LayerManager · jirik · Dec 20, 2023 · Dec 18, 2023 · Dec 18, 2023 · Dec 18, 2023
diff --git a/src/layman/common/prime_db_schema/publications.py b/src/layman/common/prime_db_schema/publications.py
@@ -394,7 +394,12 @@ def who_can_write_can_read(can_read, can_write):
 
 
 def i_can_still_write(actor_name, can_write):
-    if ROLE_EVERYONE not in can_write and actor_name not in can_write:
+    if ROLE_EVERYONE not in can_write and (
+            (not actor_name) or (
+                actor_name not in can_write
+                and not any(role in can_write for role in role_service.get_user_roles(actor_name))
+            )
+    ):
         raise LaymanError(43, f'After the operation, the actor has to have write right.')
 
 

diff --git a/src/layman/common/prime_db_schema/publications_test.py b/src/layman/common/prime_db_schema/publications_test.py
@@ -3,7 +3,7 @@
 
 from layman import settings, app as app, LaymanError
 from layman.map import MAP_TYPE
-from test_tools.role_service import ensure_role, delete_role
+from test_tools.role_service import ensure_role, delete_role, ensure_user_role, delete_user_role
 from . import publications, workspaces, users
 
 DB_SCHEMA = settings.LAYMAN_PRIME_SCHEMA
@@ -121,110 +121,135 @@ def test_at_least_one_can_write():
     assert exc_info.value.code == 43
 
 
-def test_who_can_write_can_read():
-    workspace_name = 'test_who_can_write_can_read_workspace'
+class TestWhoCanWriteCanRead:
     username = 'test_who_can_write_can_read_user'
+    username2 = 'test_who_can_write_can_read_user2'
+    role1 = 'test_who_can_write_can_read_role1'
+    role2 = 'test_who_can_write_can_read_role2'
 
-    publications.who_can_write_can_read(set(), set())
-    publications.who_can_write_can_read({username, }, {username, })
-    publications.who_can_write_can_read({username, workspace_name}, {username, })
-    publications.who_can_write_can_read({username, settings.RIGHTS_EVERYONE_ROLE}, {username, })
-    publications.who_can_write_can_read({username, settings.RIGHTS_EVERYONE_ROLE}, {username, settings.RIGHTS_EVERYONE_ROLE, })
-    publications.who_can_write_can_read({settings.RIGHTS_EVERYONE_ROLE, }, {settings.RIGHTS_EVERYONE_ROLE, })
-    publications.who_can_write_can_read({settings.RIGHTS_EVERYONE_ROLE, }, {settings.RIGHTS_EVERYONE_ROLE, username, })
-    publications.who_can_write_can_read({settings.RIGHTS_EVERYONE_ROLE, }, {settings.RIGHTS_EVERYONE_ROLE, workspace_name, })
-    publications.who_can_write_can_read({settings.RIGHTS_EVERYONE_ROLE, username, }, {settings.RIGHTS_EVERYONE_ROLE, })
-    publications.who_can_write_can_read({settings.RIGHTS_EVERYONE_ROLE, username, }, set())
-    publications.who_can_write_can_read({workspace_name, }, {workspace_name, })
-    publications.who_can_write_can_read({'ROLE1'}, {'ROLE1'})
-    publications.who_can_write_can_read({settings.RIGHTS_EVERYONE_ROLE}, {'ROLE1'})
-
-    with pytest.raises(LaymanError) as exc_info:
-        publications.who_can_write_can_read(set(), {workspace_name, })
-    assert exc_info.value.code == 43
-
-    with pytest.raises(LaymanError) as exc_info:
-        publications.who_can_write_can_read(set(), {username, })
-    assert exc_info.value.code == 43
-
-    with pytest.raises(LaymanError) as exc_info:
-        publications.who_can_write_can_read(set(), {settings.RIGHTS_EVERYONE_ROLE, })
-    assert exc_info.value.code == 43
-
-    with pytest.raises(LaymanError) as exc_info:
-        publications.who_can_write_can_read({username}, {settings.RIGHTS_EVERYONE_ROLE, })
-    assert exc_info.value.code == 43
-
-    with pytest.raises(LaymanError) as exc_info:
-        publications.who_can_write_can_read({username}, {workspace_name, })
-    assert exc_info.value.code == 43
-
-    with pytest.raises(LaymanError) as exc_info:
-        publications.who_can_write_can_read({username}, {'ROLE1'})
-    assert exc_info.value.code == 43
-
-    with pytest.raises(LaymanError) as exc_info:
-        publications.who_can_write_can_read({'ROLE2'}, {'ROLE1'})
-    assert exc_info.value.code == 43
-
-    with pytest.raises(LaymanError) as exc_info:
-        publications.who_can_write_can_read({'ROLE2'}, {settings.RIGHTS_EVERYONE_ROLE})
-    assert exc_info.value.code == 43
-
-
-def test_i_can_still_write():
-    workspace_name = 'test_i_can_still_write_workspace'
-    username = 'test_who_can_write_can_read_user'
+    @pytest.fixture(scope="class", autouse=True)
+    def provide_data(self, request):
+        with app.app_context():
+            ensure_user(self.username, '13')
+            ensure_role(self.role1)
+            ensure_user_role(self.username, self.role1)
+        yield
+        if request.node.session.testsfailed == 0:
+            with app.app_context():
+                delete_user_role(self.username, self.role1)
+                delete_role(self.role1)
+                users.delete_user(self.username)
 
-    publications.i_can_still_write(None, {settings.RIGHTS_EVERYONE_ROLE, })
-    publications.i_can_still_write(None, {username, settings.RIGHTS_EVERYONE_ROLE, })
-    publications.i_can_still_write(username, {settings.RIGHTS_EVERYONE_ROLE, })
-    publications.i_can_still_write(username, {workspace_name, settings.RIGHTS_EVERYONE_ROLE, })
-    publications.i_can_still_write(username, {workspace_name, username, })
+    @pytest.mark.parametrize("can_read, can_write", [
+        pytest.param(set(), set(), id='read-empty-write-empty'),
+        pytest.param({username}, {username}, id='read-user-write-user'),
+        pytest.param({username, username2}, {username}, id='read-two-users-write-user'),
+        pytest.param({username, settings.RIGHTS_EVERYONE_ROLE}, {username}, id='read-user-everyone-write-user'),
+        pytest.param({username, settings.RIGHTS_EVERYONE_ROLE}, {username, settings.RIGHTS_EVERYONE_ROLE},
+                     id='read-user-everyone-write-user-everyone'),
+        pytest.param({settings.RIGHTS_EVERYONE_ROLE}, {settings.RIGHTS_EVERYONE_ROLE},
+                     id='read-everyone-write-everyone'),
+        pytest.param({settings.RIGHTS_EVERYONE_ROLE}, {settings.RIGHTS_EVERYONE_ROLE, username},
+                     id='read-everyone-write-user-everyone'),
+        pytest.param({settings.RIGHTS_EVERYONE_ROLE, username}, {settings.RIGHTS_EVERYONE_ROLE},
+                     id='read-user-everyone-write-everyone'),
+        pytest.param({settings.RIGHTS_EVERYONE_ROLE, username}, set(), id='read-user-everyone-write-empty'),
+        pytest.param({role1}, {role1}, id='read-role-write-role'),
+        pytest.param({settings.RIGHTS_EVERYONE_ROLE}, {role1}, id='read-everyone-write-role'),
+    ])
+    def test_ok(self, can_read, can_write):
+        publications.who_can_write_can_read(can_read, can_write)
+
+    @pytest.mark.parametrize("can_read, can_write", [
+        pytest.param(set(), {username}, id='read-empty-write-user'),
+        pytest.param(set(), {settings.RIGHTS_EVERYONE_ROLE}, id='read-empty-write-everyone'),
+        pytest.param({username}, {settings.RIGHTS_EVERYONE_ROLE}, id='read-user-write-everyone'),
+        pytest.param({username}, {username2}, id='read-user-write-user2'),
+        pytest.param({username}, {role1}, id='read-user-write-role'),
+        pytest.param({role1}, {username}, id='read-role-write-user'),
+        pytest.param({role1}, {role2}, id='read-role1-write-role2'),
+        pytest.param({role1}, {settings.RIGHTS_EVERYONE_ROLE}, id='read-role1-write-everyone'),
+    ])
+    def test_raises(self, can_read, can_write):
+        with pytest.raises(LaymanError) as exc_info:
+            publications.who_can_write_can_read(can_read, can_write)
+        assert exc_info.value.code == 43
 
-    with pytest.raises(LaymanError) as exc_info:
-        publications.i_can_still_write(None, set())
-    assert exc_info.value.code == 43
 
-    with pytest.raises(LaymanError) as exc_info:
-        publications.i_can_still_write(None, {workspace_name, })
-    assert exc_info.value.code == 43
+class TestICanStillWrite:
+    username = 'test_i_can_still_write_user'
+    username2 = 'test_i_can_still_write_user2'
+    role1 = 'ROLE1'
 
-    with pytest.raises(LaymanError) as exc_info:
-        publications.i_can_still_write(username, set())
-    assert exc_info.value.code == 43
+    @pytest.fixture(scope="function", autouse=True)
+    def provide_data(self, request):
+        with app.app_context():
+            ensure_user(self.username, '15')
+            ensure_user(self.username2, '16')
+            ensure_role(self.role1)
+            ensure_user_role(self.username, self.role1)
+        yield
+        if request.node.session.testsfailed == 0:
+            with app.app_context():
+                delete_user_role(self.username, self.role1)
+                delete_role(self.role1)
+                users.delete_user(self.username)
+                users.delete_user(self.username2)
 
-    with pytest.raises(LaymanError) as exc_info:
-        publications.i_can_still_write(username, {workspace_name, })
-    assert exc_info.value.code == 43
+    @classmethod
+    @pytest.mark.parametrize("actor_name, can_write", [
+        pytest.param(None, {settings.RIGHTS_EVERYONE_ROLE}, id='noname-rights-everyone'),
+        pytest.param(None, {username, settings.RIGHTS_EVERYONE_ROLE}, id='noname-rights-everyone-and-user'),
+        pytest.param(username, {settings.RIGHTS_EVERYONE_ROLE}, id='user-rights-everyone'),
+        pytest.param(username, {username2, settings.RIGHTS_EVERYONE_ROLE}, id='user-rights-other-user-and-everyone'),
+        pytest.param(username, {username, username2}, id='user-rights-user-and-other-user'),
+        pytest.param(username, {role1}, id='user-rights-role-of-user'),
+    ])
+    def test_ok(cls, actor_name, can_write):
+        publications.i_can_still_write(actor_name, can_write)
 
-    with pytest.raises(LaymanError) as exc_info:
-        publications.i_can_still_write(username, {'ROLE1'})
-    assert exc_info.value.code == 43
+    @classmethod
+    @pytest.mark.parametrize("actor_name, can_write", [
+        pytest.param(None, set(), id='noname-empty-rights'),
+        pytest.param(None, {username2}, id='noname-rights-other-user'),
+        pytest.param(username, set(), id='user-empty-rights'),
+        pytest.param(username, {username2}, id='user-rights-other-user'),
+        pytest.param(username2, {role1}, id='user-rights-other-role'),
+    ])
+    def test_raises(cls, actor_name, can_write):
+        with pytest.raises(LaymanError) as exc_info:
+            publications.i_can_still_write(actor_name, can_write)
+        assert exc_info.value.code == 43
 
 
-def test_owner_can_still_write():
-    workspace_name = 'test_owner_can_still_write_workspace'
+class TestOwnerCanStillWrite:
     username = 'test_owner_can_still_write_user'
+    username2 = 'test_owner_can_still_write_user2'
+    role1 = 'ROLE1'
 
-    publications.owner_can_still_write(None, set())
-    publications.owner_can_still_write(None, {settings.RIGHTS_EVERYONE_ROLE, })
-    publications.owner_can_still_write(None, {username, })
-    publications.owner_can_still_write(username, {settings.RIGHTS_EVERYONE_ROLE, })
-    publications.owner_can_still_write(username, {username, })
-    publications.owner_can_still_write(username, {username, workspace_name, })
-
-    with pytest.raises(LaymanError) as exc_info:
-        publications.owner_can_still_write(username, set())
-    assert exc_info.value.code == 43
-
-    with pytest.raises(LaymanError) as exc_info:
-        publications.owner_can_still_write(username, {workspace_name, })
-    assert exc_info.value.code == 43
+    @classmethod
+    @pytest.mark.parametrize("owner, can_write", [
+        pytest.param(None, set(), id='no-owner-empty-rights'),
+        pytest.param(None, {settings.RIGHTS_EVERYONE_ROLE}, id='no-owner-rights-everyone'),
+        pytest.param(None, {username}, id='no-owner-rights-user'),
+        pytest.param(username, {settings.RIGHTS_EVERYONE_ROLE}, id='owner-rights-everyone'),
+        pytest.param(username, {username}, id='owner-rights-owner'),
+        pytest.param(username, {username, username2}, id='owner-rights-owner-and-other-user'),
+        pytest.param(username, {username, role1}, id='owner-rights-owner-and-role'),
+    ])
+    def test_ok(cls, owner, can_write):
+        publications.owner_can_still_write(owner, can_write)
 
-    with pytest.raises(LaymanError) as exc_info:
-        publications.owner_can_still_write(username, {'ROLE1'})
-    assert exc_info.value.code == 43
+    @classmethod
+    @pytest.mark.parametrize("owner, can_write", [
+        pytest.param(username, set(), id='owner-empty-rights'),
+        pytest.param(username, {username2}, id='owner-rights-other-user'),
+        pytest.param(username, {role1}, id='owner-rights-role'),
+    ])
+    def test_raises(cls, owner, can_write):
+        with pytest.raises(LaymanError) as exc_info:
+            publications.owner_can_still_write(owner, can_write)
+        assert exc_info.value.code == 43
 
 
 def test_get_user_and_role_names_for_db():