From a845537dfc5b84a738209b428f9ef02eb1d7a379 Mon Sep 17 00:00:00 2001
From: Taras Madan <tarasmadan@google.com>
Date: Tue, 15 Oct 2024 17:17:27 +0200
Subject: [PATCH] dashboard/app: test existing code

---
 dashboard/app/access.go      | 29 ++++++++++++++++-------------
 dashboard/app/access_test.go |  4 ++++
 dashboard/app/app_test.go    |  2 +-
 3 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/dashboard/app/access.go b/dashboard/app/access.go
index 79165bb161ea..a96425f0b96c 100644
--- a/dashboard/app/access.go
+++ b/dashboard/app/access.go
@@ -46,9 +46,6 @@ func checkAccessLevel(c context.Context, r *http.Request, level AccessLevel) err
 	return ErrAccess
 }
 
-// AuthDomain is broken in AppEngine tests.
-var isBrokenAuthDomainInTest = false
-
 func emailInAuthDomains(email string, authDomains []string) bool {
 	for _, authDomain := range authDomains {
 		if strings.HasSuffix(email, authDomain) {
@@ -59,7 +56,7 @@ func emailInAuthDomains(email string, authDomains []string) bool {
 	return false
 }
 
-func currentUser(c context.Context, r *http.Request) *user.User {
+func currentUser(c context.Context) *user.User {
 	u := user.Current(c)
 	if u != nil {
 		return u
@@ -78,8 +75,18 @@ func currentUser(c context.Context, r *http.Request) *user.User {
 // OAuth2 token is expected to be present in "Authorization" header.
 // Example: "Authorization: Bearer $(gcloud auth print-access-token)".
 func accessLevel(c context.Context, r *http.Request) AccessLevel {
-	if user.IsAdmin(c) {
-		switch r.FormValue("access") {
+	return userAccessLevel(currentUser(c), r.FormValue("access"), getConfig(c))
+
+}
+// AuthDomain is broken in AppEngine tests.
+var trustedAuthDomain = "gmail.com"
+
+func userAccessLevel(u *user.User, wantAccess string, config *GlobalConfig) AccessLevel {
+	if u == nil {
+		return AccessPublic
+	}
+	if u.Admin {
+		switch wantAccess {
 		case "public":
 			return AccessPublic
 		case "user":
@@ -87,14 +94,10 @@ func accessLevel(c context.Context, r *http.Request) AccessLevel {
 		}
 		return AccessAdmin
 	}
-	u := currentUser(c, r)
-	if u == nil ||
-		// Devappserver does not pass AuthDomain.
-		u.AuthDomain != "gmail.com" && !isBrokenAuthDomainInTest ||
-		!emailInAuthDomains(u.Email, getConfig(c).AuthDomains) {
-		return AccessPublic
+	if u.AuthDomain == trustedAuthDomain &&	emailInAuthDomains(u.Email, config.AuthDomains) {
+		return AccessUser
 	}
-	return AccessUser
+	return AccessPublic
 }
 
 func checkTextAccess(c context.Context, r *http.Request, tag string, id int64) (*Bug, *Crash, error) {
diff --git a/dashboard/app/access_test.go b/dashboard/app/access_test.go
index c2a3191c450e..0eb771af71a9 100644
--- a/dashboard/app/access_test.go
+++ b/dashboard/app/access_test.go
@@ -429,3 +429,7 @@ func TestAccess(t *testing.T) {
 		}
 	}
 }
+
+func TestUserAccessLevel(t *testing.T) {
+	assert.Equal(t, AccessAdmin, userAccessLevel(&user.User{Admin: true}, "", nil))
+}
diff --git a/dashboard/app/app_test.go b/dashboard/app/app_test.go
index 97ede2e5a684..94e6c409df41 100644
--- a/dashboard/app/app_test.go
+++ b/dashboard/app/app_test.go
@@ -31,7 +31,7 @@ func init() {
 	os.Setenv("GAE_MODULE_VERSION", "1")
 	os.Setenv("GAE_MINOR_VERSION", "1")
 
-	isBrokenAuthDomainInTest = true
+	trustedAuthDomain = "" // Devappserver environment value is "", prod value is "gmail.com".
 	obsoleteWhatWontBeFixBisected = true
 	notifyAboutUnsuccessfulBisections = true
 	ensureConfigImmutability = true