Closes #245: admin group undeletable + admin can see all

docs-web/src/main/java/com/sismics/docs/rest/resource/DocumentResource.java

@@ -377,7 +377,7 @@ public class DocumentResource extends BaseResource {
         }
 
         for (DocumentDto documentDto : paginatedList.getResultList()) {
-            // Get tags added by the current user on this document
+            // Get tags accessible by the current user on this document
             List<TagDto> tagDtoList = tagDao.findByCriteria(new TagCriteria()
                     .setTargetIdList(getTargetIdList(null))
                     .setDocumentId(documentDto.getId()), new SortCriteria(1, true));

docs-web/src/main/java/com/sismics/docs/rest/resource/GroupResource.java

@@ -1,7 +1,9 @@
 package com.sismics.docs.rest.resource;
 
 import com.google.common.base.Strings;
+import com.google.common.collect.Sets;
 import com.sismics.docs.core.dao.GroupDao;
+import com.sismics.docs.core.dao.RoleBaseFunctionDao;
 import com.sismics.docs.core.dao.UserDao;
 import com.sismics.docs.core.dao.criteria.GroupCriteria;
 import com.sismics.docs.core.dao.criteria.UserCriteria;
@@ -24,6 +26,7 @@ import javax.ws.rs.*;
 import javax.ws.rs.core.Response;
 import java.text.MessageFormat;
 import java.util.List;
+import java.util.Set;
 
 /**
  * Group REST resources.
@@ -185,6 +188,15 @@ public class GroupResource extends BaseResource {
         if (group == null) {
             throw new NotFoundException();
         }
+
+        // Ensure that the admin group is not deleted
+        if (group.getRoleId() != null) {
+            RoleBaseFunctionDao roleBaseFunctionDao = new RoleBaseFunctionDao();
+            Set<String> baseFunctionSet = roleBaseFunctionDao.findByRoleId(Sets.newHashSet(group.getRoleId()));
+            if (baseFunctionSet.contains(BaseFunction.ADMIN.name())) {
+                throw new ClientException("ForbiddenError", "The administrators group cannot be deleted");
+            }
+        }
         
         // Delete the group
         groupDao.delete(group.getId(), principal.getId());

docs-web/src/main/java/com/sismics/docs/rest/resource/UserResource.java

@@ -445,7 +445,7 @@ public class UserResource extends BaseResource {
             throw new ForbiddenClientException();
         }
         
-        // Ensure that the admin user is not deleted
+        // Ensure that the admin or guest users are not deleted
         if (hasBaseFunction(BaseFunction.ADMIN) || principal.isGuest()) {
             throw new ClientException("ForbiddenError", "This user cannot be deleted");
         }
@@ -519,8 +519,8 @@ public class UserResource extends BaseResource {
         }
         
         // Ensure that the admin user is not deleted
-        RoleBaseFunctionDao userBaseFuction = new RoleBaseFunctionDao();
-        Set<String> baseFunctionSet = userBaseFuction.findByRoleId(Sets.newHashSet(user.getRoleId()));
+        RoleBaseFunctionDao roleBaseFunctionDao = new RoleBaseFunctionDao();
+        Set<String> baseFunctionSet = roleBaseFunctionDao.findByRoleId(Sets.newHashSet(user.getRoleId()));
         if (baseFunctionSet.contains(BaseFunction.ADMIN.name())) {
             throw new ClientException("ForbiddenError", "The admin user cannot be deleted");
         }

docs-web/src/test/java/com/sismics/docs/rest/TestGroupResource.java

@@ -1,17 +1,16 @@
 package com.sismics.docs.rest;
 
-import java.util.ArrayList;
-import java.util.List;
+import com.sismics.util.filter.TokenBasedSecurityFilter;
+import org.junit.Assert;
+import org.junit.Test;
 
 import javax.json.JsonArray;
 import javax.json.JsonObject;
 import javax.ws.rs.client.Entity;
 import javax.ws.rs.core.Form;
-
-import org.junit.Assert;
-import org.junit.Test;
-
-import com.sismics.util.filter.TokenBasedSecurityFilter;
+import javax.ws.rs.core.Response;
+import java.util.ArrayList;
+import java.util.List;
 
 
 /**
@@ -167,6 +166,15 @@ public class TestGroupResource extends BaseJerseyTest {
         target().path("/group/g1").request()
                 .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
                 .delete(JsonObject.class);
+
+        // Delete group administrators
+        Response response = target().path("/group/administrators").request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
+                .delete();
+        Assert.assertEquals(Response.Status.BAD_REQUEST, Response.Status.fromStatusCode(response.getStatus()));
+        json = response.readEntity(JsonObject.class);
+        Assert.assertEquals("ForbiddenError", json.getString("type"));
+        Assert.assertEquals("The administrators group cannot be deleted", json.getString("message"));
         
         // Check group1 groups (all computed groups)
         json = target().path("/user").request()

docs-web/src/test/java/com/sismics/docs/rest/TestRouteResource.java

@@ -216,7 +216,7 @@ public class TestRouteResource extends BaseJerseyTest {
                         .param("documentId", document1Id)
                         .param("transition", "APPROVED")), JsonObject.class);
         Assert.assertFalse(json.containsKey("route_step"));
-        Assert.assertFalse(json.getBoolean("readable"));
+        Assert.assertTrue(json.getBoolean("readable")); // Admin can read everything
         Assert.assertTrue(popEmail().contains("workflow step"));
 
         // Get the route on document 1
@@ -239,10 +239,9 @@ public class TestRouteResource extends BaseJerseyTest {
         Assert.assertEquals("APPROVED", step.getString("transition"));
 
         // Get document 1 as admin
-        Response response = target().path("/document/" + document1Id).request()
+        target().path("/document/" + document1Id).request()
                 .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
-                .get();
-        Assert.assertEquals(Response.Status.NOT_FOUND, Response.Status.fromStatusCode(response.getStatus()));
+                .get(JsonObject.class);
 
         // Get document 1 as route1
         json = target().path("/document/" + document1Id).request()
@@ -265,7 +264,7 @@ public class TestRouteResource extends BaseJerseyTest {
                 .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
                 .get(JsonObject.class);
         documents = json.getJsonArray("documents");
-        Assert.assertEquals(0, documents.size());
+        Assert.assertEquals(1, documents.size()); // Admin can read all documents
 
         // Start the default route on document 1
         target().path("/route/start").request()
@@ -282,7 +281,7 @@ public class TestRouteResource extends BaseJerseyTest {
         Assert.assertTrue(json.containsKey("route_step"));
 
         // Get document 1 as admin
-        response = target().path("/document/" + document1Id).request()
+        Response response = target().path("/document/" + document1Id).request()
                 .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
                 .get();
         Assert.assertEquals(Response.Status.OK, Response.Status.fromStatusCode(response.getStatus()));
@@ -328,10 +327,9 @@ public class TestRouteResource extends BaseJerseyTest {
         Assert.assertFalse(json.containsKey("route_step"));
 
         // Get document 1 as admin
-        response = target().path("/document/" + document1Id).request()
+        target().path("/document/" + document1Id).request()
                 .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
-                .get();
-        Assert.assertEquals(Response.Status.NOT_FOUND, Response.Status.fromStatusCode(response.getStatus()));
+                .get(JsonObject.class); // Admin can see all documents
 
         // List all documents with route1
         json = target().path("/document/list")
@@ -348,7 +346,7 @@ public class TestRouteResource extends BaseJerseyTest {
                 .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
                 .get(JsonObject.class);
         documents = json.getJsonArray("documents");
-        Assert.assertEquals(0, documents.size());
+        Assert.assertEquals(1, documents.size());
     }
 
     /**