SSDM-5299 : Project Authorization - modify @RolesAllowed annotations at experiment related methods

SVN: 38500

datastore_server/sourceTest/java/ch/systemsx/cisd/openbis/datastoreserver/systemtests/authorization/predicate/project/ProjectIdentifierExistingSpacePredicateSystemTest.java

+/*
+ * Copyright 2017 ETH Zuerich, CISD
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.datastoreserver.systemtests.authorization.predicate.project;
+
+import java.util.List;
+
+import ch.systemsx.cisd.common.exceptions.UserFailureException;
+import ch.systemsx.cisd.openbis.datastoreserver.systemtests.authorization.predicate.CommonPredicateSystemTest;
+import ch.systemsx.cisd.openbis.generic.shared.dto.IAuthSessionProvider;
+import ch.systemsx.cisd.openbis.generic.shared.dto.PersonPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.ProjectPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.SpacePE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.identifier.ProjectIdentifier;
+import ch.systemsx.cisd.openbis.systemtest.authorization.predicate.project.ProjectPredicateTestService;
+
+/**
+ * @author pkupczyk
+ */
+public class ProjectIdentifierExistingSpacePredicateSystemTest extends CommonPredicateSystemTest<ProjectIdentifier>
+{
+
+    @Override
+    protected ProjectIdentifier createNonexistentObject()
+    {
+        return new ProjectIdentifier("IDONTEXIST", "IDONTEXIST");
+    }
+
+    @Override
+    protected ProjectIdentifier createObject(SpacePE spacePE, ProjectPE projectPE)
+    {
+        return new ProjectIdentifier(spacePE.getCode(), projectPE.getCode());
+    }
+
+    @Override
+    protected void evaluateObjects(IAuthSessionProvider sessionProvider, List<ProjectIdentifier> objects)
+    {
+        getBean(ProjectPredicateTestService.class).testProjectIdentifierExistingSpacePredicate(sessionProvider, objects.get(0));
+    }
+
+    @Override
+    protected void assertWithNull(PersonPE person, Throwable t)
+    {
+        assertException(t, UserFailureException.class, "No project specified.");
+    }
+
+    @Override
+    protected void assertWithNonexistentObject(PersonPE person, Throwable t)
+    {
+        assertNoException(t);
+    }
+
+}

datastore_server/sourceTest/java/ch/systemsx/cisd/openbis/datastoreserver/systemtests/authorization/predicate/project/ProjectPermIdStringPredicateSystemTest.java

+/*
+ * Copyright 2017 ETH Zuerich, CISD
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.datastoreserver.systemtests.authorization.predicate.project;
+
+import java.util.List;
+
+import ch.systemsx.cisd.common.exceptions.UserFailureException;
+import ch.systemsx.cisd.openbis.datastoreserver.systemtests.authorization.predicate.CommonPredicateSystemTest;
+import ch.systemsx.cisd.openbis.generic.shared.dto.IAuthSessionProvider;
+import ch.systemsx.cisd.openbis.generic.shared.dto.PersonPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.ProjectPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.SpacePE;
+import ch.systemsx.cisd.openbis.systemtest.authorization.predicate.project.ProjectPredicateTestService;
+
+/**
+ * @author pkupczyk
+ */
+public class ProjectPermIdStringPredicateSystemTest extends CommonPredicateSystemTest<String>
+{
+
+    @Override
+    protected String createNonexistentObject()
+    {
+        return "IDONTEXIST";
+    }
+
+    @Override
+    protected String createObject(SpacePE spacePE, ProjectPE projectPE)
+    {
+        return projectPE.getPermId();
+    }
+
+    @Override
+    protected void evaluateObjects(IAuthSessionProvider sessionProvider, List<String> objects)
+    {
+        getBean(ProjectPredicateTestService.class).testProjectPermIdStringPredicate(sessionProvider, objects.get(0));
+    }
+
+    @Override
+    protected void assertWithNull(PersonPE person, Throwable t)
+    {
+        assertException(t, UserFailureException.class, "No project perm id specified.");
+    }
+
+    @Override
+    protected void assertWithNonexistentObject(PersonPE person, Throwable t)
+    {
+        assertNoException(t);
+    }
+
+}

openbis/source/java/ch/systemsx/cisd/openbis/generic/server/CommonServer.java

@@ -70,6 +70,7 @@ import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.DeletionT
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ExperimentUpdatesPredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ListSampleCriteriaPredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ProjectIdentifierPredicate;
+import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ProjectPermIdStringPredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ProjectUpdatesPredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.RevertDeletionPredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.SampleTechIdCollectionPredicate;
@@ -921,7 +922,7 @@ public final class CommonServer extends AbstractCommonServer<ICommonServerForInt
     }
 
     @Override
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    @RolesAllowed(RoleWithHierarchy.PROJECT_OBSERVER)
     public List<Experiment> listMetaprojectExperiments(final String sessionToken,
             IMetaprojectId metaprojectId)
     {
@@ -958,10 +959,10 @@ public final class CommonServer extends AbstractCommonServer<ICommonServerForInt
     }
 
     @Override
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    @RolesAllowed(RoleWithHierarchy.PROJECT_OBSERVER)
     public List<Experiment> listExperiments(final String sessionToken,
             ExperimentType experimentType,
-            @AuthorizationGuard(guardClass = SpaceIdentifierPredicate.class) ProjectIdentifier projectIdentifier)
+            @AuthorizationGuard(guardClass = ProjectIdentifierPredicate.class) ProjectIdentifier projectIdentifier)
     {
         List<ProjectIdentifier> projectIdentifiers = projectIdentifier != null ? Collections.singletonList(projectIdentifier) : null;
         return listExperiments(sessionToken, experimentType, null, projectIdentifiers, false, false);
@@ -2246,9 +2247,10 @@ public final class CommonServer extends AbstractCommonServer<ICommonServerForInt
     }
 
     @Override
-    @RolesAllowed(RoleWithHierarchy.SPACE_USER)
+    @RolesAllowed(RoleWithHierarchy.PROJECT_USER)
     @Capability("WRITE_EXPERIMENT_ATTACHMENT")
-    public void updateExperimentAttachments(String sessionToken, TechId experimentId,
+    public void updateExperimentAttachments(String sessionToken,
+            @AuthorizationGuard(guardClass = ExperimentTechIdPredicate.class) TechId experimentId,
             Attachment attachment)
     {
         Session session = getSession(sessionToken);
@@ -2260,9 +2262,9 @@ public final class CommonServer extends AbstractCommonServer<ICommonServerForInt
     }
 
     @Override
-    @RolesAllowed(RoleWithHierarchy.SPACE_USER)
+    @RolesAllowed(RoleWithHierarchy.PROJECT_USER)
     @Capability("WRITE_EXPERIMENT_ATTACHMENT")
-    public void addExperimentAttachment(String sessionToken, TechId experimentId,
+    public void addExperimentAttachment(String sessionToken, @AuthorizationGuard(guardClass = ExperimentTechIdPredicate.class) TechId experimentId,
             NewAttachment attachment)
     {
         Session session = getSession(sessionToken);
@@ -2530,7 +2532,8 @@ public final class CommonServer extends AbstractCommonServer<ICommonServerForInt
 
     @Override
     @RolesAllowed(RoleWithHierarchy.PROJECT_OBSERVER)
-    public IIdHolder getProjectIdHolder(String sessionToken, String projectPermId)
+    public IIdHolder getProjectIdHolder(String sessionToken,
+            @AuthorizationGuard(guardClass = ProjectPermIdStringPredicate.class) String projectPermId)
     {
         final Session session = getSession(sessionToken);
         final IProjectBO bo = businessObjectFactory.createProjectBO(session);
@@ -2946,7 +2949,7 @@ public final class CommonServer extends AbstractCommonServer<ICommonServerForInt
     @Override
     @RolesAllowed({ RoleWithHierarchy.SPACE_POWER_USER, RoleWithHierarchy.PROJECT_ADMIN })
     @Capability("WRITE_PROJECT_ATTACHMENT")
-    public void updateProjectAttachments(String sessionToken, TechId projectId,
+    public void updateProjectAttachments(String sessionToken, @AuthorizationGuard(guardClass = ProjectTechIdPredicate.class) TechId projectId,
             Attachment attachment)
     {
         Session session = getSession(sessionToken);
@@ -2960,7 +2963,7 @@ public final class CommonServer extends AbstractCommonServer<ICommonServerForInt
     @Override
     @RolesAllowed({ RoleWithHierarchy.SPACE_POWER_USER, RoleWithHierarchy.PROJECT_ADMIN })
     @Capability("WRITE_PROJECT_ATTACHMENT")
-    public void addProjectAttachments(String sessionToken, TechId projectId,
+    public void addProjectAttachments(String sessionToken, @AuthorizationGuard(guardClass = ProjectTechIdPredicate.class) TechId projectId,
             NewAttachment attachment)
     {
         Session session = getSession(sessionToken);
@@ -3588,7 +3591,7 @@ public final class CommonServer extends AbstractCommonServer<ICommonServerForInt
     }
 
     @Override
-    @RolesAllowed(RoleWithHierarchy.SPACE_USER)
+    @RolesAllowed(RoleWithHierarchy.PROJECT_USER)
     public void updateManagedPropertyOnExperiment(String sessionToken, TechId experimentId,
             IManagedProperty managedProperty, IManagedUiAction updateAction)
     {
@@ -4248,7 +4251,7 @@ public final class CommonServer extends AbstractCommonServer<ICommonServerForInt
     }
 
     @Override
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    @RolesAllowed(RoleWithHierarchy.PROJECT_OBSERVER)
     public void addToMetaproject(String sessionToken, IMetaprojectId metaprojectId,
             MetaprojectAssignmentsIds assignmentsToAdd)
     {
@@ -4341,7 +4344,7 @@ public final class CommonServer extends AbstractCommonServer<ICommonServerForInt
     }
 
     @Override
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    @RolesAllowed(RoleWithHierarchy.PROJECT_OBSERVER)
     public Metaproject registerMetaproject(String sessionToken,
             IMetaprojectRegistration registration)
     {

openbis/source/java/ch/systemsx/cisd/openbis/generic/server/ServiceForDataStoreServer.java

@@ -86,6 +86,8 @@ import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ListSampl
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.NewExperimentPredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.NewSamplePredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.NewSamplesWithTypePredicate;
+import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ProjectIdentifierExistingSpacePredicate;
+import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ProjectIdentifierPredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ProjectPermIdPredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.SampleOwnerIdentifierPredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.SamplePermIdPredicate;
@@ -553,7 +555,7 @@ public class ServiceForDataStoreServer extends AbstractCommonServer<IServiceForD
     @Override
     @RolesAllowed({ RoleWithHierarchy.PROJECT_OBSERVER, RoleWithHierarchy.SPACE_ETL_SERVER })
     public List<Experiment> listExperimentsForProjects(String sessionToken,
-            @AuthorizationGuard(guardClass = SpaceIdentifierPredicate.class) List<ProjectIdentifier> projectIdentifiers,
+            @AuthorizationGuard(guardClass = ProjectIdentifierPredicate.class) List<ProjectIdentifier> projectIdentifiers,
             ExperimentFetchOptions experimentFetchOptions)
     {
         if (sessionToken == null)
@@ -953,7 +955,7 @@ public class ServiceForDataStoreServer extends AbstractCommonServer<IServiceForD
         Set<SamplePropertyPE> properties = top.getProperties();
         HibernateUtils.initialize(properties);
         return EntityPropertyTranslator.translate(properties.toArray(new SamplePropertyPE[0]),
-                new HashMap<MaterialTypePE, MaterialType>(), new HashMap<PropertyTypePE, PropertyType>(), 
+                new HashMap<MaterialTypePE, MaterialType>(), new HashMap<PropertyTypePE, PropertyType>(),
                 managedPropertyEvaluatorFactory);
     }
 
@@ -976,7 +978,7 @@ public class ServiceForDataStoreServer extends AbstractCommonServer<IServiceForD
         Set<SamplePropertyPE> properties = sample.getProperties();
         HibernateUtils.initialize(properties);
         return EntityPropertyTranslator.translate(properties.toArray(new SamplePropertyPE[0]),
-                new HashMap<MaterialTypePE, MaterialType>(), new HashMap<PropertyTypePE, PropertyType>(), 
+                new HashMap<MaterialTypePE, MaterialType>(), new HashMap<PropertyTypePE, PropertyType>(),
                 managedPropertyEvaluatorFactory);
     }
 
@@ -1694,7 +1696,7 @@ public class ServiceForDataStoreServer extends AbstractCommonServer<IServiceForD
     @Override
     @RolesAllowed({ RoleWithHierarchy.PROJECT_OBSERVER, RoleWithHierarchy.SPACE_ETL_SERVER })
     public Project tryGetProject(String sessionToken,
-            @AuthorizationGuard(guardClass = ExistingSpaceIdentifierPredicate.class) ProjectIdentifier projectIdentifier)
+            @AuthorizationGuard(guardClass = ProjectIdentifierExistingSpacePredicate.class) ProjectIdentifier projectIdentifier)
     {
         final Session session = getSession(sessionToken);
         final IProjectBO bo = businessObjectFactory.createProjectBO(session);

openbis/source/java/ch/systemsx/cisd/openbis/generic/server/authorization/predicate/ProjectIdentifierExistingSpacePredicate.java

+/*
+ * Copyright 2017 ETH Zuerich, CISD
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.generic.server.authorization.predicate;
+
+/**
+ * @author pkupczyk
+ */
+public class ProjectIdentifierExistingSpacePredicate extends ProjectIdentifierPredicate
+{
+
+    public ProjectIdentifierExistingSpacePredicate()
+    {
+        super(true);
+    }
+
+}

openbis/source/java/ch/systemsx/cisd/openbis/generic/server/authorization/predicate/ProjectIdentifierPredicate.java

@@ -34,9 +34,15 @@ import ch.systemsx.cisd.openbis.generic.shared.dto.identifier.SpaceIdentifier;
  */
 public class ProjectIdentifierPredicate extends DelegatedPredicate<SpaceIdentifier, ProjectIdentifier>
 {
+
     public ProjectIdentifierPredicate()
     {
-        super(new SpaceIdentifierPredicate(false));
+        this(false);
+    }
+
+    public ProjectIdentifierPredicate(boolean okForNonExistentSpaces)
+    {
+        super(new SpaceIdentifierPredicate(okForNonExistentSpaces));
     }
 
     @Override

openbis/source/java/ch/systemsx/cisd/openbis/generic/server/authorization/predicate/ProjectPermIdStringPredicate.java

+/*
+ * Copyright 2012 ETH Zuerich, CISD
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.generic.server.authorization.predicate;
+
+import ch.systemsx.cisd.openbis.generic.shared.dto.PermId;
+
+/**
+ * @author pkupczyk
+ */
+public class ProjectPermIdStringPredicate extends DelegatedPredicate<PermId, String>
+{
+    public ProjectPermIdStringPredicate()
+    {
+        super(new ProjectPermIdPredicate());
+    }
+
+    @Override
+    public PermId tryConvert(String value)
+    {
+        return value != null ? new PermId(value) : null;
+    }
+
+    @Override
+    public String getCandidateDescription()
+    {
+        return "project perm id";
+    }
+
+}

openbis/sourceTest/java/ch/systemsx/cisd/openbis/generic/server/ServiceForDataStoreServerTest.java

@@ -16,18 +16,30 @@
 
 package ch.systemsx.cisd.openbis.generic.server;
 
+import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.fail;
+
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
-import junit.framework.Assert;
-
 import org.testng.annotations.Test;
 
+import ch.systemsx.cisd.common.exceptions.AuthorizationFailureException;
+import ch.systemsx.cisd.openbis.generic.shared.basic.TechId;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.AbstractExternalData;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.Experiment;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.ExperimentFetchOptions;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.Project;
+import ch.systemsx.cisd.openbis.generic.shared.dto.PermId;
+import ch.systemsx.cisd.openbis.generic.shared.dto.SessionContextDTO;
 import ch.systemsx.cisd.openbis.generic.shared.dto.SimpleDataSetInformationDTO;
+import ch.systemsx.cisd.openbis.generic.shared.dto.identifier.ProjectIdentifier;
 import ch.systemsx.cisd.openbis.systemtest.SystemTestCase;
+import ch.systemsx.cisd.openbis.systemtest.authorization.ProjectAuthorizationUser;
+
+import junit.framework.Assert;
 
 /**
  * @author pkupczyk
@@ -83,4 +95,149 @@ public class ServiceForDataStoreServerTest extends SystemTestCase
         Assert.assertEquals(Long.valueOf(123L), updatedDataSets.get(0).getSize());
     }
 
+    @Test(dataProviderClass = ProjectAuthorizationUser.class, dataProvider = ProjectAuthorizationUser.PROVIDER)
+    public void testListExperimentsForProjectsWithProjectAuthorization(ProjectAuthorizationUser user)
+    {
+        SessionContextDTO session = etlService.tryAuthenticate(user.getUserId(), PASSWORD);
+
+        ProjectIdentifier projectIdentifier = new ProjectIdentifier("TEST-SPACE", "TEST-PROJECT");
+        ExperimentFetchOptions fetchOptions = new ExperimentFetchOptions();
+
+        if (user.isTestSpaceUser() || (user.isTestProjectUser() && user.hasPAEnabled()))
+        {
+            List<Experiment> experiments =
+                    etlService.listExperimentsForProjects(session.getSessionToken(), Arrays.asList(projectIdentifier), fetchOptions);
+            assertEquals(experiments.size(), 1);
+            assertEquals(experiments.get(0).getIdentifier(), "/TEST-SPACE/TEST-PROJECT/EXP-SPACE-TEST");
+        } else
+        {
+            try
+            {
+                etlService.listExperimentsForProjects(session.getSessionToken(), Arrays.asList(projectIdentifier), fetchOptions);
+                fail();
+            } catch (AuthorizationFailureException e)
+            {
+                // expected
+            }
+        }
+    }
+
+    @Test(dataProviderClass = ProjectAuthorizationUser.class, dataProvider = ProjectAuthorizationUser.PROVIDER)
+    public void testListProjectsWithProjectAuthorization(ProjectAuthorizationUser user)
+    {
+        SessionContextDTO session = etlService.tryAuthenticate(user.getUserId(), PASSWORD);
+
+        List<Project> projects = etlService.listProjects(session.getSessionToken());
+
+        if (user.isTestSpaceUser())
+        {
+            assertEntities("[/TEST-SPACE/NOE, /TEST-SPACE/PROJECT-TO-DELETE, /TEST-SPACE/TEST-PROJECT]", projects);
+        } else if (user.isTestGroupUser())
+        {
+            assertEntities("[/TESTGROUP/TESTPROJ]", projects);
+        } else if (user.isTestProjectUser() && user.hasPAEnabled())
+        {
+            assertEntities("[/TEST-SPACE/PROJECT-TO-DELETE, /TEST-SPACE/TEST-PROJECT]", projects);
+        } else
+        {
+            assertEntities("[]", projects);
+        }
+    }
+
+    @Test(dataProviderClass = ProjectAuthorizationUser.class, dataProvider = ProjectAuthorizationUser.PROVIDER)
+    public void testTryGetProjectWithProjectAuthorization(ProjectAuthorizationUser user)
+    {
+        SessionContextDTO session = etlService.tryAuthenticate(user.getUserId(), PASSWORD);
+
+        ProjectIdentifier projectIdentifier = new ProjectIdentifier("TEST-SPACE", "TEST-PROJECT");
+
+        if (user.isTestSpaceUser() || (user.isTestProjectUser() && user.hasPAEnabled()))
+        {
+            Project project = etlService.tryGetProject(session.getSessionToken(), projectIdentifier);
+            assertEquals(project.getIdentifier(), "/TEST-SPACE/TEST-PROJECT");
+        } else
+        {
+            try
+            {
+                etlService.tryGetProject(session.getSessionToken(), projectIdentifier);
+                fail();
+            } catch (AuthorizationFailureException e)
+            {
+                // expected
+            }
+        }
+    }
+
+    @Test(dataProviderClass = ProjectAuthorizationUser.class, dataProvider = ProjectAuthorizationUser.PROVIDER)
+    public void testTryGetProjectByPermIdWithProjectAuthorization(ProjectAuthorizationUser user)
+    {
+        SessionContextDTO session = etlService.tryAuthenticate(user.getUserId(), PASSWORD);
+
+        PermId projectPermId = new PermId("20120814110011738-105"); // /TEST-SPACE/TEST-PROJECT
+
+        if (user.isTestSpaceUser() || (user.isTestProjectUser() && user.hasPAEnabled()))
+        {
+            Project project = etlService.tryGetProjectByPermId(session.getSessionToken(), projectPermId);
+            assertEquals(project.getIdentifier(), "/TEST-SPACE/TEST-PROJECT");
+        } else
+        {
+            try
+            {
+                etlService.tryGetProjectByPermId(session.getSessionToken(), projectPermId);
+                fail();
+            } catch (AuthorizationFailureException e)
+            {
+                // expected
+            }
+        }
+    }
+
+    @Test(dataProviderClass = ProjectAuthorizationUser.class, dataProvider = ProjectAuthorizationUser.PROVIDER)
+    public void testTryGetExperimentByPermIdWithProjectAuthorization(ProjectAuthorizationUser user)
+    {
+        SessionContextDTO session = etlService.tryAuthenticate(user.getUserId(), PASSWORD);
+
+        PermId experimentPermId = new PermId("201206190940555-1032"); // /TEST-SPACE/TEST-PROJECT/EXP-SPACE-TEST
+
+        if (user.isTestSpaceUser() || (user.isTestProjectUser() && user.hasPAEnabled()))
+        {
+            Experiment experiment = etlService.tryGetExperimentByPermId(session.getSessionToken(), experimentPermId);
+            assertEquals(experiment.getIdentifier(), "/TEST-SPACE/TEST-PROJECT/EXP-SPACE-TEST");
+        } else
+        {
+            try
+            {
+                etlService.tryGetExperimentByPermId(session.getSessionToken(), experimentPermId);
+                fail();
+            } catch (AuthorizationFailureException e)
+            {
+                // expected
+            }
+        }
+    }
+
+    @Test(dataProviderClass = ProjectAuthorizationUser.class, dataProvider = ProjectAuthorizationUser.PROVIDER)
+    public void testListDataSetsByExperimentIDWithProjectAuthorization(ProjectAuthorizationUser user)
+    {
+        SessionContextDTO session = etlService.tryAuthenticate(user.getUserId(), PASSWORD);
+
+        TechId experimentId = new TechId(23L); // /TEST-SPACE/TEST-PROJECT/EXP-SPACE-TEST
+
+        if (user.isTestSpaceUser() || (user.isTestProjectUser() && user.hasPAEnabled()))
+        {
+            List<AbstractExternalData> dataSets = etlService.listDataSetsByExperimentID(session.getSessionToken(), experimentId);
+            assertEquals(dataSets.size(), 9);
+        } else
+        {
+            try
+            {
+                etlService.listDataSetsByExperimentID(session.getSessionToken(), experimentId);
+                fail();
+            } catch (AuthorizationFailureException e)
+            {
+                // expected
+            }
+        }
+    }
+
 }

openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/authorization/predicate/project/ProjectPredicateTestService.java

@@ -28,9 +28,11 @@ import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.AbstractT
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.NewProjectPredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ProjectAugmentedCodePredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ProjectIdPredicate;
+import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ProjectIdentifierExistingSpacePredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ProjectIdentifierPredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ProjectPEPredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ProjectPermIdPredicate;
+import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ProjectPermIdStringPredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ProjectPredicate;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.ProjectUpdatesPredicate;
 import ch.systemsx.cisd.openbis.generic.shared.api.v1.dto.Project;
@@ -113,6 +115,13 @@ public class ProjectPredicateTestService
     {
     }
 
+    @Transactional
+    @RolesAllowed(value = { RoleWithHierarchy.PROJECT_OBSERVER })
+    public void testProjectPermIdStringPredicate(IAuthSessionProvider sessionProvider,
+            @AuthorizationGuard(guardClass = ProjectPermIdStringPredicate.class) String projectPermIdString)
+    {
+    }
+
     @Transactional
     @RolesAllowed(value = { RoleWithHierarchy.PROJECT_OBSERVER })
     public void testProjectTechIdCollectionPredicate(IAuthSessionProvider sessionProvider,
@@ -120,4 +129,11 @@ public class ProjectPredicateTestService
     {
     }
 
+    @Transactional
+    @RolesAllowed(value = { RoleWithHierarchy.PROJECT_OBSERVER })
+    public void testProjectIdentifierExistingSpacePredicate(IAuthSessionProvider sessionProvider,
+            @AuthorizationGuard(guardClass = ProjectIdentifierExistingSpacePredicate.class) ProjectIdentifier projectIdentifier)
+    {
+    }
+
 }

openbis/sourceTest/sql/postgresql/162/001=attachment_contents.tsv

@@ -8,3 +8,4 @@
 8	\\x33564350310a33564350320a3356435033
 9	\\x33564350310a33564350320a3356435033
 10	\\x33564350310a33564350320a3356435033
+11	\\x33564350310a33564350320a3356435033

openbis/sourceTest/sql/postgresql/162/002=attachments.tsv

@@ -8,3 +8,4 @@
 8	22	cellPlates.txt	2008-12-10 13:51:10.050748+01	1	2	8	\N	\N	\N	\N
 9	\N	projectDescription.txt	2012-01-03 08:27:57.123+01	1	2	9	\N	3	The Project	All about it.
 10	23	testExperiment.txt	2012-01-03 08:27:57.123+01	1	2	10	\N	\N	\N	\N
+11	\N	testProject.txt	2012-01-03 08:27:57.123+01	1	2	11	\N	5	\N	\N

openbis/sourceTest/sql/postgresql/162/025=experiment_properties.tsv

@@ -15,3 +15,4 @@
 20	22	1	A simple experiment	\N	2	2008-11-05 09:22:37.246+01	2009-03-18 10:50:19.475958+01	\N	1
 21	24	3	2009-02-10 01:00:00 +0200	\N	2	2009-02-09 12:17:55.058768+01	2009-03-18 10:50:19.475958+01	\N	1
 22	22	8	\N	\N	2	2008-11-05 09:22:37.246+01	2009-03-18 10:50:19.475958+01	35	1
+23	23	1	A test experiment	\N	2	2008-11-05 09:22:37.246+01	2009-03-18 10:50:19.475958+01	\N	1