Bugfix/allow reading groups anonymous user (#1615)

sanderegg · web-flow · commit 153e9b258059 · 2020-07-08T10:59:20.000+02:00
* add groups.read secutiry role
* test that groups right are correctly setup
diff --git a/services/web/server/src/simcore_service_webserver/groups_handlers.py b/services/web/server/src/simcore_service_webserver/groups_handlers.py
@@ -20,7 +20,7 @@
 
 # groups/ ------------------------------------------------------
 @login_required
-@permission_required("groups.*")
+@permission_required("groups.read")
 async def list_groups(request: web.Request):
     user_id = request[RQT_USERID_KEY]
     primary_group, user_groups, all_group = await groups_api.list_user_groups(
@@ -30,7 +30,7 @@ async def list_groups(request: web.Request):
 
 
 @login_required
-@permission_required("groups.*")
+@permission_required("groups.read")
 async def get_group(request: web.Request):
     user_id = request[RQT_USERID_KEY]
     gid = request.match_info["gid"]
diff --git a/services/web/server/src/simcore_service_webserver/security_roles.py b/services/web/server/src/simcore_service_webserver/security_roles.py
@@ -27,6 +27,7 @@
             "project.update",
             "storage.locations.*",  # "storage.datcore.read"
             "storage.files.*",
+            "groups.read",
             "project.open",
             "project.read",  # "studies.user.read",
             # "studies.templates.read"
diff --git a/services/web/server/tests/unit/with_dbs/test_groups.py b/services/web/server/tests/unit/with_dbs/test_groups.py
@@ -119,7 +119,9 @@ async def test_list_groups(
     assert str(url) == f"{PREFIX}"
 
     resp = await client.get(url)
-    data, error = await assert_status(resp, expected.ok)
+    data, error = await assert_status(
+        resp, expected.ok if user_role != UserRole.GUEST else web.HTTPOk
+    )
 
     if not error:
         assert isinstance(data, dict)
@@ -198,16 +200,20 @@ async def test_group_creation_workflow(client, logged_user, user_role, expected)
     assert str(url) == f"{PREFIX}"
 
     resp = await client.get(url)
-    data, error = await assert_status(resp, expected.ok)
-    if not error:
+    data, error = await assert_status(
+        resp, expected.ok if user_role != UserRole.GUEST else web.HTTPOk
+    )
+    if not error and user_role != UserRole.GUEST:
         assert len(data["organizations"]) == 1
         assert data["organizations"][0] == assigned_group
 
     # check getting one group
     url = client.app.router["get_group"].url_for(gid=str(assigned_group["gid"]))
     assert str(url) == f"{PREFIX}/{assigned_group['gid']}"
     resp = await client.get(url)
-    data, error = await assert_status(resp, expected.ok)
+    data, error = await assert_status(
+        resp, expected.ok if user_role != UserRole.GUEST else web.HTTPNotFound
+    )
     if not error:
         assert data == assigned_group
 
@@ -226,7 +232,9 @@ async def test_group_creation_workflow(client, logged_user, user_role, expected)
     url = client.app.router["get_group"].url_for(gid=str(assigned_group["gid"]))
     assert str(url) == f"{PREFIX}/{assigned_group['gid']}"
     resp = await client.get(url)
-    data, error = await assert_status(resp, expected.ok)
+    data, error = await assert_status(
+        resp, expected.ok if user_role != UserRole.GUEST else web.HTTPNotFound
+    )
     if not error:
         _assert_group(data)
         assert data == assigned_group
@@ -249,7 +257,9 @@ async def test_group_creation_workflow(client, logged_user, user_role, expected)
     url = client.app.router["get_group"].url_for(gid=str(assigned_group["gid"]))
     assert str(url) == f"{PREFIX}/{assigned_group['gid']}"
     resp = await client.get(url)
-    data, error = await assert_status(resp, expected.not_found)
+    data, error = await assert_status(
+        resp, expected.not_found if user_role != UserRole.GUEST else web.HTTPNotFound
+    )
 
 
 @pytest.mark.parametrize(*standard_role_response())
