class PermissionPolicy(RecordPermissionPolicy): """Permission policy.""" # TODO: restrict to not allow create/update/delete can_search = [AnyUser()] can_create = [AnyUser()] can_read = [AnyUser()] can_update = [AnyUser()] can_delete = [AnyUser()]
class PermissionPolicy(RecordPermissionPolicy): """Permission policy.""" can_search = [SystemProcess(), AnyUser()] can_read = [SystemProcess(), AnyUser()] can_create = [SystemProcess()] can_update = [SystemProcess()] can_delete = [SystemProcess()] can_manage = [SystemProcess()]
class RecordDraftPermissionPolicy(RecordPermissionPolicy): """Custom permission policy.""" # FIXME: Revist this along the development # Default create should be "authenticated"? # TODO: Subclass records-resources policy and add *_draft actions can_create = [AnyUser()] can_publish = [AnyUser()] can_read_draft = [AnyUser()] can_update_draft = [AnyUser()] can_delete_draft = [AnyUser()]
class PermissionPolicy(RecordPermissionPolicy): """Permission policy.""" # TODO: restrict to not allow create/update/delete can_search = [SystemProcess(), AnyUser()] can_read = [SystemProcess(), AnyUser()] can_create = [SystemProcess()] can_update = [SystemProcess()] can_delete = [SystemProcess()] can_manage = [SystemProcess()] # Type permissions can_manage = [SystemProcess()]
class PermissionPolicy(RecordPermissionPolicy): """Mock permission policy. All actions allowed.""" can_search = [AnyUser(), SystemProcess()] can_create = [AnyUser(), SystemProcess()] can_read = [AnyUser(), SystemProcess()] can_update = [AnyUser(), SystemProcess()] can_delete = [AnyUser(), SystemProcess()] can_create_files = [AnyUser(), SystemProcess()] can_read_files = [AnyUser(), SystemProcess()] can_update_files = [AnyUser(), SystemProcess()] can_delete_files = [AnyUser(), SystemProcess()]
class RDMRecordPermissionPolicy(RecordPermissionPolicy): """Access control configuration for records. Note that even if the array is empty, the invenio_access Permission class always adds the ``superuser-access``, so admins will always be allowed. - Create action given to everyone for now. - Read access given to everyone if public record and given to owners always. (inherited) - Update access given to record owners. (inherited) - Delete access given to admins only. (inherited) """ # TODO: Change all below when permissions settled can_create = [AnyUser()] can_update_files = [AnyUser()]
def test_ifrestricted_needs(field, record_fun, expected_needs_fun): """Test the IfRestricted generator.""" generator = IfRestricted(field, then_=[AuthenticatedUser(), SystemProcess()], else_=[AnyUser(), SystemProcess()]) assert generator.needs(record=record_fun()) == expected_needs_fun() assert generator.excludes(record=record_fun()) == set()
class AnyUserPermissionPolicy(RecordPermissionPolicy): """Custom permission policy.""" can_list = [AnyUser()] can_create = [AnyUser()] can_read = [AnyUser()] can_update = [AnyUser()] can_delete = [AnyUser()] can_read_files = [AnyUser()] can_update_files = [AnyUser()] can_publish = [AnyUser()]
class PermissionPolicy(RecordPermissionPolicy): """Permission policy.""" can_search = [AnyUser()] can_create = [AnyUser()] can_read = [AnyUser()] can_update = [AnyUser()] can_delete = [AnyUser()] can_read_files = [AnyUser()] can_update_files = [AnyUser()]
def test_ifrestricted_query(): """Test the query generation.""" generator = IfRestricted( "record", then_=[AuthenticatedUser()], else_=[AnyUser()] ) assert generator.query_filter(identity=any_user).to_dict() == { 'bool': { 'should': [ {'match': {'access.record': 'restricted'}}, {'match': {'access.record': 'public'}} ] } }
class TestRDMPermissionPolicy(RecordPermissionPolicy): """Define permission policies for RDM Records.""" can_search = [AnyUser(), SystemProcess()] can_create = [AuthenticatedUser(), SystemProcess()] can_update = [Disable()] can_delete = [Disable()] can_read = [ IfRestricted('record', then_=[RecordOwners()], else_=[AnyUser(), SystemProcess()]) ] can_read_files = [ IfRestricted('files', then_=[RecordOwners()], else_=[AnyUser(), SystemProcess()]) ] can_update_files = [Disable()] can_read_draft = [RecordOwners()] can_update_draft = [RecordOwners()] can_delete_draft = [RecordOwners()] can_read_draft_files = [RecordOwners()] can_read_update_files = [RecordOwners()] can_publish = [RecordOwners()] can_manage = [RecordOwners()]
class RDMRecordPermissionPolicy(RecordPermissionPolicy): """Access control configuration for records. Note that even if the array is empty, the invenio_access Permission class always adds the ``superuser-access``, so admins will always be allowed. - Create action given to everyone for now. - Read access given to everyone if public record and given to owners always. (inherited) - Update access given to record owners. (inherited) - Delete access given to admins only. (inherited) """ NEED_LABEL_TO_ACTION = { 'bucket-update': 'update_files', 'bucket-read': 'read_files', 'object-read': 'read_files', } # Records can_search = [AnyUser(), SystemProcess()] can_read = [ IfRestricted('record', then_=[RecordOwners()], else_=[AnyUser()]), SystemProcess(), SecretLinks("read"), ] can_update = [Disable()] can_delete = [Disable()] # Drafts can_create = [AuthenticatedUser(), SystemProcess()] can_search_drafts = [AuthenticatedUser(), SystemProcess()] can_read_draft = [RecordOwners(), SystemProcess()] can_update_draft = [RecordOwners(), SystemProcess()] can_delete_draft = [RecordOwners(), SystemProcess()] can_manage = [RecordOwners(), SystemProcess()] can_new_version = [RecordOwners(), SystemProcess()] can_edit = [RecordOwners(), SystemProcess()] can_publish = [RecordOwners(), SystemProcess()] # Files # For now, can_read_files means: # - can list files # - can read a file metadata # - can download the file can_read_files = [ IfRestricted( 'files', then_=[RecordOwners()], else_=[ IfDraft( then_=[RecordOwners()], else_=[AnyUser()] ), ] ), SystemProcess(), SecretLinks("read_files"), ] # Records - files can_create_files = [Disable()] # update_files is for updating files options can_update_files = [Disable()] can_delete_files = [Disable()] # Drafts - files # create_files is for 3-step file upload can_draft_create_files = [RecordOwners(), SystemProcess()] # update_files is for updating files options can_draft_update_files = [RecordOwners(), SystemProcess()] can_draft_delete_files = [RecordOwners(), SystemProcess()]
class RDMRecordPermissionPolicy(RecordPermissionPolicy): """Access control configuration for records. Note that even if the array is empty, the invenio_access Permission class always adds the ``superuser-access``, so admins will always be allowed. """ NEED_LABEL_TO_ACTION = { 'bucket-update': 'update_files', 'bucket-read': 'read_files', 'object-read': 'read_files', } # # High-level permissions (used by low-level) # can_manage = [RecordOwners(), SystemProcess()] can_curate = can_manage + [SecretLinks("edit")] can_preview = can_manage + [SecretLinks("preview")] can_view = can_manage + [SecretLinks("view")] can_authenticated = [AuthenticatedUser(), SystemProcess()] can_all = [AnyUser(), SystemProcess()] # # Records # # Allow searching of records can_search = can_all # Allow reading metadata of a record can_read = [IfRestricted('record', then_=can_view, else_=can_all)] # Allow reading the files of a record can_read_files = [IfRestricted('files', then_=can_view, else_=can_all)] # Allow submitting new record can_create = can_authenticated # # Drafts # # Allow ability to search drafts can_search_drafts = can_authenticated # Allow reading metadata of a draft can_read_draft = can_preview # Allow reading files of a draft can_draft_read_files = can_preview # Allow updating metadata of a draft can_update_draft = can_curate # Allow uploading, updating and deleting files in drafts can_draft_create_files = can_curate can_draft_update_files = can_curate can_draft_delete_files = can_curate # # PIDs # can_pid_reserve = can_curate can_pid_delete = can_curate # # Actions # # Allow to put a record in edit mode (create a draft from record) can_edit = can_curate # Allow deleting/discarding a draft and all associated files can_delete_draft = can_curate # Allow creating a new version of an existing published record. can_new_version = can_curate # Allow publishing a new record or changes to an existing record. can_publish = can_curate # Allow lifting a record or draft. can_lift_embargo = can_manage # # Disabled actions (these should not be used or changed) # # - Records/files are updated/deleted via drafts so we don't support # using below actions. can_update = [Disable()] can_delete = [Disable()] can_create_files = [Disable()] can_update_files = [Disable()] can_delete_files = [Disable()]
class TestPermissionPolicy(BasePermissionPolicy): can_create = [AnyUser()] can_search = [AnyUser()] can_read = [AnyUser()] can_foo_bar = [AnyUser()]
def test_any_user(): generator = AnyUser() assert generator.needs() == [any_user] assert generator.excludes() == [] assert generator.query_filter().to_dict() == {"match_all": {}}
class PermissionPolicy(RecordPermissionPolicy): """Mock permission policy. All actions allowed.""" can_edit = [AnyUser()] can_new_version = [AnyUser()] can_search = [AnyUser()] can_create = [AnyUser()] can_read = [AnyUser()] can_read_draft = [AnyUser()] can_update = [AnyUser()] can_update_draft = [AnyUser()] can_delete = [AnyUser()] can_delete_draft = [AnyUser()] can_publish = [AnyUser()] can_read_files = [AnyUser()] can_update_files = [AnyUser()]
class PermissionPolicy(RDMRecordPermissionPolicy): """TODO delet this (https://tinyurl.com/y69derx3).""" can_update = [AnyUser()]
class DraftPermissionPolicy(RecordPermissionPolicy): """Custom permission policy.""" # FIXME: Revist this along the development # Default create should be "authenticated"? can_create = [AnyUser()]