From a90b8bb2586b642d50febd10cccc8718a7a6153b Mon Sep 17 00:00:00 2001 From: Josh Eckels Date: Mon, 13 Jul 2026 17:21:09 -0700 Subject: [PATCH 1/2] GitHub Issue 1300: BulkUpgradeGroupAction scoping changes (#3099) ## Rationale BulkUpgradeGroupAction is inconsistent with other actions for its permission checks ## Related Pull Requests - https://github.com/LabKey/platform/pull/7836 ## Changes - Test coverage for other projects and adding users --- .../remoteapi/BulkUpdateGroupApiTest.java | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/src/org/labkey/test/tests/remoteapi/BulkUpdateGroupApiTest.java b/src/org/labkey/test/tests/remoteapi/BulkUpdateGroupApiTest.java index bdef4aabf0..720a3f335d 100644 --- a/src/org/labkey/test/tests/remoteapi/BulkUpdateGroupApiTest.java +++ b/src/org/labkey/test/tests/remoteapi/BulkUpdateGroupApiTest.java @@ -29,6 +29,7 @@ import org.labkey.test.util.APIUserHelper; import org.labkey.test.util.ApiPermissionsHelper; import org.labkey.test.util.DataRegionTable; +import org.labkey.test.util.PermissionsHelper; import org.labkey.test.util.PermissionsHelper.PrincipalType; import java.util.ArrayList; @@ -61,11 +62,15 @@ public class BulkUpdateGroupApiTest extends BaseWebDriverTest private static Integer group1Id; private static Integer group2Id; private static final String siteGroup = "createdSiteGroup"; + private static final String OTHER_PROJECT = "BulkUpdateGroupApiTest Other Project"; + private static final String OTHER_GROUP = "otherProjectGroup"; + private static Integer otherProjectGroupId; @Override protected void doCleanup(boolean afterTest) throws TestTimeoutException { _containerHelper.deleteProject(getProjectName(), afterTest); + _containerHelper.deleteProject(OTHER_PROJECT, afterTest); deleteTestUsers(EMAIL_SUFFIX); _permissionsHelper.deleteGroup(siteGroup); } @@ -101,6 +106,9 @@ private void doSetup() user2Id = _userHelper.createUser(USER2).getUserId(); group1Id = _permissionsHelper.createProjectGroup(GROUP1, getProjectName()); group2Id = _permissionsHelper.createProjectGroup(GROUP2, getProjectName()); + + _containerHelper.createProject(OTHER_PROJECT, null); + otherProjectGroupId = _permissionsHelper.createProjectGroup(OTHER_GROUP, OTHER_PROJECT); } @Test @@ -499,6 +507,60 @@ public void testBulkUpdateAuditing() throws Exception AuditLogTest.verifyAuditEvent(this, AuditLogTest.GROUP_AUDIT_EVENT, "Comment", GROUP1, 2); } + // A project group may only be modified through the container it belongs to; targeting another project's group must be rejected. + @Test + public void testGroupFromDifferentContainerError() throws Exception + { + // otherProjectGroupId belongs to OTHER_PROJECT, but the command targets this test's project + BulkUpdateGroupCommand command = new BulkUpdateGroupCommand(otherProjectGroupId); + command.addMemberUser(USER1); + Connection connection = createDefaultConnection(); + + try + { + String message = command.execute(connection, getProjectName()).getText(); + fail("Expected CommandException modifying a group from another container\nResponse:\n" + message); + } + catch (CommandException e) + { + assertTrue("Expected cross-container error. Actual error: " + e.getMessage(), e.getMessage().contains("does not belong to this project")); + } + + _permissionsHelper.assertUserNotInGroup(USER1, OTHER_GROUP, OTHER_PROJECT, PrincipalType.USER); + } + + // Adding an existing user to a group requires only AdminPermission, but creating a brand-new user additionally requires AddUserPermission. + @Test + public void testCreateUserWithoutAddUserPermission() throws Exception + { + // A Folder Administrator has AdminPermission (so the action's @RequiresPermission passes) but lacks AddUserPermission + String folderAdmin = genTestEmail("folderadminnoadduser"); + String newUser = genTestEmail("shouldnotbecreated"); + _userHelper.createUser(folderAdmin); + _permissionsHelper.addMemberToRole(folderAdmin, PermissionsHelper.FOLDER_ADMIN_ROLE, PermissionsHelper.MemberType.user, getProjectName()); + + Connection connection = createDefaultConnection(); + connection.impersonate(folderAdmin, getProjectName()); + try + { + BulkUpdateGroupCommand command = new BulkUpdateGroupCommand(group1Id); + command.addMemberUser(USER1); // pre-existing user: should be added successfully + command.addMemberUser(newUser); // new user: folder admin lacks AddUserPermission + BulkUpdateGroupResponse response = command.execute(connection, getProjectName()); + + List errors = collectErrors(response); + assertEquals("Expected exactly one member error:\n" + String.join("\n", errors), 1, errors.size()); + assertTrue("Expected AddUserPermission error. Actual error: " + errors.get(0), errors.get(0).contains("do not have permission to create new users")); + } + finally + { + connection.stopImpersonating(); + } + + assertNull("New user was created despite the caller lacking AddUserPermission", _userHelper.getUserId(newUser)); + _permissionsHelper.assertUserInGroup(USER1, GROUP1, getProjectName(), PrincipalType.USER); + } + protected List collectErrors(BulkUpdateGroupResponse response) { Map errors = response.getErrors(); From 8dac5eacc034d632dac4a8e40924aa0a3b44e7a5 Mon Sep 17 00:00:00 2001 From: Josh Eckels Date: Tue, 14 Jul 2026 16:00:31 -0700 Subject: [PATCH 2/2] Use the project when removing members for a project group (#3105) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Rationale Recent improvements to the APIs for adding or removing members from a project group mean that we should use the project as the target URL when making those changes. ## Changes - Pass in the correct project group when making changes ## Tasks 📍 - [x] Claude Code Review - ~Manual Testing~ - [x] Test Automation --- src/org/labkey/test/tests/UserPermissionsTest.java | 2 +- src/org/labkey/test/util/ApiPermissionsHelper.java | 10 +++++----- src/org/labkey/test/util/PermissionsHelper.java | 2 +- src/org/labkey/test/util/UIPermissionsHelper.java | 4 ++-- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/org/labkey/test/tests/UserPermissionsTest.java b/src/org/labkey/test/tests/UserPermissionsTest.java index 3218c427fa..48ab03dc42 100644 --- a/src/org/labkey/test/tests/UserPermissionsTest.java +++ b/src/org/labkey/test/tests/UserPermissionsTest.java @@ -267,7 +267,7 @@ public void testAuditLogForGroupUpdates() log("Remove user from group and verify logs"); goToProjectHome(); - permissionsHelper.removeUserFromGroup(GAMMA_SUBMITTER_GROUP_NAME, GAMMA_SUBMITTER_USER); + permissionsHelper.removeUserFromGroup(GAMMA_SUBMITTER_GROUP_NAME, GAMMA_SUBMITTER_USER, getProjectName()); verifyAuditLog("User: " + GAMMA_SUBMITTER_USER + " was deleted from Group: " + GAMMA_SUBMITTER_GROUP_NAME); } diff --git a/src/org/labkey/test/util/ApiPermissionsHelper.java b/src/org/labkey/test/util/ApiPermissionsHelper.java index 4353faf07e..a510197c43 100644 --- a/src/org/labkey/test/util/ApiPermissionsHelper.java +++ b/src/org/labkey/test/util/ApiPermissionsHelper.java @@ -658,12 +658,12 @@ private List getGroupNames(String project) } @Override - public void removeUserFromGroup(String groupName, String userName) + public void removeUserFromGroup(String groupName, String userName, String projectPath) { Integer groupId = getGroupId(groupName); if (groupId == null) throw new IllegalArgumentException("Attempting to remove members from non-existent site group: " + groupName); - removeMembersFromGroup(groupId, userName); + removeMembersFromGroup(groupId, projectPath, userName); } @Override @@ -672,10 +672,10 @@ public void removeUserFromSiteGroup(String groupName, String userName) Integer groupId = getSiteGroupId(groupName); if (groupId == null) throw new IllegalArgumentException("Attempting to remove members from non-existent group: " + groupName); - removeMembersFromGroup(groupId, userName); + removeMembersFromGroup(groupId, "/", userName); } - private void removeMembersFromGroup(Integer groupId, String... members) + private void removeMembersFromGroup(Integer groupId, String projectPath, String... members) { BulkUpdateGroupCommand command = new BulkUpdateGroupCommand(groupId); command.setCreateGroup(false); @@ -685,7 +685,7 @@ private void removeMembersFromGroup(Integer groupId, String... members) try { Connection connection = getConnection(); - command.execute(connection, "/"); + command.execute(connection, projectPath); } catch (IOException | CommandException e) { diff --git a/src/org/labkey/test/util/PermissionsHelper.java b/src/org/labkey/test/util/PermissionsHelper.java index 3d01274dd9..319ff8d50c 100644 --- a/src/org/labkey/test/util/PermissionsHelper.java +++ b/src/org/labkey/test/util/PermissionsHelper.java @@ -161,7 +161,7 @@ public void deleteGroup(String groupName) @LogMethod(quiet = true) public abstract void deleteGroup(@LoggedParam String groupName, boolean failIfNotFound); - public abstract void removeUserFromGroup(String groupName, String userName); + public abstract void removeUserFromGroup(String groupName, String userName, String projectName); public abstract void removeUserFromSiteGroup(String groupName, String userName); public abstract boolean doesGroupExist(String groupName, String projectName); diff --git a/src/org/labkey/test/util/UIPermissionsHelper.java b/src/org/labkey/test/util/UIPermissionsHelper.java index a362b07252..eaab87422c 100644 --- a/src/org/labkey/test/util/UIPermissionsHelper.java +++ b/src/org/labkey/test/util/UIPermissionsHelper.java @@ -317,11 +317,11 @@ public void deleteGroup(@LoggedParam String groupName, boolean failIfNotFound) @Override public void removeUserFromSiteGroup(String groupName, String userEmail) { - removeUserFromGroup(groupName, userEmail); + removeUserFromGroup(groupName, userEmail, "/"); } @Override - public void removeUserFromGroup(String groupName, String userEmail) + public void removeUserFromGroup(String groupName, String userEmail, String projectPath) { if (!_driver.isTextPresent("Group " + groupName)) selectGroup(groupName);