class PermissionPolicy(RecordPermissionPolicy):
"""Permission policy."""
# TODO: restrict to not allow create/update/delete
can_search = [AnyUser()]
can_create = [AnyUser()]
can_read = [AnyUser()]
can_update = [AnyUser()]
can_delete = [AnyUser()]
class PermissionPolicy(RecordPermissionPolicy):
"""Permission policy."""
can_search = [SystemProcess(), AnyUser()]
can_read = [SystemProcess(), AnyUser()]
can_create = [SystemProcess()]
can_update = [SystemProcess()]
can_delete = [SystemProcess()]
can_manage = [SystemProcess()]
class RecordDraftPermissionPolicy(RecordPermissionPolicy):
"""Custom permission policy."""
# FIXME: Revist this along the development
# Default create should be "authenticated"?
# TODO: Subclass records-resources policy and add *_draft actions
can_create = [AnyUser()]
can_publish = [AnyUser()]
can_read_draft = [AnyUser()]
can_update_draft = [AnyUser()]
can_delete_draft = [AnyUser()]
class PermissionPolicy(RecordPermissionPolicy):
"""Permission policy."""
# TODO: restrict to not allow create/update/delete
can_search = [SystemProcess(), AnyUser()]
can_read = [SystemProcess(), AnyUser()]
can_create = [SystemProcess()]
can_update = [SystemProcess()]
can_delete = [SystemProcess()]
can_manage = [SystemProcess()]
# Type permissions
can_manage = [SystemProcess()]
class PermissionPolicy(RecordPermissionPolicy):
"""Mock permission policy. All actions allowed."""
can_search = [AnyUser(), SystemProcess()]
can_create = [AnyUser(), SystemProcess()]
can_read = [AnyUser(), SystemProcess()]
can_update = [AnyUser(), SystemProcess()]
can_delete = [AnyUser(), SystemProcess()]
can_create_files = [AnyUser(), SystemProcess()]
can_read_files = [AnyUser(), SystemProcess()]
can_update_files = [AnyUser(), SystemProcess()]
can_delete_files = [AnyUser(), SystemProcess()]
class RDMRecordPermissionPolicy(RecordPermissionPolicy):
"""Access control configuration for records.
Note that even if the array is empty, the invenio_access Permission class
always adds the ``superuser-access``, so admins will always be allowed.
- Create action given to everyone for now.
- Read access given to everyone if public record and given to owners
always. (inherited)
- Update access given to record owners. (inherited)
- Delete access given to admins only. (inherited)
"""
# TODO: Change all below when permissions settled
can_create = [AnyUser()]
can_update_files = [AnyUser()]
def test_ifrestricted_needs(field, record_fun, expected_needs_fun):
"""Test the IfRestricted generator."""
generator = IfRestricted(field,
then_=[AuthenticatedUser(),
SystemProcess()],
else_=[AnyUser(), SystemProcess()])
assert generator.needs(record=record_fun()) == expected_needs_fun()
assert generator.excludes(record=record_fun()) == set()
class AnyUserPermissionPolicy(RecordPermissionPolicy):
"""Custom permission policy."""
can_list = [AnyUser()]
can_create = [AnyUser()]
can_read = [AnyUser()]
can_update = [AnyUser()]
can_delete = [AnyUser()]
can_read_files = [AnyUser()]
can_update_files = [AnyUser()]
can_publish = [AnyUser()]
class PermissionPolicy(RecordPermissionPolicy):
"""Permission policy."""
can_search = [AnyUser()]
can_create = [AnyUser()]
can_read = [AnyUser()]
can_update = [AnyUser()]
can_delete = [AnyUser()]
can_read_files = [AnyUser()]
can_update_files = [AnyUser()]
def test_ifrestricted_query():
"""Test the query generation."""
generator = IfRestricted(
"record",
then_=[AuthenticatedUser()],
else_=[AnyUser()]
)
assert generator.query_filter(identity=any_user).to_dict() == {
'bool': {
'should': [
{'match': {'access.record': 'restricted'}},
{'match': {'access.record': 'public'}}
]
}
}
class TestRDMPermissionPolicy(RecordPermissionPolicy):
"""Define permission policies for RDM Records."""
can_search = [AnyUser(), SystemProcess()]
can_create = [AuthenticatedUser(), SystemProcess()]
can_update = [Disable()]
can_delete = [Disable()]
can_read = [
IfRestricted('record',
then_=[RecordOwners()],
else_=[AnyUser(), SystemProcess()])
]
can_read_files = [
IfRestricted('files',
then_=[RecordOwners()],
else_=[AnyUser(), SystemProcess()])
]
can_update_files = [Disable()]
can_read_draft = [RecordOwners()]
can_update_draft = [RecordOwners()]
can_delete_draft = [RecordOwners()]
can_read_draft_files = [RecordOwners()]
can_read_update_files = [RecordOwners()]
can_publish = [RecordOwners()]
can_manage = [RecordOwners()]
class RDMRecordPermissionPolicy(RecordPermissionPolicy):
"""Access control configuration for records.
Note that even if the array is empty, the invenio_access Permission class
always adds the ``superuser-access``, so admins will always be allowed.
- Create action given to everyone for now.
- Read access given to everyone if public record and given to owners
always. (inherited)
- Update access given to record owners. (inherited)
- Delete access given to admins only. (inherited)
"""
NEED_LABEL_TO_ACTION = {
'bucket-update': 'update_files',
'bucket-read': 'read_files',
'object-read': 'read_files',
}
# Records
can_search = [AnyUser(), SystemProcess()]
can_read = [
IfRestricted('record', then_=[RecordOwners()], else_=[AnyUser()]),
SystemProcess(),
SecretLinks("read"),
]
can_update = [Disable()]
can_delete = [Disable()]
# Drafts
can_create = [AuthenticatedUser(), SystemProcess()]
can_search_drafts = [AuthenticatedUser(), SystemProcess()]
can_read_draft = [RecordOwners(), SystemProcess()]
can_update_draft = [RecordOwners(), SystemProcess()]
can_delete_draft = [RecordOwners(), SystemProcess()]
can_manage = [RecordOwners(), SystemProcess()]
can_new_version = [RecordOwners(), SystemProcess()]
can_edit = [RecordOwners(), SystemProcess()]
can_publish = [RecordOwners(), SystemProcess()]
# Files
# For now, can_read_files means:
# - can list files
# - can read a file metadata
# - can download the file
can_read_files = [
IfRestricted(
'files',
then_=[RecordOwners()],
else_=[
IfDraft(
then_=[RecordOwners()],
else_=[AnyUser()]
),
]
),
SystemProcess(),
SecretLinks("read_files"),
]
# Records - files
can_create_files = [Disable()]
# update_files is for updating files options
can_update_files = [Disable()]
can_delete_files = [Disable()]
# Drafts - files
# create_files is for 3-step file upload
can_draft_create_files = [RecordOwners(), SystemProcess()]
# update_files is for updating files options
can_draft_update_files = [RecordOwners(), SystemProcess()]
can_draft_delete_files = [RecordOwners(), SystemProcess()]
class RDMRecordPermissionPolicy(RecordPermissionPolicy):
"""Access control configuration for records.
Note that even if the array is empty, the invenio_access Permission class
always adds the ``superuser-access``, so admins will always be allowed.
"""
NEED_LABEL_TO_ACTION = {
'bucket-update': 'update_files',
'bucket-read': 'read_files',
'object-read': 'read_files',
}
#
# High-level permissions (used by low-level)
#
can_manage = [RecordOwners(), SystemProcess()]
can_curate = can_manage + [SecretLinks("edit")]
can_preview = can_manage + [SecretLinks("preview")]
can_view = can_manage + [SecretLinks("view")]
can_authenticated = [AuthenticatedUser(), SystemProcess()]
can_all = [AnyUser(), SystemProcess()]
#
# Records
#
# Allow searching of records
can_search = can_all
# Allow reading metadata of a record
can_read = [IfRestricted('record', then_=can_view, else_=can_all)]
# Allow reading the files of a record
can_read_files = [IfRestricted('files', then_=can_view, else_=can_all)]
# Allow submitting new record
can_create = can_authenticated
#
# Drafts
#
# Allow ability to search drafts
can_search_drafts = can_authenticated
# Allow reading metadata of a draft
can_read_draft = can_preview
# Allow reading files of a draft
can_draft_read_files = can_preview
# Allow updating metadata of a draft
can_update_draft = can_curate
# Allow uploading, updating and deleting files in drafts
can_draft_create_files = can_curate
can_draft_update_files = can_curate
can_draft_delete_files = can_curate
#
# PIDs
#
can_pid_reserve = can_curate
can_pid_delete = can_curate
#
# Actions
#
# Allow to put a record in edit mode (create a draft from record)
can_edit = can_curate
# Allow deleting/discarding a draft and all associated files
can_delete_draft = can_curate
# Allow creating a new version of an existing published record.
can_new_version = can_curate
# Allow publishing a new record or changes to an existing record.
can_publish = can_curate
# Allow lifting a record or draft.
can_lift_embargo = can_manage
#
# Disabled actions (these should not be used or changed)
#
# - Records/files are updated/deleted via drafts so we don't support
# using below actions.
can_update = [Disable()]
can_delete = [Disable()]
can_create_files = [Disable()]
can_update_files = [Disable()]
can_delete_files = [Disable()]
class TestPermissionPolicy(BasePermissionPolicy):
can_create = [AnyUser()]
can_search = [AnyUser()]
can_read = [AnyUser()]
can_foo_bar = [AnyUser()]
def test_any_user():
generator = AnyUser()
assert generator.needs() == [any_user]
assert generator.excludes() == []
assert generator.query_filter().to_dict() == {"match_all": {}}
class PermissionPolicy(RecordPermissionPolicy):
"""Mock permission policy. All actions allowed."""
can_edit = [AnyUser()]
can_new_version = [AnyUser()]
can_search = [AnyUser()]
can_create = [AnyUser()]
can_read = [AnyUser()]
can_read_draft = [AnyUser()]
can_update = [AnyUser()]
can_update_draft = [AnyUser()]
can_delete = [AnyUser()]
can_delete_draft = [AnyUser()]
can_publish = [AnyUser()]
can_read_files = [AnyUser()]
can_update_files = [AnyUser()]
class PermissionPolicy(RDMRecordPermissionPolicy):
"""TODO delet this (https://tinyurl.com/y69derx3)."""
can_update = [AnyUser()]
class DraftPermissionPolicy(RecordPermissionPolicy):
"""Custom permission policy."""
# FIXME: Revist this along the development
# Default create should be "authenticated"?
can_create = [AnyUser()]
