Unit tests of API-level authorization when getting multiple score sets

jstone-dev · jstone-dev · commit 3aaecfa5eac6 · 2026-03-19T10:31:23.000-07:00
diff --git a/tests/routers/test_score_set.py b/tests/routers/test_score_set.py
@@ -713,6 +713,97 @@ def test_get_own_private_score_set(client, setup_router_db):
         assert (key, expected_response[key]) == (key, response_data[key])
 
 
+def test_cannot_get_other_user_private_score_set(session, client, setup_router_db):
+    experiment = create_experiment(client)
+    score_set = create_seq_score_set(client, experiment["urn"])
+    change_ownership(session, score_set["urn"], ScoreSetDbModel)
+    response = client.get(f"/api/v1/score-sets/{score_set['urn']}")
+    assert response.status_code == 404
+    response_data = response.json()
+    assert f"score set with URN '{score_set['urn']}' not found" in response_data["detail"]
+
+
+def test_anonymous_user_cannot_get_user_private_score_set(session, client, setup_router_db, anonymous_app_overrides):
+    experiment = create_experiment(client)
+    score_set = create_seq_score_set(client, experiment["urn"])
+    change_ownership(session, score_set["urn"], ScoreSetDbModel)
+    with DependencyOverrider(anonymous_app_overrides):
+        response = client.get(f"/api/v1/score-sets/{score_set['urn']}")
+
+    assert response.status_code == 404
+    response_data = response.json()
+    assert f"score set with URN '{score_set['urn']}' not found" in response_data["detail"]
+
+
+def test_contributor_can_get_other_users_private_score_set(session, client, setup_router_db):
+    experiment = create_experiment(client)
+    score_set = create_seq_score_set(client, experiment["urn"])
+    change_ownership(session, score_set["urn"], ScoreSetDbModel)
+    add_contributor(
+        session,
+        score_set["urn"],
+        ScoreSetDbModel,
+        TEST_USER["username"],
+        TEST_USER["first_name"],
+        TEST_USER["last_name"],
+    )
+
+    expected_response = update_expected_response_for_created_resources(
+        deepcopy(TEST_MINIMAL_SEQ_SCORESET_RESPONSE), experiment, score_set
+    )
+    expected_response["contributors"] = [
+        {
+            "recordType": "Contributor",
+            "orcidId": TEST_USER["username"],
+            "givenName": TEST_USER["first_name"],
+            "familyName": TEST_USER["last_name"],
+        }
+    ]
+    expected_response["createdBy"] = {
+        "recordType": "User",
+        "orcidId": EXTRA_USER["username"],
+        "firstName": EXTRA_USER["first_name"],
+        "lastName": EXTRA_USER["last_name"],
+    }
+    expected_response["modifiedBy"] = {
+        "recordType": "User",
+        "orcidId": EXTRA_USER["username"],
+        "firstName": EXTRA_USER["first_name"],
+        "lastName": EXTRA_USER["last_name"],
+    }
+    expected_response["experiment"].update({"numScoreSets": 1})
+
+    response = client.get(f"/api/v1/score-sets/{score_set['urn']}")
+    assert response.status_code == 200
+    response_data = response.json()
+
+    assert sorted(expected_response.keys()) == sorted(response_data.keys())
+    for key in expected_response:
+        assert (key, expected_response[key]) == (key, response_data[key])
+
+
+def test_admin_can_get_other_user_private_score_set(session, client, admin_app_overrides, setup_router_db):
+    experiment = create_experiment(client)
+    score_set = create_seq_score_set(client, experiment["urn"])
+    expected_response = update_expected_response_for_created_resources(
+        deepcopy(TEST_MINIMAL_SEQ_SCORESET_RESPONSE), experiment, score_set
+    )
+    expected_response["experiment"].update({"numScoreSets": 1})
+    with DependencyOverrider(admin_app_overrides):
+        response = client.get(f"/api/v1/score-sets/{score_set['urn']}")
+
+    assert response.status_code == 200
+    response_data = response.json()
+    assert sorted(expected_response.keys()) == sorted(response_data.keys())
+    for key in expected_response:
+        assert (key, expected_response[key]) == (key, response_data[key])
+
+
+########################################################################################################################
+# Multiple score set fetching
+########################################################################################################################
+
+
 def test_get_score_sets_by_comma_separated_urns(client, setup_router_db):
     experiment = create_experiment(client)
     first_score_set = create_seq_score_set(client, experiment["urn"])
@@ -763,26 +854,94 @@ def test_get_score_sets_with_whitespace_around_urns_in_mixed_list_returns_404(cl
     assert response.json()["detail"] == f"score set with URN '{missing_urn}' not found"
 
 
-def test_cannot_get_other_user_private_score_set(session, client, setup_router_db):
+def test_show_score_sets_anonymous_can_fetch_public_score_sets(
+    session, client, setup_router_db, anonymous_app_overrides, data_provider, data_files
+):
     experiment = create_experiment(client)
     score_set = create_seq_score_set(client, experiment["urn"])
+    score_set = mock_worker_variant_insertion(client, session, data_provider, score_set, data_files / "scores.csv")
+    with patch.object(arq.ArqRedis, "enqueue_job", return_value=None):
+        published_score_set = publish_score_set(client, score_set["urn"])
+
+    with DependencyOverrider(anonymous_app_overrides):
+        response = client.get(
+            "/api/v1/score-sets/",
+            params={"urns": published_score_set["urn"]},
+        )
+
+    assert response.status_code == 200
+    response_data = response.json()
+    assert len(response_data) == 1
+    assert response_data[0]["urn"] == published_score_set["urn"]
+
+
+def test_show_score_sets_anonymous_cannot_fetch_private_score_sets(session, client, setup_router_db, anonymous_app_overrides):
+    experiment = create_experiment(client)
+    score_set = create_seq_score_set(client, experiment["urn"])
+    # Score set is private (not published); change ownership so it belongs to another user
     change_ownership(session, score_set["urn"], ScoreSetDbModel)
-    response = client.get(f"/api/v1/score-sets/{score_set['urn']}")
+
+    with DependencyOverrider(anonymous_app_overrides):
+        response = client.get(
+            "/api/v1/score-sets/",
+            params={"urns": score_set["urn"]},
+        )
+
     assert response.status_code == 404
+    assert f"score set with URN '{score_set['urn']}' not found" in response.json()["detail"]
+
+
+def test_show_score_sets_authenticated_user_can_fetch_own_private_score_sets(client, setup_router_db):
+    experiment = create_experiment(client)
+    score_set = create_seq_score_set(client, experiment["urn"])
+
+    response = client.get(
+        "/api/v1/score-sets/",
+        params={"urns": score_set["urn"]},
+    )
+
+    assert response.status_code == 200
     response_data = response.json()
-    assert f"score set with URN '{score_set['urn']}' not found" in response_data["detail"]
+    assert len(response_data) == 1
+    assert response_data[0]["urn"] == score_set["urn"]
 
 
-def test_anonymous_user_cannot_get_user_private_score_set(session, client, setup_router_db, anonymous_app_overrides):
+def test_show_score_sets_authenticated_user_cannot_fetch_other_users_private_score_sets(
+    session, client, setup_router_db
+):
     experiment = create_experiment(client)
     score_set = create_seq_score_set(client, experiment["urn"])
     change_ownership(session, score_set["urn"], ScoreSetDbModel)
+
+    response = client.get(
+        "/api/v1/score-sets/",
+        params={"urns": score_set["urn"]},
+    )
+
+    assert response.status_code == 404
+    assert f"score set with URN '{score_set['urn']}' not found" in response.json()["detail"]
+
+
+def test_show_score_sets_mixed_public_and_private_returns_404(
+    session, client, setup_router_db, anonymous_app_overrides, data_provider, data_files
+):
+    experiment = create_experiment(client)
+    public_score_set = create_seq_score_set(client, experiment["urn"])
+    public_score_set = mock_worker_variant_insertion(client, session, data_provider, public_score_set, data_files / "scores.csv")
+    private_score_set = create_seq_score_set(client, experiment["urn"])
+    with patch.object(arq.ArqRedis, "enqueue_job", return_value=None):
+        published_score_set = publish_score_set(client, public_score_set["urn"])
+    # Make private_score_set belong to a different user to make it inaccessible anonymously
+    change_ownership(session, private_score_set["urn"], ScoreSetDbModel)
+
     with DependencyOverrider(anonymous_app_overrides):
-        response = client.get(f"/api/v1/score-sets/{score_set['urn']}")
+        response = client.get(
+            "/api/v1/score-sets/",
+            params={"urns": f"{published_score_set['urn']},{private_score_set['urn']}"},
+        )
 
     assert response.status_code == 404
-    response_data = response.json()
-    assert f"score set with URN '{score_set['urn']}' not found" in response_data["detail"]
+    assert f"score set with URN '{private_score_set['urn']}' not found" in response.json()["detail"]
 
 
 def test_can_add_contributor_in_both_experiment_and_score_set(session, client, setup_router_db):
@@ -818,70 +977,6 @@ def test_can_add_contributor_in_both_experiment_and_score_set(session, client, s
     assert any(c["orcidId"] == TEST_USER["username"] for c in exp_response_data["contributors"])
 
 
-def test_contributor_can_get_other_users_private_score_set(session, client, setup_router_db):
-    experiment = create_experiment(client)
-    score_set = create_seq_score_set(client, experiment["urn"])
-    change_ownership(session, score_set["urn"], ScoreSetDbModel)
-    add_contributor(
-        session,
-        score_set["urn"],
-        ScoreSetDbModel,
-        TEST_USER["username"],
-        TEST_USER["first_name"],
-        TEST_USER["last_name"],
-    )
-
-    expected_response = update_expected_response_for_created_resources(
-        deepcopy(TEST_MINIMAL_SEQ_SCORESET_RESPONSE), experiment, score_set
-    )
-    expected_response["contributors"] = [
-        {
-            "recordType": "Contributor",
-            "orcidId": TEST_USER["username"],
-            "givenName": TEST_USER["first_name"],
-            "familyName": TEST_USER["last_name"],
-        }
-    ]
-    expected_response["createdBy"] = {
-        "recordType": "User",
-        "orcidId": EXTRA_USER["username"],
-        "firstName": EXTRA_USER["first_name"],
-        "lastName": EXTRA_USER["last_name"],
-    }
-    expected_response["modifiedBy"] = {
-        "recordType": "User",
-        "orcidId": EXTRA_USER["username"],
-        "firstName": EXTRA_USER["first_name"],
-        "lastName": EXTRA_USER["last_name"],
-    }
-    expected_response["experiment"].update({"numScoreSets": 1})
-
-    response = client.get(f"/api/v1/score-sets/{score_set['urn']}")
-    assert response.status_code == 200
-    response_data = response.json()
-
-    assert sorted(expected_response.keys()) == sorted(response_data.keys())
-    for key in expected_response:
-        assert (key, expected_response[key]) == (key, response_data[key])
-
-
-def test_admin_can_get_other_user_private_score_set(session, client, admin_app_overrides, setup_router_db):
-    experiment = create_experiment(client)
-    score_set = create_seq_score_set(client, experiment["urn"])
-    expected_response = update_expected_response_for_created_resources(
-        deepcopy(TEST_MINIMAL_SEQ_SCORESET_RESPONSE), experiment, score_set
-    )
-    expected_response["experiment"].update({"numScoreSets": 1})
-    with DependencyOverrider(admin_app_overrides):
-        response = client.get(f"/api/v1/score-sets/{score_set['urn']}")
-
-    assert response.status_code == 200
-    response_data = response.json()
-    assert sorted(expected_response.keys()) == sorted(response_data.keys())
-    for key in expected_response:
-        assert (key, expected_response[key]) == (key, response_data[key])
-
-
 @pytest.mark.parametrize(
     "mock_publication_fetch",
     [
