def test_record_create(db, app, community, client, users, es, test_blueprint):
# Non-community members cannot create records in a community.
recdata = {
'title': 'Test record',
'oarepo:primaryCommunity': community[0],
'state': '',
'oarepo:secondaryCommunities': ['B'],
'access': {
'owned_by': [1]
}
}
resp = client.post('https://localhost/comtest/', json=recdata)
assert resp.status_code == 401
role = Role.query.all()[0]
user = User.query.all()[0]
community[1].allow_action(role, COMMUNITY_READ)
community[1].allow_action(role, COMMUNITY_CREATE)
current_datastore.add_role_to_user(user, role)
with app.test_client() as client:
resp = client.get(
url_for('_tests.test_login_{}'.format(user.id), _external=True))
assert resp.status_code == 200
# Create with correct primary community data succeeds
resp = client.post('https://localhost/comtest/', json=recdata)
assert resp.status_code == 201
def create_user(self, email, entry):
"""Load a single user."""
# when the user's password is set in the configuration, then
# this overrides everything else
password = current_app.config.get("RDM_RECORDS_USER_FIXTURE_PASSWORDS",
{}).get(email)
if not password:
# for auto-generated passwords use letters, digits,
# and some punctuation marks
alphabet = string.ascii_letters + string.digits + "+,-_."
gen_passwd = "".join(secrets.choice(alphabet) for i in range(20))
password = entry.get("password") or gen_passwd
user_data = {
"email": email,
"active": entry.get("active", False),
"password": hash_password(password),
}
user = current_datastore.create_user(**user_data)
for role in entry.get("roles", []):
current_datastore.add_role_to_user(user, role)
for action in entry.get("allow", []):
action = current_access.actions[action]
db.session.add(ActionUsers.allow(action, user_id=user.id))
db.session.commit()
def community_publisher(db, community):
"""Curator user."""
user = create_test_user('*****@*****.**')
member = OARepoCommunity.get_role(community[1], 'member')
publisher = OARepoCommunity.get_role(community[1], 'publisher')
current_datastore.add_role_to_user(user, member)
current_datastore.add_role_to_user(user, publisher)
yield publisher
def admin_user(users, roles):
"""Give admin rights to a user."""
user = users["user1"]
role = roles["admin"]
current_datastore.add_role_to_user(user, role)
action = current_access.actions["superuser-access"]
db.session.add(ActionUsers.allow(action, user_id=user.id))
return user
def test_cli_action_allow(app, script_info, community, authenticated_user, db):
runner = CliRunner()
app.config['SQLALCHEMY_DATABASE_URI'] = os.getenv(
'SQLALCHEMY_DATABASE_URI', 'sqlite://')
role = community[1].roles[0]
current_datastore.add_role_to_user(authenticated_user, role)
read_need = action_factory(COMMUNITY_READ, parameter=True)
login_user(authenticated_user)
assert not Permission(read_need(community[0])).allows(g.identity)
def client_with_credentials(db, client, user, role):
"""Log in a user to the client."""
current_datastore.add_role_to_user(user, role)
action = current_access.actions["superuser-access"]
db.session.add(ActionUsers.allow(action, user_id=user.id))
login_user(user, remember=True)
login_user_via_session(client, email=user.email)
return client
def test_action_needs(app, db, community, community_curator):
"""Test action needs creation."""
role = current_datastore.find_role('community:comtest:member')
current_datastore.add_role_to_user(community_curator, role)
ar = ActionRoles(action=COMMUNITY_READ, argument=community[1].id, role=role)
db.session.add(ar)
db.session.commit()
login_user(community_curator)
assert Permission(ParameterizedActionNeed(COMMUNITY_READ, community[1].id)).can()
def test_cli_action_deny(app, community, authenticated_user, db):
runner = CliRunner()
script_info = ScriptInfo(create_app=lambda info: app)
app.config['SQLALCHEMY_DATABASE_URI'] = os.getenv(
'SQLALCHEMY_DATABASE_URI', 'sqlite://')
role = community[1].roles[0]
current_datastore.add_role_to_user(authenticated_user, role)
login_user(authenticated_user)
db.session.add(
ActionRoles(action=COMMUNITY_READ, argument=community[0], role=role))
assert Permission(ParameterizedActionNeed(COMMUNITY_READ,
community[0])).allows(g.identity)
def create_user(self, email, entry):
"""Load a single user."""
password = self._get_password(email, entry)
user_data = {
"email": email,
"active": entry.get("active", False),
"password": hash_password(password),
}
user = current_datastore.create_user(**user_data)
for role in entry.get("roles", []) or []:
current_datastore.add_role_to_user(user, role)
for action in entry.get("allow", []) or []:
action = current_access.actions[action]
db.session.add(ActionUsers.allow(action, user_id=user.id))
db.session.commit()
def create(self, entry):
"""Load a single user."""
email = entry.pop("email")
password = self._get_password(email, entry)
user_data = {
"email": email,
"active": entry.get("active", False),
"password": hash_password(password),
}
try:
user = current_datastore.create_user(**user_data)
for role in entry.get("roles", []) or []:
current_datastore.add_role_to_user(user, role)
for action in entry.get("allow", []) or []:
action = current_access.actions[action]
db.session.add(ActionUsers.allow(action, user_id=user.id))
db.session.commit()
except IntegrityError:
current_app.logger.info(
f"skipping creation of {email}, already existing")
def test_records_get(db, app, community, client, users, es, sample_records,
test_blueprint):
# Non-community members cannot read on primary neither secondary community
resp = client.get('https://localhost/B/7')
assert resp.status_code == 401
resp = client.get('https://localhost/comtest/7')
assert resp.status_code == 401
role = Role.query.all()[0]
user = User.query.all()[0]
community[1].allow_action(role, COMMUNITY_READ)
db.session.add(ActionRoles(action=COMMUNITY_READ, argument='B', role=role))
db.session.commit()
current_datastore.add_role_to_user(user, role)
with app.test_client() as client:
resp = client.get(
url_for('_tests.test_login_{}'.format(user.id),
_scheme='https',
_external=True))
assert resp.status_code == 200
# Record should be accessible in the primary community collection
resp = client.get('https://localhost/comtest/7')
assert resp.status_code == 200
assert resp.json['links']['self'] == 'https://localhost/comtest/7'
# Record should also be readable in the secondary community collection
resp = client.get('https://localhost/B/7')
assert resp.status_code == 200
assert resp.json['links']['self'] == 'https://localhost/comtest/7'
# Record get should return 404 on any other community
resp = client.get('https://localhost/C/7')
assert resp.status_code == 404
def permissions(db, community, sample_records):
"""Permission for users."""
users = {None: None}
user_roles = ['author', 'curator', 'publisher', 'member']
community_roles = {r.name.split(':')[-1]: r for r in community[1].roles}
for role in user_roles:
users[role] = create_test_user(
email='{0}@invenio-software.org'.format(role),
password='******',
active=True
)
if role == 'author':
current_datastore.add_role_to_user(users[role], community_roles['member'])
else:
current_datastore.add_role_to_user(users[role], community_roles['member'])
current_datastore.add_role_to_user(users[role], community_roles[role])
perms = [
(COMMUNITY_REQUEST_APPROVAL, ['author']),
(COMMUNITY_APPROVE, ['curator']),
(COMMUNITY_REQUEST_CHANGES, ['curator']),
(COMMUNITY_REVERT_APPROVE, ['curator', 'publisher']),
(COMMUNITY_PUBLISH, ['publisher']),
(COMMUNITY_UNPUBLISH, ['publisher'])
]
for action, roles in perms:
for r in roles:
if r == 'author':
db.session.add(ActionUsers(
action=action,
argument=community[1].id,
user=users[r]))
else:
role_name = current_oarepo_communities.role_name_factory(community[1], r)['name']
role = current_datastore.find_role(role_name)
db.session.add(ActionRoles(action=action, argument=community[1].id, role=role))
db.session.commit()
yield users
def community_member(db, community):
user = create_test_user('*****@*****.**')
role = OARepoCommunity.get_role(community[1], 'member')
current_datastore.add_role_to_user(user, role)
user = User.query.get(user.id)
yield user