From 2bcc26860f9ec3c9528ac4d812ee18c2ea54a4f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?= <sybren@stuvel.eu>
Date: Wed, 6 Dec 2017 11:59:01 +0100
Subject: [PATCH] Removed 'subscriber' cap from 'admin' role

This allows admins to test what happens when users do not have a
subscription. To give the user subscriber capability, just grant demo role
as well.
---
 pillar/auth/__init__.py                   | 2 +-
 pillar/config.py                          | 2 +-
 tests/test_api/test_auth.py               | 2 +-
 tests/test_api/test_project_management.py | 7 ++++---
 4 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/pillar/auth/__init__.py b/pillar/auth/__init__.py
index 9f9e3168..28b2c475 100644
--- a/pillar/auth/__init__.py
+++ b/pillar/auth/__init__.py
@@ -18,7 +18,7 @@ log = logging.getLogger(__name__)
 CAPABILITIES = collections.defaultdict(**{
     'subscriber': {'subscriber', 'home-project'},
     'demo': {'subscriber', 'home-project'},
-    'admin': {'subscriber', 'home-project', 'video-encoding', 'admin',
+    'admin': {'video-encoding', 'admin',
               'view-pending-nodes', 'edit-project-node-types'},
 }, default_factory=frozenset)
 
diff --git a/pillar/config.py b/pillar/config.py
index eb168fa7..10602ac4 100644
--- a/pillar/config.py
+++ b/pillar/config.py
@@ -200,7 +200,7 @@ CELERY_BEAT_SCHEDULE = {
 USER_CAPABILITIES = defaultdict(**{
     'subscriber': {'subscriber', 'home-project'},
     'demo': {'subscriber', 'home-project'},
-    'admin': {'subscriber', 'home-project', 'video-encoding', 'admin',
+    'admin': {'video-encoding', 'admin',
               'view-pending-nodes', 'edit-project-node-types', 'create-organization'},
     'org-subscriber': {'subscriber', 'home-project'},
 }, default_factory=frozenset)
diff --git a/tests/test_api/test_auth.py b/tests/test_api/test_auth.py
index 5c600cbb..13191454 100644
--- a/tests/test_api/test_auth.py
+++ b/tests/test_api/test_auth.py
@@ -677,7 +677,7 @@ class RequireRolesTest(AbstractPillarTest):
         self.assertFalse(called[0])
 
         with self.app.test_request_context():
-            self.login_api_as(ObjectId(24 * 'a'), ['admin'])
+            self.login_api_as(ObjectId(24 * 'a'), ['demo'])
             call_me()
         self.assertTrue(called[0])
 
diff --git a/tests/test_api/test_project_management.py b/tests/test_api/test_project_management.py
index 04ada87a..d35126a1 100644
--- a/tests/test_api/test_project_management.py
+++ b/tests/test_api/test_project_management.py
@@ -95,7 +95,7 @@ class ProjectCreationTest(AbstractProjectTest):
     def test_project_creation_access_admin(self):
         """Admin-created projects should be public"""
 
-        proj = self._create_user_and_project(roles={'admin'})
+        proj = self._create_user_and_project(roles={'admin', 'demo'})
         self.assertEqual(['GET'], proj['permissions']['world'])
 
     def test_project_creation_access_subscriber(self):
@@ -311,13 +311,14 @@ class ProjectEditTest(AbstractProjectTest):
 
     def test_delete_by_admin(self):
         # Create public test project.
-        project_info = self._create_user_and_project(['admin'])
+        project_info = self._create_user_and_project(['admin', 'demo'])
         project_id = project_info['_id']
         project_url = '/api/projects/%s' % project_id
 
         # Create admin user that doesn't own the project, to check that
         # non-owner admins can delete projects too.
-        self._create_user_with_token(['admin'], 'admin-token', user_id='cafef00dbeefcafef00dbeef')
+        self._create_user_with_token(['admin'], 'admin-token',
+                                     user_id='cafef00dbeefcafef00dbeef')
 
         # Admin user should be able to DELETE.
         resp = self.client.delete(project_url,