Merge remote-tracking branch 'origin/main' into draft-into-morphology-model

* origin/main:
  root routes should not require auth, make sure tests reflect this (#351)
  Specify permission for service admin (#342)

Author: GianlucaFicarelli

docs/API.md

@@ -14,20 +14,11 @@
 ```
 
 These have CRUD-able patterns:
-    GET /contribution/{id} to get
-    POST /contribution/ to create
+    GET /experimental-bouton-density/{id} to get
+    POST /experimental-bouton-density/ to create
+    PATCH /experimental-bouton-density/ to update
 
-
-Note: the organizations will need to be filled in; they include ones that are not yet part of the OBI, so there isn't a one-to-one relationship with what is included virtual lab service.
-Future work may include auto-additing organizations when one joins the OBI; alternatively the first time data is created, they could be added.
-Currently, `Entity`s are immutable, with the exception of the `authorized_public` property (see Authorization).
-
-TODO:
-    What are the ACLs on these operations?
-        contribution
-        organization
-        person
-        role
+API reserved for the service admin group (see [Authorization](#Authorization)) will be prefixed by /admin/ .
 
 # List views
 The endpoint for returning the listing per type; including faceting; if no query parameter is passed, the traditional list view will be returned (ie: no filtering)
@@ -363,6 +354,13 @@ Members of the owning project can set the `authorized_public` on creation, to ma
 In addition, this value can be changed by using the `PATCH` operation.
 Once an `Entity` is made public, it can not be made private, since it could be already shared/used by others.
 
+Users in the [service admin group](#service-admin-group) can read data from any project, and edit (read/update/delete) data in any project.
+
+A resource without an authorized_project_id is called a global resource.
+
+Global resources and public entities can be updated only by service admins.
+
+
 
 ### To be looked at more:
 ```

tests/routers/test_root.py

@@ -1,22 +1,22 @@
 from app.config import settings
 
 
-def test_root(client):
-    response = client.get("/", follow_redirects=False)
+def test_root(client_no_auth):
+    response = client_no_auth.get("/", follow_redirects=False)
 
     assert response.status_code == 302
     assert response.next_request.url.path == f"{settings.ROOT_PATH}/docs"
 
 
-def test_health(client):
-    response = client.get("/health")
+def test_health(client_no_auth):
+    response = client_no_auth.get("/health")
 
     assert response.status_code == 200
     assert response.json() == {"status": "OK"}
 
 
-def test_version(client):
-    response = client.get("/version")
+def test_version(client_no_auth):
+    response = client_no_auth.get("/version")
 
     assert response.status_code == 200
     response_json = response.json()
@@ -26,8 +26,8 @@ def test_version(client):
     assert response_json["commit_sha"] is not None
 
 
-def test_error(client):
-    response = client.get("/error")
+def test_error(client_no_auth):
+    response = client_no_auth.get("/error")
 
     assert response.status_code == 400
     assert response.json() == {
@@ -37,8 +37,8 @@ def test_error(client):
     }
 
 
-def test_extra_query_params(client):
-    response = client.get("/version", params={"foo": "bar"})
+def test_extra_query_params(client_no_auth):
+    response = client_no_auth.get("/version", params={"foo": "bar"})
 
     assert response.status_code == 422
     assert response.json() == {
@@ -48,7 +48,7 @@ def test_extra_query_params(client):
     }
 
 
-def test_extra_query_params_bypass(client):
-    response = client.get("/version", params={"foo": "bar", "allow_extra_params": True})
+def test_extra_query_params_bypass(client_no_auth):
+    response = client_no_auth.get("/version", params={"foo": "bar", "allow_extra_params": True})
 
     assert response.status_code == 200