Beispiel #1
def test_require_any(record: ExampleRecord):
    """Check that ``require_any`` grants access only if some alternative does."""
    # The assertions imply the fixture record is in the 'closed' state, so
    # neither alternative below should match it.
    none_matching = require_any(
        state_required('new'),
        state_required('editing'),
    )
    assert not none_matching(record).can()

    # One matching alternative ('closed') is enough to grant access.
    one_matching = require_any(
        state_required('closed'),
        state_required('editing'),
    )
    assert one_matching(record).can()

    # An empty set of alternatives must deny: nothing is there to grant access.
    no_alternatives = require_any()
    assert not no_alternatives(record).can()
Beispiel #2
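def read_permission_factory(record, *args, **kwargs):
    """Read permission factory that takes secondary communities into account.

    Access to the record is granted when any of the following holds:
        * Record is PUBLISHED, OR
        * ``require_action_allowed(COMMUNITY_READ)`` passes AND:
            1) Current user is the OWNER of the record, OR
            2) User's role has been granted READ in one of the record's
               communities (primary or secondary) AND either
                 a) record is APPROVED and the user is a MEMBER or PUBLISHER
                    of the community, OR
                 b) the user is a CURATOR of the community.

    The owner branch is nested inside the ``require_action_allowed`` check,
    so ownership alone does not grant read access to an unpublished record.

    :param record: An instance of :class:`oarepo_communities.record.CommunityRecordMixin`.
        Anything that is not a ``Record`` instance (including ``None``) is rejected.
    :raises RuntimeError: If ``record`` is not a ``Record`` instance.
    :returns: A :class:`invenio_access.permissions.Permission` instance.
    """
    # Fail closed: refuse to build a permission for anything that is not a Record.
    if not isinstance(record, Record):
        raise RuntimeError('Unknown or missing object')

    # READ needs are evaluated against the primary and every secondary community.
    communities = [record.primary_community, *record.secondary_communities]
    return require_any(
        #: Anyone can read published records
        state_required(STATE_PUBLISHED),
        require_all(
            require_action_allowed(COMMUNITY_READ),
            require_any(
                #: Record AUTHOR can READ his own records
                owner_permission_impl,
                require_all(
                    #: User's role has granted READ permissions in record's communities
                    Permission(*[ParameterizedActionNeed(COMMUNITY_READ, x) for x in communities]),
                    require_any(
                        #: Community MEMBERS can READ APPROVED community records
                        require_all(
                            state_required(STATE_APPROVED),
                            require_any(
                                community_member_permission_impl,
                                community_publisher_permission_impl
                            )
                        ),
                        #: Community CURATORS can READ ALL community records
                        community_curator_permission_impl
                    )
                )
            )
        )
    )(record, *args, **kwargs)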
Beispiel #3
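def update_permission_factory(record, *args, **kwargs):
    """Records REST update permission factory.

    Permission is granted if:
    * ``state_required(None, STATE_EDITING, STATE_PENDING_APPROVAL)`` passes
      (the record is a DRAFT) AND
      * ``state_required(None, STATE_EDITING)`` passes (not submitted for
        APPROVAL yet) and the current user is the OWNER of the record. OR
      * Current user is in role that has UPDATE action allowed in record's
        PRIMARY community (as enforced by ``action_permission_factory``,
        which is not visible here).

    :param record: The record the update is checked against.
    :param args: Extra positional arguments forwarded to the permission factories.
    :param kwargs: Extra keyword arguments forwarded to the permission factories.
    :returns: The result of calling the combined permission with the record;
        presumably a permission object exposing ``can()``.
    """
    return require_all(
        # Outer gate: updates are only possible while the record is a draft.
        state_required(None, STATE_EDITING, STATE_PENDING_APPROVAL),
        require_any(
            # The owner loses the right to edit once approval has been requested.
            require_all(
                state_required(None, STATE_EDITING),
                owner_permission_impl
            ),
            action_permission_factory(COMMUNITY_UPDATE)(record, *args, **kwargs)
        )
    )(record, *args, **kwargs)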
Beispiel #4
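def unpublish_permission_factory(record, *args, **kwargs):
    """Unpublish action permissions factory.

    Permission is granted if:
    * Record is PUBLISHED. AND
    * Current user is in role that has UNPUBLISH action allowed in record's
      PRIMARY community (as enforced by ``action_permission_factory``, which
      is not visible here).

    :param record: The record the action is checked against.
    :param args: Extra positional arguments forwarded to the permission factories.
    :param kwargs: Extra keyword arguments forwarded to the permission factories.
    :returns: The result of calling the combined permission with the record;
        presumably a permission object exposing ``can()``.
    """
    # Both the state check and the role check must pass.
    return require_all(
        state_required(STATE_PUBLISHED),
        action_permission_factory(COMMUNITY_UNPUBLISH)(record, *args, **kwargs)
    )(record, *args, **kwargs)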
Beispiel #5
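def revert_approval_permission_factory(record, *args, **kwargs):
    """Revert approval action permissions factory.

    Permission is granted if:
    * Record is APPROVED. AND
    * Current user is in role that has REVERT APPROVE action allowed in
      record's PRIMARY community (as enforced by
      ``action_permission_factory``, which is not visible here).

    :param record: The record the action is checked against.
    :param args: Extra positional arguments forwarded to the permission factories.
    :param kwargs: Extra keyword arguments forwarded to the permission factories.
    :returns: The result of calling the combined permission with the record;
        presumably a permission object exposing ``can()``.
    """
    # Both the state check and the role check must pass.
    return require_all(
        state_required(STATE_APPROVED),
        action_permission_factory(COMMUNITY_REVERT_APPROVE)(record, *args, **kwargs)
    )(record, *args, **kwargs)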
Beispiel #6
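def approve_permission_factory(record, *args, **kwargs):
    """Approve action permissions factory.

    Permission is granted if:
    * Record is submitted for approval (STATE_PENDING_APPROVAL). AND
    * Current user is in role that has APPROVE action allowed in record's
      PRIMARY community (as enforced by ``action_permission_factory``, which
      is not visible here).

    :param record: The record the action is checked against.
    :param args: Extra positional arguments forwarded to the permission factories.
    :param kwargs: Extra keyword arguments forwarded to the permission factories.
    :returns: The result of calling the combined permission with the record;
        presumably a permission object exposing ``can()``.
    """
    # Both the state check and the role check must pass.
    return require_all(
        state_required(STATE_PENDING_APPROVAL),
        action_permission_factory(COMMUNITY_APPROVE)(record, *args, **kwargs)
    )(record, *args, **kwargs)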
Beispiel #7
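def request_changes_permission_factory(record, *args, **kwargs):
    """Request changes action permissions factory.

    Permission is granted if:
    * Record is submitted for approval (STATE_PENDING_APPROVAL). AND
    * Current user is in role that has REQUEST CHANGES action allowed in
      record's PRIMARY community (as enforced by
      ``action_permission_factory``, which is not visible here).

    :param record: The record the action is checked against.
    :param args: Extra positional arguments forwarded to the permission factories.
    :param kwargs: Extra keyword arguments forwarded to the permission factories.
    :returns: The result of calling the combined permission with the record;
        presumably a permission object exposing ``can()``.
    """
    # Both the state check and the role check must pass.
    return require_all(
        state_required(STATE_PENDING_APPROVAL),
        action_permission_factory(COMMUNITY_REQUEST_CHANGES)(record, *args, **kwargs)
    )(record, *args, **kwargs)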
Beispiel #8
def delete_permission_factory(record, *args, **kwargs):
    """Build the REST delete permission for a record.

    Deletion is allowed only when both conditions hold:
    * the record passes ``state_required(None, STATE_EDITING)`` (a DRAFT), and
    * the current user is the owner of the record, or is in a role that has
      the DELETE action allowed in the record's PRIMARY community (both
      alternatives are delegated to ``owner_or_role_action_permission_factory``).
    """
    # State gate: only draft records may be deleted.
    draft_only = state_required(None, STATE_EDITING)
    # Identity gate: owner or a role with the DELETE action.
    owner_or_role = owner_or_role_action_permission_factory(
        COMMUNITY_DELETE, record, *args, **kwargs
    )
    combined = require_all(draft_only, owner_or_role)
    return combined(record, *args, **kwargs)
Beispiel #9
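def request_approval_permission_factory(record, *args, **kwargs):
    """Request approval action permissions factory.

    Permission is granted if:
    * Record is an EDITED DRAFT record
      (``state_required(None, STATE_EDITING)``). AND
      * Current user is the owner of the record. OR
      * Current user is in role that has REQUEST APPROVAL action allowed
        in record's PRIMARY community.

    The owner/role alternatives are delegated to
    ``owner_or_role_action_permission_factory``, which is not visible here.

    :param record: The record the action is checked against.
    :param args: Extra positional arguments forwarded to the combined permission.
    :param kwargs: Extra keyword arguments forwarded to the combined permission.
    :returns: The result of calling the combined permission with the record;
        presumably a permission object exposing ``can()``.
    """
    return require_all(
        state_required(None, STATE_EDITING),
        # NOTE(review): unlike delete_permission_factory, *args/**kwargs are
        # not forwarded to owner_or_role_action_permission_factory here.
        # Confirm this is intentional, since the two authorization checks
        # would otherwise be evaluated with different inputs.
        owner_or_role_action_permission_factory(COMMUNITY_REQUEST_APPROVAL, record)
    )(record, *args, **kwargs)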
Beispiel #10
def test_state_required(record: ExampleRecord, users):
    """Check that ``state_required`` grants only for the record's own state."""
    # The assertions imply the fixture record is in the 'closed' state.
    matching_state = state_required('closed')
    assert matching_state(record).can()

    # Any other state must be denied.
    other_state = state_required('editing')
    assert not other_state(record).can()