def test_authenticateduser():
"""Test Generator AuthenticatedUser."""
generator = AuthenticatedUser()
assert generator.needs() == [authenticated_user]
assert generator.excludes() == []
assert generator.query_filter().to_dict() == {"match_all": {}}
def test_ifrestricted_needs(field, record_fun, expected_needs_fun):
"""Test the IfRestricted generator."""
generator = IfRestricted(field,
then_=[AuthenticatedUser(),
SystemProcess()],
else_=[AnyUser(), SystemProcess()])
assert generator.needs(record=record_fun()) == expected_needs_fun()
assert generator.excludes(record=record_fun()) == set()
def test_ifrestricted_query():
"""Test the query generation."""
generator = IfRestricted(
"record",
then_=[AuthenticatedUser()],
else_=[AnyUser()]
)
assert generator.query_filter(identity=any_user).to_dict() == {
'bool': {
'should': [
{'match': {'access.record': 'restricted'}},
{'match': {'access.record': 'public'}}
]
}
}
class TodoPermissionPolicy(Permission):
# Jump over the __init__ - it's a small helper method, to avoid
# initializing the full Invenio-Access.
def __init__(self, action, item=None):
generators = getattr(self, f"can_{action}")
needs = []
for g in generators:
for n in g.needs(item=item):
needs.append(n)
super().__init__(*needs)
# A permission policy defines a declarative way of writing the permissions.
# The "can_create" requires that a user is authenticated, thus if you don't
# pass "?user=1" in the URL query string this permission check will fail.
can_create = [AuthenticatedUser()]
# The "can_read" requires that the user reading the object is the one who
# created it.
can_read = [Owner()]
# Anyone can search
can_search = []
class TestRDMPermissionPolicy(RecordPermissionPolicy):
"""Define permission policies for RDM Records."""
can_search = [AnyUser(), SystemProcess()]
can_create = [AuthenticatedUser(), SystemProcess()]
can_update = [Disable()]
can_delete = [Disable()]
can_read = [
IfRestricted('record',
then_=[RecordOwners()],
else_=[AnyUser(), SystemProcess()])
]
can_read_files = [
IfRestricted('files',
then_=[RecordOwners()],
else_=[AnyUser(), SystemProcess()])
]
can_update_files = [Disable()]
can_read_draft = [RecordOwners()]
can_update_draft = [RecordOwners()]
can_delete_draft = [RecordOwners()]
can_read_draft_files = [RecordOwners()]
can_read_update_files = [RecordOwners()]
can_publish = [RecordOwners()]
can_manage = [RecordOwners()]
class RDMRecordPermissionPolicy(RecordPermissionPolicy):
"""Access control configuration for records.
Note that even if the array is empty, the invenio_access Permission class
always adds the ``superuser-access``, so admins will always be allowed.
"""
NEED_LABEL_TO_ACTION = {
'bucket-update': 'update_files',
'bucket-read': 'read_files',
'object-read': 'read_files',
}
#
# High-level permissions (used by low-level)
#
can_manage = [RecordOwners(), SystemProcess()]
can_curate = can_manage + [SecretLinks("edit")]
can_preview = can_manage + [SecretLinks("preview")]
can_view = can_manage + [SecretLinks("view")]
can_authenticated = [AuthenticatedUser(), SystemProcess()]
can_all = [AnyUser(), SystemProcess()]
#
# Records
#
# Allow searching of records
can_search = can_all
# Allow reading metadata of a record
can_read = [IfRestricted('record', then_=can_view, else_=can_all)]
# Allow reading the files of a record
can_read_files = [IfRestricted('files', then_=can_view, else_=can_all)]
# Allow submitting new record
can_create = can_authenticated
#
# Drafts
#
# Allow ability to search drafts
can_search_drafts = can_authenticated
# Allow reading metadata of a draft
can_read_draft = can_preview
# Allow reading files of a draft
can_draft_read_files = can_preview
# Allow updating metadata of a draft
can_update_draft = can_curate
# Allow uploading, updating and deleting files in drafts
can_draft_create_files = can_curate
can_draft_update_files = can_curate
can_draft_delete_files = can_curate
#
# PIDs
#
can_pid_reserve = can_curate
can_pid_delete = can_curate
#
# Actions
#
# Allow to put a record in edit mode (create a draft from record)
can_edit = can_curate
# Allow deleting/discarding a draft and all associated files
can_delete_draft = can_curate
# Allow creating a new version of an existing published record.
can_new_version = can_curate
# Allow publishing a new record or changes to an existing record.
can_publish = can_curate
# Allow lifting a record or draft.
can_lift_embargo = can_manage
#
# Disabled actions (these should not be used or changed)
#
# - Records/files are updated/deleted via drafts so we don't support
# using below actions.
can_update = [Disable()]
can_delete = [Disable()]
can_create_files = [Disable()]
can_update_files = [Disable()]
can_delete_files = [Disable()]
class RDMRecordPermissionPolicy(RecordPermissionPolicy):
"""Access control configuration for records.
Note that even if the array is empty, the invenio_access Permission class
always adds the ``superuser-access``, so admins will always be allowed.
- Create action given to everyone for now.
- Read access given to everyone if public record and given to owners
always. (inherited)
- Update access given to record owners. (inherited)
- Delete access given to admins only. (inherited)
"""
NEED_LABEL_TO_ACTION = {
'bucket-update': 'update_files',
'bucket-read': 'read_files',
'object-read': 'read_files',
}
# Records
can_search = [AnyUser(), SystemProcess()]
can_read = [
IfRestricted('record', then_=[RecordOwners()], else_=[AnyUser()]),
SystemProcess(),
SecretLinks("read"),
]
can_update = [Disable()]
can_delete = [Disable()]
# Drafts
can_create = [AuthenticatedUser(), SystemProcess()]
can_search_drafts = [AuthenticatedUser(), SystemProcess()]
can_read_draft = [RecordOwners(), SystemProcess()]
can_update_draft = [RecordOwners(), SystemProcess()]
can_delete_draft = [RecordOwners(), SystemProcess()]
can_manage = [RecordOwners(), SystemProcess()]
can_new_version = [RecordOwners(), SystemProcess()]
can_edit = [RecordOwners(), SystemProcess()]
can_publish = [RecordOwners(), SystemProcess()]
# Files
# For now, can_read_files means:
# - can list files
# - can read a file metadata
# - can download the file
can_read_files = [
IfRestricted(
'files',
then_=[RecordOwners()],
else_=[
IfDraft(
then_=[RecordOwners()],
else_=[AnyUser()]
),
]
),
SystemProcess(),
SecretLinks("read_files"),
]
# Records - files
can_create_files = [Disable()]
# update_files is for updating files options
can_update_files = [Disable()]
can_delete_files = [Disable()]
# Drafts - files
# create_files is for 3-step file upload
can_draft_create_files = [RecordOwners(), SystemProcess()]
# update_files is for updating files options
can_draft_update_files = [RecordOwners(), SystemProcess()]
can_draft_delete_files = [RecordOwners(), SystemProcess()]