From b2c4ca6eceb9100ecb4bbc26e459a7dbd8451042 Mon Sep 17 00:00:00 2001
From: Michael DeHaan
Date: Fri, 26 Apr 2013 18:12:12 -0400
Subject: [PATCH] Complete tests and permission API REST exposure. Note permission objects are found through user and teams, not a permissions collection.
---
lib/main/tests/projects.py | 31 +++++++++++++++++++++++--------
lib/main/views.py | 9 ++++++---
2 files changed, 29 insertions(+), 11 deletions(-)
diff --git a/lib/main/tests/projects.py b/lib/main/tests/projects.py
index 4e012a1f9e..fb6437ae5c 100644
--- a/lib/main/tests/projects.py
+++ b/lib/main/tests/projects.py
@@ -415,25 +415,40 @@ class ProjectsTest(BaseTest): ) url = '/api/v1/users/%s/permissions/' % user.pk - self.post(url, user_permission, expect=201, auth=self.get_super_credentials()) - + posted = self.post(url, user_permission, expect=201, auth=self.get_super_credentials()) + url2 = posted['url'] + got = self.get(url2, expect=200, auth=self.get_other_credentials()) + # can add permissions on a team url = '/api/v1/teams/%s/permissions/' % team.pk - self.post(url, team_permission, expect=201, auth=self.get_super_credentials()) + posted = self.post(url, team_permission, expect=201, auth=self.get_super_credentials()) + url2 = posted['url'] + # check we can get that permission back + got = self.get(url2, expect=200, auth=self.get_other_credentials()) # can list permissions on a user url = '/api/v1/users/%s/permissions/' % user.pk + got = self.get(url, expect=200, auth=self.get_super_credentials()) + got = self.get(url, expect=200, auth=self.get_other_credentials()) + got = self.get(url, expect=403, auth=self.get_nobody_credentials()) # can list permissions on a team url = '/api/v1/teams/%s/permissions/' % team.pk + got = self.get(url, expect=200, auth=self.get_super_credentials()) + got = self.get(url, expect=200, auth=self.get_other_credentials()) + got = self.get(url, expect=403, auth=self.get_nobody_credentials()) - # can edit a permission + # can edit a permission -- reducing the permission level + team_permission['permission_type'] = PERM_INVENTORY_CHECK + self.put(url2, team_permission, expect=200, auth=self.get_super_credentials()) + self.put(url2, team_permission, expect=403, auth=self.get_other_credentials()) - # can remove permissions from a user - # do need to disassociate, just delete it + # can remove permissions + # do need to disassociate, just delete it + self.delete(url2, expect=403, auth=self.get_other_credentials()) + self.delete(url2, expect=204, auth=self.get_super_credentials()) + self.delete(url2, expect=404, auth=self.get_other_credentials()) - # 
can remove permissions from a team - # do need to disassociate, just delete it diff --git a/lib/main/views.py b/lib/main/views.py index a154d306be..4a45bee704 100644 --- a/lib/main/views.py +++ b/lib/main/views.py @@ -279,9 +279,12 @@ class TeamsPermissionsList(BaseSubList): def _get_queryset(self): team = Team.objects.get(pk=self.kwargs['pk']) - if not Team.can_user_administrate(self.request.user, team, None): - raise PermissionDenied() - return Permission.objects.filter(team = team) + base = Permission.objects.filter(team = team) + if Team.can_user_administrate(self.request.user, team, None): + return base + elif team.users.filter(pk=self.request.user.pk).count() > 0: + return base + raise PermissionDenied() class TeamsProjectsList(BaseSubList):
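Review bot: The negative cases stop at the list endpoints: the permission detail URL `url2` is fetched, edited and deleted only with the super and `other` credentials, so nothing here pins that a user with no relationship to the team is refused on the object itself. Adding `self.get(url2, expect=403, auth=self.get_nobody_credentials())` before the edit step, plus the matching `put` and `delete` calls with the same credentials, would cover that. `url2` is also overwritten by the team permission, so the user permission created first is never edited or deleted, and `got` is assigned but never inspected, which means the list checks assert only the status code. The enclosing test method starts above the hunk, so how `other` and `nobody` relate to `team` is not visible here.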
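Review bot: The new `elif` in `_get_queryset` widens read access from team administrators to every team member, and nothing in the code records that this is intentional; a one-line comment such as `# team members may read (not edit) the team's permissions` above the membership test would state the rule. Both branches return the same queryset, so they can be merged, and `.exists()` avoids counting rows: `if Team.can_user_administrate(self.request.user, team, None) or team.users.filter(pk=self.request.user.pk).exists():` followed by `return base`. Separately, `Team.objects.get(pk=self.kwargs['pk'])` runs before any authorization check, so unless `BaseSubList` handles `Team.DoesNotExist` (not visible in this hunk) a missing pk is answered differently from a forbidden one, which tells an unauthorized caller which team ids exist.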