From 2064890ea56e856cf7ce602561b1b95a93047d0a Mon Sep 17 00:00:00 2001
From: evilchili
Date: Tue, 7 Oct 2025 01:30:46 -0700
Subject: [PATCH] WIP
---
 test/test_db.py | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/test/test_db.py b/test/test_db.py
index e654881..5c782e0 100644
--- a/test/test_db.py
+++ b/test/test_db.py
@@ -43,6 +43,7 @@ def test_permissions(app):
 john = app.db.save(schema.User(name="john", email="john@foo", password="powerfulCat"))
 players = app.db.save(schema.Group(name="players", members=[john]))
 notes = app.db.save(schema.Page(name="notes"))
+ note0 = notes.add_member(schema.Page(name="note0"))

 # default no access
 assert not players.can_read(notes)
@@ -51,6 +52,8 @@ def test_permissions(app):
 assert not john.can_read(notes)
 assert not john.can_write(notes)
 assert not john.can_delete(notes)
+ assert not players.can_read(note0)
+ assert not john.can_read(note0)

 # set to rw, no delete
 notes.set_permissions(players, [schema.Permissions.READ, schema.Permissions.WRITE])
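Review bot: The default-deny assertions added for `note0` in the `-51,6 +52,8` hunk cover only `can_read`, while the context lines just above check john for read, write and delete on `notes`. A child page that started out writable or deletable would still pass this test. Add the matching negatives, e.g. `assert not john.can_write(note0)` and `assert not john.can_delete(note0)`, and the same pair for `players`. test_permissions begins before this hunk and continues past it.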
@@ -60,15 +63,33 @@ def test_permissions(app):
 assert players.can_write(notes)
 assert not players.can_delete(notes)

+ # propagated
+ note0 = app.db.Page.get(doc_id=note0.doc_id)
+ assert players.can_read(note0)
+ assert players.can_write(note0)
+ assert not players.can_delete(note0)
+ assert not john.can_delete(note0)
+
 # members of the group inherit group permissions
 assert john.can_read(notes)
+ assert john.can_read(note0)
 assert john.can_write(notes)
- assert not john.can_delete(notes)
+ assert john.can_write(note0)

 # permissions are the union of user + group permissions
 notes.set_permissions(john, [schema.Permissions.DELETE])
+ notes = app.db.Page.get(doc_id=notes.doc_id)
+ note0 = app.db.Page.get(doc_id=note0.doc_id)
 assert not players.can_delete(notes)
+ assert not players.can_delete(note0)
 assert john.can_delete(notes)
+ assert john.can_delete(note0)
+
+ # user perms always override inherited permissions
+ note0.set_permissions(john, [])
+ note0 = app.db.Page.get(doc_id=note0.doc_id)
+ assert not john.can_read(note0)
+ assert players.can_read(note0)


 def test_bootstrap(app):
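Review bot: The check that a group read/write grant does not give john delete on the parent page is dropped here: `assert not john.can_delete(notes)` is replaced by `assert john.can_write(note0)`. Between the group grant and the later `notes.set_permissions(john, [schema.Permissions.DELETE])`, nothing now asserts that john cannot delete `notes`; only `note0` is covered, in the propagated block. Keep the removed line alongside the new one. The final block also asserts only `can_read` after `note0.set_permissions(john, [])`, and its "user perms always override" comment sits next to "permissions are the union of user + group permissions" without saying which rule applies when. If the intent is that an explicit entry wins, state it, e.g. `# an explicit user entry on a page, even an empty one, replaces group and inherited grants for that user`, and add `assert not john.can_write(note0)` and `assert not john.can_delete(note0)` there. test_permissions starts before this hunk.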