From a3bd3f59e33cddab602c855d4a7e28abd28cbd74 Mon Sep 17 00:00:00 2001 From: sanderegg <35365065+sanderegg@users.noreply.github.com> Date: Wed, 8 Jul 2020 09:45:56 +0200 Subject: [PATCH 1/2] add groups.read secutiry role --- .../web/server/src/simcore_service_webserver/security_roles.py | 1 + 1 file changed, 1 insertion(+) diff --git a/services/web/server/src/simcore_service_webserver/security_roles.py b/services/web/server/src/simcore_service_webserver/security_roles.py index 903056cd6b9..8e386c4a735 100644 --- a/services/web/server/src/simcore_service_webserver/security_roles.py +++ b/services/web/server/src/simcore_service_webserver/security_roles.py @@ -27,6 +27,7 @@ "project.update", "storage.locations.*", # "storage.datcore.read" "storage.files.*", + "groups.read", "project.open", "project.read", # "studies.user.read", # "studies.templates.read" From f339fd32bc9d9f9a5c08dd2902d9b177cf75590b Mon Sep 17 00:00:00 2001 From: sanderegg <35365065+sanderegg@users.noreply.github.com> Date: Wed, 8 Jul 2020 09:46:10 +0200 Subject: [PATCH 2/2] test that groups right are correctly setup --- .../groups_handlers.py | 4 ++-- .../server/tests/unit/with_dbs/test_groups.py | 22 ++++++++++++++----- 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/services/web/server/src/simcore_service_webserver/groups_handlers.py b/services/web/server/src/simcore_service_webserver/groups_handlers.py index 4e5629ff8f9..2d20ec86873 100644 --- a/services/web/server/src/simcore_service_webserver/groups_handlers.py +++ b/services/web/server/src/simcore_service_webserver/groups_handlers.py @@ -20,7 +20,7 @@ # groups/ ------------------------------------------------------ @login_required -@permission_required("groups.*") +@permission_required("groups.read") async def list_groups(request: web.Request): user_id = request[RQT_USERID_KEY] primary_group, user_groups, all_group = await groups_api.list_user_groups( 
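Review bot: The added `"groups.read"` entry carries no comment saying what it unlocks, and the role that owns this `can` list is declared above the hunk, so the grant cannot be audited from the diff alone. Going by the tests in patch 2/2 it is presumably the guest role. I would annotate the line, for example `"groups.read",  # read-only: list_groups, get_group`, so that any later widening to `groups.*` shows up in review as a deliberate change.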
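Review bot: `list_groups` here, and `get_group` in the next hunk, have no docstring stating that `groups.read` is only the coarse role gate and that which groups a caller may see is decided inside `groups_api`. If patch 1/2 grants `groups.read` to a lower-privileged role, as the tests suggest, that object-level filtering is the only thing separating one user's groups from another's, and it lives outside both hunks. I would add a one-line docstring to each, e.g. `"""Return only groups the requesting user belongs to; per-group access is enforced in groups_api."""`, after confirming that this is what `groups_api` does. Both function bodies continue past the end of their hunks.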
@@ -30,7 +30,7 @@ async def list_groups(request: web.Request): @login_required -@permission_required("groups.*") +@permission_required("groups.read") async def get_group(request: web.Request): user_id = request[RQT_USERID_KEY] gid = request.match_info["gid"] diff --git a/services/web/server/tests/unit/with_dbs/test_groups.py b/services/web/server/tests/unit/with_dbs/test_groups.py index 884cfea7d53..72d6c87e00b 100644 --- a/services/web/server/tests/unit/with_dbs/test_groups.py +++ b/services/web/server/tests/unit/with_dbs/test_groups.py @@ -119,7 +119,9 @@ async def test_list_groups( assert str(url) == f"{PREFIX}" resp = await client.get(url) - data, error = await assert_status(resp, expected.ok) + data, error = await assert_status( + resp, expected.ok if user_role != UserRole.GUEST else web.HTTPOk + ) if not error: assert isinstance(data, dict) @@ -198,8 +200,10 @@ async def test_group_creation_workflow(client, logged_user, user_role, expected) assert str(url) == f"{PREFIX}" resp = await client.get(url) - data, error = await assert_status(resp, expected.ok) - if not error: + data, error = await assert_status( + resp, expected.ok if user_role != UserRole.GUEST else web.HTTPOk + ) + if not error and user_role != UserRole.GUEST: assert len(data["organizations"]) == 1 assert data["organizations"][0] == assigned_group @@ -207,7 +211,9 @@ async def test_group_creation_workflow(client, logged_user, user_role, expected) url = client.app.router["get_group"].url_for(gid=str(assigned_group["gid"])) assert str(url) == f"{PREFIX}/{assigned_group['gid']}" resp = await client.get(url) - data, error = await assert_status(resp, expected.ok) + data, error = await assert_status( + resp, expected.ok if user_role != UserRole.GUEST else web.HTTPNotFound + ) if not error: assert data == assigned_group 
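Review bot: The expression `expected.ok if user_role != UserRole.GUEST else web.HTTPOk` is written inline in the -119 hunk and repeated, with small variations, in the hunks at -198, -207, -226 and -249, which makes the guest expectations easy to get out of step. A small helper near the top of the module, such as `def _guest_or(user_role, default, guest): return guest if user_role == UserRole.GUEST else default`, would keep the rule in one place. The test function starts and ends outside this hunk.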
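Review bot: In the -198 hunk the guard `if not error and user_role != UserRole.GUEST:` skips every content assertion for guests, so the test only checks that a guest receives 200 and never what the response contains. Since this series is what lets guests reach `list_groups`, the body is the part worth pinning: something like `elif not error: assert not data["organizations"]` would fail if a guest were ever shown a group it does not belong to. That expected value assumes the guest fixture has no organizations, which is not visible here and should be confirmed.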
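Review bot: The guest expectation `web.HTTPNotFound` in the -207 hunk, and again at -226 and -249, does not show that access control is what produced the 404. If the earlier creation step is rejected for guests, which the role list suggests but the hunks do not show, the group never exists and the same 404 would come back without any membership check being exercised. A separate case in which a guest (or any non-member) requests a group created by another user would cover that path; it is missing from this patch as far as the visible hunks show.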
@@ -226,7 +232,9 @@ async def test_group_creation_workflow(client, logged_user, user_role, expected) url = client.app.router["get_group"].url_for(gid=str(assigned_group["gid"])) assert str(url) == f"{PREFIX}/{assigned_group['gid']}" resp = await client.get(url) - data, error = await assert_status(resp, expected.ok) + data, error = await assert_status( + resp, expected.ok if user_role != UserRole.GUEST else web.HTTPNotFound + ) if not error: _assert_group(data) assert data == assigned_group @@ -249,7 +257,9 @@ async def test_group_creation_workflow(client, logged_user, user_role, expected) url = client.app.router["get_group"].url_for(gid=str(assigned_group["gid"])) assert str(url) == f"{PREFIX}/{assigned_group['gid']}" resp = await client.get(url) - data, error = await assert_status(resp, expected.not_found) + data, error = await assert_status( + resp, expected.not_found if user_role != UserRole.GUEST else web.HTTPNotFound + ) @pytest.mark.parametrize(*standard_role_response())