Closes #245: admin group undeletable + admin can see all

2025-12-18 12:11:40 +00:00 · 2018-10-18 18:57:06 +02:00
parent 58af2b00cb
commit 0c257b763d
10 changed files with 67 additions and 28 deletions
--- a/docs-web/src/test/java/com/sismics/docs/rest/TestGroupResource.java
+++ b/docs-web/src/test/java/com/sismics/docs/rest/TestGroupResource.java
@@ -1,17 +1,16 @@
 package com.sismics.docs.rest;

-import java.util.ArrayList;
-import java.util.List;
+import com.sismics.util.filter.TokenBasedSecurityFilter;
+import org.junit.Assert;
+import org.junit.Test;

 import javax.json.JsonArray;
 import javax.json.JsonObject;
 import javax.ws.rs.client.Entity;
 import javax.ws.rs.core.Form;
-
-import org.junit.Assert;
-import org.junit.Test;
-
-import com.sismics.util.filter.TokenBasedSecurityFilter;
+import javax.ws.rs.core.Response;
+import java.util.ArrayList;
+import java.util.List;


 /**
@@ -167,6 +166,15 @@ public class TestGroupResource extends BaseJerseyTest {
        target().path("/group/g1").request()
                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
                .delete(JsonObject.class);
+
+        // Delete group administrators
+        Response response = target().path("/group/administrators").request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
+                .delete();
+        Assert.assertEquals(Response.Status.BAD_REQUEST, Response.Status.fromStatusCode(response.getStatus()));
+        json = response.readEntity(JsonObject.class);
+        Assert.assertEquals("ForbiddenError", json.getString("type"));
+        Assert.assertEquals("The administrators group cannot be deleted", json.getString("message"));
        
        // Check group1 groups (all computed groups)
        json = target().path("/user").request()
--- a/docs-web/src/test/java/com/sismics/docs/rest/TestRouteResource.java
+++ b/docs-web/src/test/java/com/sismics/docs/rest/TestRouteResource.java
@@ -216,7 +216,7 @@ public class TestRouteResource extends BaseJerseyTest {
                        .param("documentId", document1Id)
                        .param("transition", "APPROVED")), JsonObject.class);
        Assert.assertFalse(json.containsKey("route_step"));
-        Assert.assertFalse(json.getBoolean("readable"));
+        Assert.assertTrue(json.getBoolean("readable")); // Admin can read everything
        Assert.assertTrue(popEmail().contains("workflow step"));

        // Get the route on document 1
@@ -239,10 +239,9 @@ public class TestRouteResource extends BaseJerseyTest {
        Assert.assertEquals("APPROVED", step.getString("transition"));

        // Get document 1 as admin
-        Response response = target().path("/document/" + document1Id).request()
+        target().path("/document/" + document1Id).request()
                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
-                .get();
-        Assert.assertEquals(Response.Status.NOT_FOUND, Response.Status.fromStatusCode(response.getStatus()));
+                .get(JsonObject.class);

        // Get document 1 as route1
        json = target().path("/document/" + document1Id).request()
@@ -265,7 +264,7 @@ public class TestRouteResource extends BaseJerseyTest {
                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
                .get(JsonObject.class);
        documents = json.getJsonArray("documents");
-        Assert.assertEquals(0, documents.size());
+        Assert.assertEquals(1, documents.size()); // Admin can read all documents

        // Start the default route on document 1
        target().path("/route/start").request()
@@ -282,7 +281,7 @@ public class TestRouteResource extends BaseJerseyTest {
        Assert.assertTrue(json.containsKey("route_step"));

        // Get document 1 as admin
-        response = target().path("/document/" + document1Id).request()
+        Response response = target().path("/document/" + document1Id).request()
                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
                .get();
        Assert.assertEquals(Response.Status.OK, Response.Status.fromStatusCode(response.getStatus()));
@@ -328,10 +327,9 @@ public class TestRouteResource extends BaseJerseyTest {
        Assert.assertFalse(json.containsKey("route_step"));

        // Get document 1 as admin
-        response = target().path("/document/" + document1Id).request()
+        target().path("/document/" + document1Id).request()
                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
-                .get();
-        Assert.assertEquals(Response.Status.NOT_FOUND, Response.Status.fromStatusCode(response.getStatus()));
+                .get(JsonObject.class); // Admin can see all documents

        // List all documents with route1
        json = target().path("/document/list")
@@ -348,7 +346,7 @@ public class TestRouteResource extends BaseJerseyTest {
                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
                .get(JsonObject.class);
        documents = json.getJsonArray("documents");
-        Assert.assertEquals(0, documents.size());
+        Assert.assertEquals(1, documents.size());
    }

    /**