap = received.defaultObjectAccessPermission assert(doap.iri == permissionIri) - assert(doap.forGroup.get == newGroupIri) + doap.hasPermissions.size should be(2) + assert(doap.hasPermissions.equals(hasPermissions)) } - "update group of a default object access permission, resource class must be deleted" in { - val permissionIri = "http://rdfh.ch/permissions/0803/003-d2" - val newGroupIri = "http://www.knora.org/ontology/knora-admin#ProjectMember" - responderManager ! PermissionChangeGroupRequestADM( + "add missing name of the permission, if permissionCode of permission was given in hasPermissions of a default object access permission" in { + val permissionIri = "http://rdfh.ch/permissions/0803/003-d1" + val hasPermissions = Set( + PermissionADM( + name = "", + additionalInformation = Some(OntologyConstants.KnoraAdmin.Creator), + permissionCode = Some(8) + )) + + val expectedHasPermissions = Set( + PermissionADM( + name = OntologyConstants.KnoraBase.ChangeRightsPermission, + additionalInformation = Some(OntologyConstants.KnoraAdmin.Creator), + permissionCode = Some(8) + )) + + responderManager ! PermissionChangeHasPermissionsRequestADM( permissionIri = permissionIri, - changePermissionGroupRequest = ChangePermissionGroupApiRequestADM( - forGroup = newGroupIri + changePermissionHasPermissionsRequest = ChangePermissionHasPermissionsApiRequestADM( + hasPermissions = hasPermissions ), requestingUser = rootUser, apiRequestID = UUID.randomUUID() 
@@ -857,17 +1083,29 @@ class PermissionsResponderADMSpec expectMsgType[DefaultObjectAccessPermissionGetResponseADM] val doap = received.defaultObjectAccessPermission assert(doap.iri == permissionIri) - assert(doap.forGroup.get == newGroupIri) - assert(doap.forResourceClass.isEmpty) + assert(doap.hasPermissions.equals(expectedHasPermissions)) } - "update group of a default object access permission, property must be deleted" in { - val permissionIri = "http://rdfh.ch/permissions/0000/001-d3" - val newGroupIri = "http://www.knora.org/ontology/knora-admin#ProjectMember" - responderManager ! PermissionChangeGroupRequestADM( + "add missing permissionCode of the permission, if name of permission was given in hasPermissions of a default object access permission" in { + val permissionIri = "http://rdfh.ch/permissions/0803/003-d1" + val hasPermissions = Set( + PermissionADM( + name = OntologyConstants.KnoraBase.DeletePermission, + additionalInformation = Some(OntologyConstants.KnoraAdmin.ProjectAdmin), + permissionCode = None + )) + + val expectedHasPermissions = Set( + PermissionADM( + name = OntologyConstants.KnoraBase.DeletePermission, + additionalInformation = Some(OntologyConstants.KnoraAdmin.ProjectAdmin), + permissionCode = Some(7) + )) + + responderManager ! PermissionChangeHasPermissionsRequestADM( permissionIri = permissionIri, - changePermissionGroupRequest = ChangePermissionGroupApiRequestADM( - forGroup = newGroupIri + changePermissionHasPermissionsRequest = ChangePermissionHasPermissionsApiRequestADM( + hasPermissions = hasPermissions ), requestingUser = rootUser, apiRequestID = UUID.randomUUID() 
@@ -876,31 +1114,42 @@ class PermissionsResponderADMSpec expectMsgType[DefaultObjectAccessPermissionGetResponseADM] val doap = received.defaultObjectAccessPermission assert(doap.iri == permissionIri) - assert(doap.forGroup.get == newGroupIri) - assert(doap.forProperty.isEmpty) + assert(doap.hasPermissions.equals(expectedHasPermissions)) } - } - "ask to update hasPermissions of a permission" should { - "throw ForbiddenException for PermissionChangeHasPermissionsRequestADM if requesting user is not system or project Admin" in { - val permissionIri = "http://rdfh.ch/permissions/00FF/a2" - val hasPermissions = Set(PermissionADM.ProjectResourceCreateAllPermission) + "not update hasPermissions of a default object access permission, if both name and project code of a permission were missing" in { + val permissionIri = "http://rdfh.ch/permissions/0803/003-d1" + val code = 1 + val name = OntologyConstants.KnoraBase.DeletePermission + val hasPermissions = Set( + PermissionADM( + name = name, + additionalInformation = Some(OntologyConstants.KnoraAdmin.ProjectAdmin), + permissionCode = Some(code) + )) responderManager ! 
PermissionChangeHasPermissionsRequestADM( permissionIri = permissionIri, changePermissionHasPermissionsRequest = ChangePermissionHasPermissionsApiRequestADM( hasPermissions = hasPermissions ), - requestingUser = SharedTestDataADM.imagesUser02, + requestingUser = rootUser, apiRequestID = UUID.randomUUID() ) expectMsg( - Failure(ForbiddenException( - s"Permission $permissionIri can only be queried/updated/deleted by system or project admin."))) + Failure(BadRequestException(s"Given permission code $code and permission name $name are not consistent."))) + } - "update hasPermissions of an administrative permission" in { - val permissionIri = "http://rdfh.ch/permissions/00FF/a2" - val hasPermissions = Set(PermissionADM.ProjectResourceCreateAllPermission) + + "not update hasPermissions of a default object access permission, if an invalid name was given for a permission" in { + val permissionIri = "http://rdfh.ch/permissions/0803/003-d1" + val name = "invalidName" + val hasPermissions = Set( + PermissionADM( + name = name, + additionalInformation = Some(OntologyConstants.KnoraAdmin.ProjectAdmin), + permissionCode = None + )) responderManager ! PermissionChangeHasPermissionsRequestADM( permissionIri = permissionIri, 
@@ -910,19 +1159,47 @@ class PermissionsResponderADMSpec requestingUser = rootUser, apiRequestID = UUID.randomUUID() ) - val received: AdministrativePermissionGetResponseADM = expectMsgType[AdministrativePermissionGetResponseADM] - val ap = received.administrativePermission - assert(ap.iri == permissionIri) - ap.hasPermissions.size should be(1) - assert(ap.hasPermissions.equals(hasPermissions)) + expectMsg( + Failure( + BadRequestException(s"Invalid value for name parameter of hasPermissions: $name, it should be one of " + + s"${EntityPermissionAbbreviations.toString}"))) + } - "update hasPermissions of a default object access permission" in { + "not update hasPermissions of a default object access permission, if an invalid code was given for a permission" in { val permissionIri = "http://rdfh.ch/permissions/0803/003-d1" + val code = 10 val hasPermissions = Set( - PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.Creator), - PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.ProjectMember) + PermissionADM( + name = OntologyConstants.KnoraBase.DeletePermission, + additionalInformation = Some(OntologyConstants.KnoraAdmin.ProjectAdmin), + permissionCode = Some(code) + )) + + responderManager ! 
PermissionChangeHasPermissionsRequestADM( + permissionIri = permissionIri, + changePermissionHasPermissionsRequest = ChangePermissionHasPermissionsApiRequestADM( + hasPermissions = hasPermissions + ), + requestingUser = rootUser, + apiRequestID = UUID.randomUUID() ) + expectMsg( + Failure( + BadRequestException( + s"Invalid value for permissionCode parameter of hasPermissions: $code, it should be one of " + + s"${PermissionTypeAndCodes.values.toString}"))) + + } + + "not update hasPermissions of a default object access permission, if given name and project code are not consistent" in { + val permissionIri = "http://rdfh.ch/permissions/0803/003-d1" + val hasPermissions = Set( + PermissionADM( + name = "", + additionalInformation = Some(OntologyConstants.KnoraAdmin.ProjectAdmin), + permissionCode = None + )) responderManager ! PermissionChangeHasPermissionsRequestADM( permissionIri = permissionIri, @@ -932,12 +1209,10 @@ class PermissionsResponderADMSpec requestingUser = rootUser, apiRequestID = UUID.randomUUID() ) - val received: DefaultObjectAccessPermissionGetResponseADM = - expectMsgType[DefaultObjectAccessPermissionGetResponseADM] - val doap = received.defaultObjectAccessPermission - assert(doap.iri == permissionIri) - doap.hasPermissions.size should be(2) - assert(doap.hasPermissions.equals(hasPermissions)) + expectMsg( + Failure(BadRequestException( + s"One of permission code or permission name must be provided for a default object access permission."))) + } } "ask to update resource class of a permission" should {
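Review bot: The first PermissionsResponderADMSpec hunk adds the "ask to get the permission by IRI" and "ask to update group of a permission" blocks, and the first two cases of "ask to update hasPermissions of a permission", as `//`-commented code, so none of them run. That covers every ForbiddenException case for `SharedTestDataADM.imagesUser02` visible in this diff, which leaves the "can only be queried/updated/deleted by system or project admin" check without an active test for get, change-group and change-hasPermissions requests. Remove the comment markers before merging, or explain in the commit message why these tests have to stay disabled.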
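Review bot: In the `@@ -876,31 +1114,42 @@` hunk the test titled "not update hasPermissions of a default object access permission, if both name and project code of a permission were missing" does not match its body: it sends `code = 1` with `name = OntologyConstants.KnoraBase.DeletePermission` and expects "Given permission code $code and permission name $name are not consistent." The later test titled "... if given name and project code are not consistent" sends `name = ""` with `permissionCode = None` and expects "One of permission code or permission name must be provided ...". The two titles are swapped; exchange them, and write "permission code" rather than "project code" in both.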
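Review bot: In the `@@ -910,19 +1159,47 @@` hunk the expected BadRequestException texts are assembled from `EntityPermissionAbbreviations.toString` and `PermissionTypeAndCodes.values.toString`, so both assertions depend on how a collection happens to print itself, and the tests expect that same rendering in the error returned to the caller. Format the allowed values explicitly where the message is built (for example with `mkString(", ")`) and assert on that, so a change of collection type does not alter the error text or break the tests.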
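Review bot: In the `@@ -932,12 +1209,10 @@` hunk the expected message `s"One of permission code or permission name must be provided for a default object access permission."` uses the `s` interpolator with nothing to interpolate; make it a plain string literal. The blank `+` line before the closing brace of that test can go as well.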