def receive_before_insert(mapper, connection, target):
"""Create community admin and member roles and add their permissions."""
from b2share.modules.deposit.permissions import (
create_deposit_need_factory,
read_deposit_need_factory,
update_deposit_metadata_need_factory,
update_deposit_publication_state_need_factory,
)
from b2share.modules.deposit.api import PublicationStates
admin_role = Role(name=_community_admin_role_name(target),
description='Admin role of the community "{}"'.format(
target.name))
member_role = Role(name=_community_member_role_name(target),
description='Member role of the community "{}"'.format(
target.name))
db.session.add(admin_role)
db.session.add(member_role)
member_needs = [
create_deposit_need_factory(str(target.id)),
]
admin_needs = [
read_deposit_need_factory(
community=str(target.id),
publication_state=PublicationStates.submitted.name),
read_deposit_need_factory(
community=str(target.id),
publication_state=PublicationStates.published.name),
update_deposit_metadata_need_factory(
community=str(target.id),
publication_state=PublicationStates.submitted.name),
# permission to publish a submission
update_deposit_publication_state_need_factory(
community=str(target.id),
old_state=PublicationStates.submitted.name,
new_state=PublicationStates.published.name),
# permission to ask the owners to fix a submission before resubmitting
update_deposit_publication_state_need_factory(
community=str(target.id),
old_state=PublicationStates.submitted.name,
new_state=PublicationStates.draft.name)
]
for need in member_needs:
db.session.add(ActionRoles.allow(need, role=member_role))
for need in chain(member_needs, admin_needs):
db.session.add(ActionRoles.allow(need, role=admin_role))
def test_deposit_search_permissions(app, draft_deposits, submitted_deposits,
test_users, login_user, test_communities):
"""Test deposit search permissions."""
with app.app_context():
# flush the indices so that indexed deposits are searchable
current_search_client.indices.flush('*')
admin = test_users['admin']
creator = test_users['deposits_creator']
non_creator = create_user('non-creator')
permission_to_read_all_submitted_deposits = read_deposit_need_factory(
community=str(test_communities['MyTestCommunity2']),
publication_state='submitted',
)
allowed_role = create_role(
'allowed_role',
permissions=[permission_to_read_all_submitted_deposits])
user_allowed_by_role = create_user('user-allowed-by-role',
roles=[allowed_role])
user_allowed_by_permission = create_user(
'user-allowed-by-permission',
permissions=[permission_to_read_all_submitted_deposits])
community = Community.get(test_communities['MyTestCommunity2'])
com_member = create_user('com_member', roles=[community.member_role])
com_admin = create_user('com_admin', roles=[community.admin_role])
search_deposits_url = url_for('b2share_records_rest.b2rec_list',
drafts=1,
size=100)
headers = [('Content-Type', 'application/json'),
('Accept', 'application/json')]
def test_search(status, expected_deposits, user=None):
with app.test_client() as client:
if user is not None:
login_user(user, client)
deposit_search_res = client.get(search_deposits_url,
headers=headers)
assert deposit_search_res.status_code == status
# test the response data only when the user is allowed to
# search for deposits
if status != 200:
return
deposit_search_data = json.loads(
deposit_search_res.get_data(as_text=True))
assert deposit_search_data['hits']['total'] == \
len(expected_deposits)
deposit_pids = [
hit['id'] for hit in deposit_search_data['hits']['hits']
]
expected_deposit_pids = [
dep.deposit_id.hex for dep in expected_deposits
]
deposit_pids.sort()
expected_deposit_pids.sort()
assert deposit_pids == expected_deposit_pids
test_search(200, draft_deposits + submitted_deposits, creator)
test_search(200, draft_deposits + submitted_deposits, admin)
test_search(401, [], None)
test_search(200, [], non_creator)
# search for submitted records
community2_deposits = [
dep for dep in submitted_deposits if dep.data['community'] == str(
test_communities['MyTestCommunity2'])
]
test_search(200, community2_deposits, user_allowed_by_role)
test_search(200, community2_deposits, user_allowed_by_permission)
# community admin should have access to all submitted records
# in their community
test_search(200, [], com_member)
test_search(200, community2_deposits, com_admin)
def receive_before_insert(mapper, connection, target):
"""Create community admin and member roles and add their permissions."""
from b2share.modules.deposit.permissions import (
create_deposit_need_factory,
read_deposit_need_factory,
update_deposit_metadata_need_factory,
update_deposit_publication_state_need_factory,
)
from b2share.modules.deposit.api import PublicationStates
from b2share.modules.records.permissions import (
update_record_metadata_need_factory, )
from b2share.modules.users.permissions import (
assign_role_need_factory,
search_accounts_need,
)
admin_role = Role(name=_community_admin_role_name(target),
description='Admin role of the community "{}"'.format(
target.name))
member_role = Role(name=_community_member_role_name(target),
description='Member role of the community "{}"'.format(
target.name))
db.session.add(admin_role)
db.session.add(member_role)
member_needs = [
create_deposit_need_factory(str(target.id)),
]
admin_needs = [
read_deposit_need_factory(
community=str(target.id),
publication_state=PublicationStates.submitted.name),
read_deposit_need_factory(
community=str(target.id),
publication_state=PublicationStates.published.name),
update_deposit_metadata_need_factory(
community=str(target.id),
publication_state=PublicationStates.submitted.name),
# permission to publish a submission
update_deposit_publication_state_need_factory(
community=str(target.id),
old_state=PublicationStates.submitted.name,
new_state=PublicationStates.published.name),
# permission to ask the owners to fix a submission before resubmitting
update_deposit_publication_state_need_factory(
community=str(target.id),
old_state=PublicationStates.submitted.name,
new_state=PublicationStates.draft.name),
# permission to update the metadata of a published record
update_record_metadata_need_factory(community=str(target.id), ),
# allow to assign any role owned by this community
assign_role_need_factory(community=target.id),
# allow to list users' accounts
search_accounts_need,
]
for need in member_needs:
db.session.add(ActionRoles.allow(need, role=member_role))
for need in chain(member_needs, admin_needs):
db.session.add(ActionRoles.allow(need, role=admin_role))
oaiset = OAISet(spec=str(target.id),
name=target.name,
description=target.description)
db.session.add(oaiset)
def test_deposit_search_permissions(app, draft_deposits, submitted_deposits,
test_users, login_user, test_communities):
"""Test deposit search permissions."""
with app.app_context():
# flush the indices so that indexed deposits are searchable
current_search_client.indices.flush('*')
admin = test_users['admin']
creator = test_users['deposits_creator']
non_creator = create_user('non-creator')
permission_to_read_all_submitted_deposits = read_deposit_need_factory(
community=str(test_communities['MyTestCommunity2']),
publication_state='submitted',
)
allowed_role = create_role(
'allowed_role',
permissions=[
permission_to_read_all_submitted_deposits
]
)
user_allowed_by_role = create_user('user-allowed-by-role',
roles=[allowed_role])
user_allowed_by_permission = create_user(
'user-allowed-by-permission',
permissions=[
permission_to_read_all_submitted_deposits
]
)
community = Community.get(test_communities['MyTestCommunity2'])
com_member = create_user('com_member', roles=[community.member_role])
com_admin = create_user('com_admin', roles=[community.admin_role])
search_deposits_url = url_for(
'b2share_records_rest.b2rec_list', drafts=1, size=100)
headers = [('Content-Type', 'application/json'),
('Accept', 'application/json')]
def test_search(status, expected_deposits, user=None):
with app.test_client() as client:
if user is not None:
login_user(user, client)
deposit_search_res = client.get(
search_deposits_url,
headers=headers)
assert deposit_search_res.status_code == status
# test the response data only when the user is allowed to
# search for deposits
if status != 200:
return
deposit_search_data = json.loads(
deposit_search_res.get_data(as_text=True))
assert deposit_search_data['hits']['total'] == \
len(expected_deposits)
deposit_pids = [hit['id'] for hit
in deposit_search_data['hits']['hits']]
expected_deposit_pids = [dep.deposit_id.hex for dep
in expected_deposits]
deposit_pids.sort()
expected_deposit_pids.sort()
assert deposit_pids == expected_deposit_pids
test_search(200, draft_deposits + submitted_deposits, creator)
test_search(200, draft_deposits + submitted_deposits, admin)
test_search(401, [], None)
test_search(200, [], non_creator)
# search for submitted records
community2_deposits = [dep for dep in submitted_deposits
if dep.data['community'] ==
str(test_communities['MyTestCommunity2'])]
test_search(200, community2_deposits, user_allowed_by_role)
test_search(200,
community2_deposits,
user_allowed_by_permission)
# community admin should have access to all submitted records
# in their community
test_search(200, [], com_member)
test_search(200, community2_deposits, com_admin)
def create_roles_and_permissions(community, fix=False):
"""Create community admin and member roles and add their permissions.
:param community: the community for which we add the roles and
permissions.
:param fix: Enable the fixing of the database. This function doesn't fail
if some roles or permissions already exist. It will just add the
missing ones.
"""
from b2share.modules.deposit.permissions import (
create_deposit_need_factory, read_deposit_need_factory,
update_deposit_metadata_need_factory,
update_deposit_publication_state_need_factory,
)
from b2share.modules.deposit.api import PublicationStates
from b2share.modules.records.permissions import (
update_record_metadata_need_factory,
)
from b2share.modules.users.permissions import (
assign_role_need_factory, search_accounts_need,
)
admin_role = Role(
name=_community_admin_role_name(community),
description='Admin role of the community "{}"'.format(community.name)
)
member_role = Role(
name=_community_member_role_name(community),
description='Member role of the community "{}"'.format(community.name)
)
# use a nested session so that the ids are generated by the DB.
with db.session.begin_nested():
admin_role = add_to_db(admin_role, skip_if_exists=fix)
member_role = add_to_db(member_role, skip_if_exists=fix)
member_needs = [
create_deposit_need_factory(str(community.id)),
]
admin_needs = [
read_deposit_need_factory(
community=str(community.id),
publication_state=PublicationStates.submitted.name
),
read_deposit_need_factory(
community=str(community.id),
publication_state=PublicationStates.published.name
),
update_deposit_metadata_need_factory(
community=str(community.id),
publication_state=PublicationStates.submitted.name
),
# permission to publish a submission
update_deposit_publication_state_need_factory(
community=str(community.id),
old_state=PublicationStates.submitted.name,
new_state=PublicationStates.published.name
),
# permission to ask the owners to fix a submission before resubmitting
update_deposit_publication_state_need_factory(
community=str(community.id),
old_state=PublicationStates.submitted.name,
new_state=PublicationStates.draft.name
),
# permission to update the metadata of a published record
update_record_metadata_need_factory(
community=str(community.id),
),
# allow to assign any role owned by this community
assign_role_need_factory(community=community.id),
# allow to list users' accounts
search_accounts_need,
]
for need in member_needs:
add_to_db(ActionRoles.allow(need, role=member_role),
skip_if_exists=fix,
role_id=member_role.id)
for need in chain (member_needs, admin_needs):
add_to_db(ActionRoles.allow(need, role=admin_role),
skip_if_exists=fix,
role_id=admin_role.id)
def receive_before_insert(mapper, connection, target):
"""Create community admin and member roles and add their permissions."""
from b2share.modules.deposit.permissions import (
create_deposit_need_factory, read_deposit_need_factory,
update_deposit_metadata_need_factory,
update_deposit_publication_state_need_factory,
)
from b2share.modules.deposit.api import PublicationStates
from b2share.modules.records.permissions import (
update_record_metadata_need_factory,
)
from b2share.modules.users.permissions import (
assign_role_need_factory, search_accounts_need,
)
admin_role = Role(
name=_community_admin_role_name(target),
description='Admin role of the community "{}"'.format(target.name)
)
member_role = Role(
name=_community_member_role_name(target),
description='Member role of the community "{}"'.format(target.name)
)
db.session.add(admin_role)
db.session.add(member_role)
member_needs = [
create_deposit_need_factory(str(target.id)),
]
admin_needs = [
read_deposit_need_factory(
community=str(target.id),
publication_state=PublicationStates.submitted.name
),
read_deposit_need_factory(
community=str(target.id),
publication_state=PublicationStates.published.name
),
update_deposit_metadata_need_factory(
community=str(target.id),
publication_state=PublicationStates.submitted.name
),
# permission to publish a submission
update_deposit_publication_state_need_factory(
community=str(target.id),
old_state=PublicationStates.submitted.name,
new_state=PublicationStates.published.name
),
# permission to ask the owners to fix a submission before resubmitting
update_deposit_publication_state_need_factory(
community=str(target.id),
old_state=PublicationStates.submitted.name,
new_state=PublicationStates.draft.name
),
# permission to update the metadata of a published record
update_record_metadata_need_factory(
community=str(target.id),
),
# allow to assign any role owned by this community
assign_role_need_factory(community=target.id),
# allow to list users' accounts
search_accounts_need,
]
for need in member_needs:
db.session.add(ActionRoles.allow(need, role=member_role))
for need in chain (member_needs, admin_needs):
db.session.add(ActionRoles.allow(need, role=admin_role))
oaiset = OAISet(spec=str(target.id), name=target.name, description=target.description)
db.session.add(oaiset)