Merge pull request #8990 from metabase/allow-non-admins-to-create-children-of-root-collection

Fix non-admins w/ perms not able to create new collection in root

Merge pull request #8990 from metabase/allow-non-admins-to-create-children-of-root-collection
460fa22a · Cam Saul · GitHub · 98aaf954 · eb16b977 · 460fa22a
Unverified Commit 460fa22a authored 6 years ago by Cam Saul Committed by GitHub 6 years ago
--- a/src/metabase/api/collection.clj
+++ b/src/metabase/api/collection.clj
@@ -171,11 +171,9 @@
  "Check that you're allowed to write Collection with `collection-id`; if `collection-id` is `nil`, check that you have
  Root Collection perms."
  [collection-id]
-  (if collection-id
-    (api/write-check Collection collection-id)
-    ;; if the Collection is going to go in the Root Collection, for the time being we'll just check that you're a
-    ;; superuser. Once we merge in Root Collection permissions we'll need to change this !
-    (api/check-superuser)))
+  (api/write-check (if collection-id
+                     (Collection collection-id)
+                     collection/root-collection)))

 (api/defendpoint POST "/"
  "Create a new Collection."

--- a/test/metabase/api/collection_test.clj
+++ b/test/metabase/api/collection_test.clj
@@ -486,11 +486,30 @@
         {:name "Stamp Collection", :color "#123456"})
        (dissoc :id))))

-;; test that non-admins aren't allowed to create a collection
+;; test that non-admins aren't allowed to create a collection in the root collection
 (expect
  "You don't have permissions to do that."
-  ((user->client :rasta) :post 403 "collection"
-   {:name "Stamp Collection", :color "#123456"}))
+  (tu/with-non-admin-groups-no-root-collection-perms
+    ((user->client :rasta) :post 403 "collection"
+     {:name "Stamp Collection", :color "#123456"})))
+
+;; Can a non-admin user with Root Collection perms add a new collection to the Root Collection? (#8949)
+(expect
+  {:name              "Stamp Collection"
+   :description       nil
+   :color             "#123456"
+   :archived          false
+   :location          "/"
+   :personal_owner_id nil
+   :slug              "stamp_collection"}
+  (tu/with-model-cleanup [Collection]
+    (tu/with-non-admin-groups-no-root-collection-perms
+      (-> (tt/with-temp* [PermissionsGroup           [group]
+                          PermissionsGroupMembership [_ {:user_id (user->id :rasta), :group_id (u/get-id group)}]]
+            (perms/grant-collection-readwrite-permissions! group collection/root-collection)
+            ((user->client :rasta) :post 200 "collection"
+             {:name "Stamp Collection", :color "#123456"}))
+          (dissoc :id)))))

 ;; Can I create a Collection as a child of an existing collection?
 (expect