Integration tests (#2256)

* initial commit * almost done * finished 3 tests * minor refactor * built out initial permisison tests * reworked test_deletion * removed logging * all original tests have been converted * renamed user_groups to user_group * mypy * added test for doc set permissions * unified naming for manager methods * Refactored models and added new deletion test * minor additions * better logging+fixed input variables * commented out failed tests * Added readme * readme update * Added auth to IT set auth_type to basic and require_email_verification to false * Update run-it.yml * used verify and added to readme * added api key manager
2025-09-19 12:03:54 +02:00 · 2024-09-01 15:21:00 -07:00
parent 634de83d72
commit 8d443ada5b
40 changed files with 2890 additions and 612 deletions
--- a/backend/ee/danswer/db/user_group.py
+++ b/backend/ee/danswer/db/user_group.py
@@ -2,6 +2,7 @@ from collections.abc import Sequence
 from operator import and_
 from uuid import UUID

+from fastapi import HTTPException
 from sqlalchemy import delete
 from sqlalchemy import func
 from sqlalchemy import select
@@ -30,6 +31,50 @@ from ee.danswer.server.user_group.models import UserGroupUpdate
 logger = setup_logger()


+def validate_user_creation_permissions(
+    db_session: Session,
+    user: User | None,
+    target_group_ids: list[int] | None,
+    object_is_public: bool | None,
+) -> None:
+    """
+    All admin actions are allowed.
+    Prevents non-admins from creating/editing:
+    - public objects
+    - objects with no groups
+    - objects that belong to a group they don't curate
+    """
+    if not user or user.role == UserRole.ADMIN:
+        return
+
+    if object_is_public:
+        detail = "User does not have permission to create public credentials"
+        logger.error(detail)
+        raise HTTPException(
+            status_code=402,
+            detail=detail,
+        )
+    if not target_group_ids:
+        detail = "Curators must specify 1+ groups"
+        logger.error(detail)
+        raise HTTPException(
+            status_code=402,
+            detail=detail,
+        )
+    user_curated_groups = fetch_user_groups_for_user(
+        db_session=db_session, user_id=user.id, only_curator_groups=True
+    )
+    user_curated_group_ids = set([group.id for group in user_curated_groups])
+    target_group_ids_set = set(target_group_ids)
+    if not target_group_ids_set.issubset(user_curated_group_ids):
+        detail = "Curators cannot control groups they don't curate"
+        logger.error(detail)
+        raise HTTPException(
+            status_code=402,
+            detail=detail,
+        )
+
+
 def fetch_user_group(db_session: Session, user_group_id: int) -> UserGroup | None:
    stmt = select(UserGroup).where(UserGroup.id == user_group_id)
    return db_session.scalar(stmt)
--- a/backend/ee/danswer/server/user_group/api.py
+++ b/backend/ee/danswer/server/user_group/api.py
@@ -9,6 +9,7 @@ from danswer.auth.users import current_curator_or_admin_user
 from danswer.db.engine import get_session
 from danswer.db.models import User
 from danswer.db.models import UserRole
+from danswer.utils.logger import setup_logger
 from ee.danswer.db.user_group import fetch_user_groups
 from ee.danswer.db.user_group import fetch_user_groups_for_user
 from ee.danswer.db.user_group import insert_user_group
@@ -20,6 +21,8 @@ from ee.danswer.server.user_group.models import UserGroup
 from ee.danswer.server.user_group.models import UserGroupCreate
 from ee.danswer.server.user_group.models import UserGroupUpdate

+logger = setup_logger()
+
 router = APIRouter(prefix="/manage")


@@ -90,6 +93,7 @@ def set_user_curator(
            set_curator_request=set_curator_request,
        )
    except ValueError as e:
+        logger.error(f"Error setting user curator: {e}")
        raise HTTPException(status_code=404, detail=str(e))