[API] Fix PUT request for Candidates \visit endpoint and integration test #7088
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
spell00
added
Area: API
spell00
added
"Help! I don't understand Travis!"
spell00
force-pushed
the
2020-10-07-FixPutVisitEndpoint
branch
from
77970fe to
9c9d96f
Compare
xlecours
requested changes
Oct 30, 2020
xlecours
approved these changes
Oct 30, 2020
spell00
added
the
State: Blocked
|
blocked by #7101 |
spell00
force-pushed
the
2020-10-07-FixPutVisitEndpoint
branch
from
7ba7074 to
ed0baf7
Compare
spell00
removed
the
State: Blocked
driusan
reviewed
Nov 5, 2020
| @@ -215,11 +215,19 @@ class Visit extends Endpoint implements \LORIS\Middleware\ETagCalculator | |||
| $this->_candidate->getListOfVisitLabels() | |||
| ); | |||
|
|
|||
| if (!in_array($this->_candidate->getCenterID(), $user->getCenterIDs())) { | |||
There was a problem hiding this comment.
The Candidate class implements the AccessibleResource interface. I think this should just be using$this->_candidate->isAccessibleBy($user) instead of duplicating the logic in slightly different ways in the API. (That would also handle Project permissions, which this is currently not doing.)
There was a problem hiding this comment.
It is now using $this->_candidate->isAccessibleBy($user)
|
@driusan I did the correction, this is ready for re-review |
driusan
reviewed
Nov 6, 2020
| @@ -215,11 +215,18 @@ class Visit extends Endpoint implements \LORIS\Middleware\ETagCalculator | |||
| $this->_candidate->getListOfVisitLabels() | |||
| ); | |||
|
|
|||
| if (!$this->_candidate->isAccessibleBy($user)) { | |||
| return new \LORIS\Http\Response\JSON\Forbidden( | |||
| 'You can`t create or modify that candidate' | |||
There was a problem hiding this comment.
Suggested change
| 'You can`t create or modify that candidate' | |
| "You can't create or modify that candidate" |
"can't" doesn't have a backtick in it.
driusan
reviewed
Nov 6, 2020
| $centerid = array_search($visitinfo['Site'], \Utility::getSiteList()); | ||
|
|
||
| if (!in_array($centerid, $user->getCenterIDs())) { | ||
| return new \LORIS\Http\Response\JSON\Forbidden( | ||
| 'You can`t create candidates visit for that site' | ||
| 'You can`t create or modify candidates visit for the site ' . |
There was a problem hiding this comment.
Suggested change
| 'You can`t create or modify candidates visit for the site ' . | |
| "You can't create or modify candidates visit for the site " . |
|
@driusan I did all the corrections |
|
@driusan It passed Travis |
AlexandraLivadas
pushed a commit
to AlexandraLivadas/Loris
that referenced
this pull request
Jun 29, 2021
…test (aces#7088) The PUT request should never allow to edit a candidate from a Site where the User has no affiliation with. In this case, the test User has only affiliation with Data Coordinating Center (DCC). It is however possible to do so if the new Site is DCC. For example, in raisinbread, candidate 300001 (https://<hostname>.loris.ca/api/v0.0.4-dev/candidates/300001) is from site Montreal. The test user should not be able to modify this candidate, because the candidate is from Montreal, but is able to. Also adds automatic the integration tests to test the changes suggested. Resolves aces#7106
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Brief summary of changes
The PUT request should never allow to edit a candidate from a
Sitewhere the User has no affiliation with. In this case, the test User has only affiliation with Data Coordinating Center (DCC). It is however possible to do so if the newSiteis DCC.For example, in raisinbread, candidate 300001 (
https://<hostname>.loris.ca/api/v0.0.4-dev/candidates/300001) is from siteMontreal. The test user should not be able to modify this candidate, because the candidate is from Montreal, but is able to.Also adds automatic the integration tests to test the changes suggested.
Testing instructions
The testing is made automatic.
To test manually:
Before the test, make sure the User that will be used don't have affiliation with Montreal.
First get the API token using:
curl https://<hostname>/api/v0.0.3/login -d '{"username": "<username>", "password": "<password>"}'In the terminal, enter
curl -X PUT -H "Authorization: Bearer $token" https://<hostname>/api/v0.0.4-dev/candidates/300001/V3 -d '{"CandID":"300001","Visit":"V3","Site":"Montreal","Battery":"Low Yeast","Project":"Pumpernickel"}'Link(s) to related issue(s)