Scottx611x/handle admin users specially when determining ownership (#…

…3080) * Handle admin requester as special case for api/vx/data_sets/ * Add test coverage
refinery-platform · Nov 2, 2018 · eedf457 · eedf457
1 parent b5090bb
commit eedf457
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 2 deletions.
diff --git a/refinery/core/api.py b/refinery/core/api.py
@@ -689,7 +689,10 @@ def get_by_db_id(self, request, **kwargs):
             if group.group == ExtendedGroup.objects.public_group():
                 is_public = True
 
-        is_owner = ds.get_owner() == request.user
+        if request.user.is_superuser:
+            is_owner = ds.get_owner() == request.user
+        else:
+            is_owner = request.user.has_perm('core.share_dataset', ds)
 
         try:
             user_uuid = request.user.profile.uuid

diff --git a/refinery/core/test_views.py b/refinery/core/test_views.py
@@ -727,6 +727,24 @@ def test_get_data_set_is_not_clean(self):
         get_response = self.view(self.get_request)
         self.assertFalse(get_response.data.get('data_sets')[0]["is_clean"])
 
+    def test_is_owner_reflects_actual_owner(self):
+        get_request = self.factory.get(urljoin(self.url_root,
+                                               self.user_3_data_set.uuid))
+        get_request.user = self.user_3
+        get_response = self.view(get_request)
+        data_set = get_response.data.get('data_sets')[0]
+        self.assertTrue(data_set["is_owner"])
+
+    def test_is_owner_reflects_actual_owner_with_admin_requester(self):
+        username = password = "admin"
+        admin_user = User.objects.create_superuser(username, '', password)
+        get_request = self.factory.get(urljoin(self.url_root,
+                                               self.user_3_data_set.uuid))
+        get_request.user = admin_user
+        get_response = self.view(self.get_request)
+        data_set = get_response.data.get('data_sets')[0]
+        self.assertFalse(data_set["is_owner"])
+
 
 class AnalysisApiV2Tests(APIV2TestCase):
 

diff --git a/refinery/core/views.py b/refinery/core/views.py
@@ -696,7 +696,10 @@ def get(self, request):
         for data_set in user_data_sets:
             is_public = all_public_perms.has_perm('read_meta_dataset',
                                                   data_set)
-            is_owner = data_set.get_owner() == request.user
+            if request.user.is_superuser:
+                is_owner = data_set.get_owner() == request.user
+            else:
+                is_owner = all_owner_perms.has_perm('share_dataset', data_set)
             setattr(data_set, 'public', is_public)
             setattr(data_set, 'is_owner', is_owner)