def files_permission_factory(obj, action=None):
    """Choose the permission object for a files object from its bucket.

    The decision depends only on the bucket the object belongs to:

    1. Community bucket: Read access for everyone.
    2. Record bucket: Read access only with open and restricted access.
    3. Deposit bucket: Read/update with restricted access.
    4. Anything else (an unrecognised object type, a bucket with no
       ``RecordsBuckets`` row, or a record that is neither a record nor a
       deposit) falls through to the ``admin-access`` action.

    :param obj: a ``Bucket``, ``ObjectVersion``, ``MultipartObject`` or
        ``FileObject``; any other type gets the admin-only fallback.
    :param action: passed unchanged to the selected permission class.
    """
    # A Bucket carries its own id; the other file objects point at theirs.
    if isinstance(obj, Bucket):
        bucket_id = str(obj.id)
    elif isinstance(obj, (ObjectVersion, MultipartObject, FileObject)):
        bucket_id = str(obj.bucket_id)
    else:
        bucket_id = None

    if bucket_id is not None:
        # The community bucket is identified purely by a configured UUID.
        if bucket_id == current_app.config['COMMUNITIES_BUCKET_UUID']:
            return CommunityBucketPermission(action)

        # Record and deposit buckets are resolved through the link table.
        link = RecordsBuckets.query.filter_by(
            bucket_id=bucket_id).one_or_none()
        if link is not None:
            record = Record.get_record(link.record_id)
            if is_record(record):
                return RecordFilesPermission.create(record, action)
            if is_deposit(record):
                return DepositFilesPermission.create(record, action)

    # Default for every path that did not match above.
    # NOTE(review): this default is only restrictive if DynamicPermission
    # denies when nobody has been granted 'admin-access'. invenio-access
    # documents DynamicPermission as allowing an action that is not assigned
    # to any user or role -- confirm for the version in use.
    return DynamicPermission(ActionNeed('admin-access'))
def has_admin_permission(user=None, record=None):
    """Return the result of the admin-access permission check.

    Neither ``user`` nor ``record`` is read here. The two-parameter
    signature matches the other ``has_*_permission`` helpers so that callers
    can dispatch to any of them dynamically.
    """
    # NOTE(review): invenio-access documents DynamicPermission as allowing an
    # action that has not been assigned to any user or role -- confirm that
    # the admin action is always assigned in the target deployment.
    admin_permission = DynamicPermission(action_admin_access)
    return admin_permission.can()
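def __init__(self, template_name=None, schema=None, schema_form=None,
             create_permission_factory=None):
    """Store the view configuration and build the create-deposit permission.

    :param template_name: stored unchanged on the instance.
    :param schema: stored unchanged on the instance.
    :param schema_form: stored unchanged on the instance.
    :param create_permission_factory: value resolved with
        ``obj_or_import_string``; the result is unpacked as the needs of a
        ``DynamicPermission``. A missing value, or any failure while
        resolving it, aborts the request with 403.
    """
    self.template_name = template_name
    self.schema = schema
    self.schema_form = schema_form

    # Explicit check instead of ``assert``: assert statements are removed
    # under ``python -O``, and an access-control precondition should not
    # depend on interpreter flags.
    if not create_permission_factory:
        abort(403)

    try:
        needs = obj_or_import_string(create_permission_factory)
        self._create_deposit_permission = DynamicPermission(*needs)
    except Exception:
        # Fail closed on an unimportable or malformed factory. ``Exception``
        # rather than a bare ``except`` so that KeyboardInterrupt and
        # SystemExit are not converted into a 403.
        # NOTE(review): a misconfigured factory is indistinguishable from a
        # denied request here; consider logging the exception before abort.
        abort(403)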
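def has_admin_permission(user, record):
    """Check if user has admin access to record.

    ``user`` and ``record`` are not read by this body; the result comes
    solely from the ``admin-access`` action permission.

    :returns: ``True`` when the permission check passes, ``False`` otherwise.
    """
    # Allow administrators.
    # can() is called explicitly so the decision does not rest on how the
    # permission class defines its truth value, and so this helper reads the
    # same as the other admin checks that call can().
    # NOTE(review): invenio-access documents DynamicPermission as allowing an
    # action that has not been assigned to any user or role -- confirm that
    # 'admin-access' is always assigned in the target deployment.
    if DynamicPermission(ActionNeed('admin-access')).can():
        return True
    # Explicit deny instead of falling off the end with None.
    return False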
def can(self):
    """Decide whether ``self.action`` is permitted.

    ``'object-read'`` is granted unconditionally, without consulting any
    identity. Every other action is decided by the ``admin-access`` action
    permission.
    """
    if self.action != 'object-read':
        # NOTE(review): invenio-access documents DynamicPermission as
        # allowing an action that nobody has been assigned -- confirm that
        # 'admin-access' is always assigned, since this guards writes.
        return DynamicPermission(ActionNeed('admin-access')).can()
    return True
def lhcb_permission_factory(*args):
    """Return a new ``DynamicPermission`` over the LHCb need set.

    Positional arguments are accepted and ignored; the needs always come
    from the module-level ``lhcb_group_need``.
    """
    needs = tuple(lhcb_group_need)
    return DynamicPermission(*needs)
# it and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# CERN Analysis Preservation Framework is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with CERN Analysis Preservation Framework; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.
#
# In applying this license, CERN does not
# waive the privileges and immunities granted to it by virtue of its status
# as an Intergovernmental Organization or submit itself to any jurisdiction.
"""CAP LHCb permissions"""

from cap.modules.experiments.permissions.common import get_collaboration_group_needs, get_superuser_needs
from invenio_access import DynamicPermission

# Needs that grant LHCb access: the collaboration's group needs plus the
# superuser needs. Both helpers are called once, when this module is imported.
# NOTE(review): if either helper returned nothing the set would be empty and
# the permission would be built with no needs at all -- confirm how
# DynamicPermission treats an empty need list before relying on it as a gate.
lhcb_group_need = set(get_collaboration_group_needs('LHCb'))
lhcb_group_need.update(get_superuser_needs())

# Shared permission instance built from that set.
lhcb_permission = DynamicPermission(*lhcb_group_need)


def lhcb_permission_factory(*args):
    """Return a new ``DynamicPermission`` over the LHCb need set.

    Positional arguments are accepted and ignored.
    """
    needs = tuple(lhcb_group_need)
    return DynamicPermission(*needs)
static_folder='../static',
)

# NOTE(review): this TLS context has hostname checking and certificate
# verification switched off, so any connection made with it accepts whatever
# certificate the peer presents. Where ``ctx`` is used is not visible here --
# confirm the call sites, and prefer the default verifying context with the
# required CA bundle loaded instead.
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE


@cms_bp.before_request
@login_required
def restrict_bp_to_cms_members():
    """Require a logged-in user and tag the request as CMS.

    Runs before every request handled by ``cms_bp``.
    """
    # NOTE(review): despite the name, nothing here checks CMS membership; the
    # only gate is ``login_required``. Membership is enforced per view by
    # ``cms_permission.require(403)``, so a route added to this blueprint
    # without that decorator would be reachable by any logged-in user.
    g.experiment = 'CMS'


# Role-based need for the CMS collaboration and the permission built on it.
cms_group_need = RoleNeed('collaboration_cms')
cms_permission = DynamicPermission(cms_group_need)


@cms_bp.route('/')
@cms_permission.require(403)
def cms_landing():
    """Basic CMS landing view."""
    # ``.one()`` expects exactly one collection named 'CMS' and raises
    # otherwise.
    collections = Collection.query.filter(Collection.name.in_(
        ['CMS'])).one().drilldown_tree()
    return render_template('cms/landing_page.html',
                           record_types=get_collections_tree(collections))


@cms_bp.route('/records')
@cms_permission.require(403)
def cms_records():
# Copyright (C) 2016 CERN.
#
# CERN Analysis Preservation Framework is free software; you can redistribute
# it and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# CERN Analysis Preservation Framework is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with CERN Analysis Preservation Framework; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.
#
# In applying this license, CERN does not
# waive the privileges and immunities granted to it by virtue of its status
# as an Intergovernmental Organization or submit itself to any jurisdiction.
"""CAP ATLAS permissions"""

from invenio_access import DynamicPermission

from cap.modules.experiments.permissions.common import get_collaboration_group_needs, get_superuser_needs

# Needs that grant ATLAS access: the collaboration's group needs plus the
# superuser needs. Both helpers are called once, when this module is imported.
# NOTE(review): the key passed here is 'collaboration_atlas', while the LHCb
# and ALICE modules pass the bare experiment name ('LHCb', 'ALICE'). Confirm
# which form get_collaboration_group_needs expects; a key it does not
# recognise would presumably contribute no collaboration needs.
atlas_group_need = set(get_collaboration_group_needs('collaboration_atlas'))
atlas_group_need.update(get_superuser_needs())

# Shared permission instance built from that set.
atlas_permission = DynamicPermission(*atlas_group_need)
def atlas_permission_factory(*args):
    """Return a new ``DynamicPermission`` over the ATLAS need set.

    Positional arguments are accepted and ignored; the needs always come
    from the module-level ``atlas_group_need``.
    """
    needs = tuple(atlas_group_need)
    return DynamicPermission(*needs)
def alice_permission_factory(*args):
    """Return a new ``DynamicPermission`` over the ALICE need set.

    Positional arguments are accepted and ignored; the needs always come
    from the module-level ``alice_group_need``.
    """
    needs = tuple(alice_group_need)
    return DynamicPermission(*needs)
# it and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# CERN Analysis Preservation Framework is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with CERN Analysis Preservation Framework; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.
#
# In applying this license, CERN does not
# waive the privileges and immunities granted to it by virtue of its status
# as an Intergovernmental Organization or submit itself to any jurisdiction.
"""CAP ALICE permissions"""

from cap.modules.experiments.permissions.common import get_collaboration_group_needs, get_superuser_needs
from invenio_access import DynamicPermission

# Needs that grant ALICE access: the collaboration's group needs plus the
# superuser needs. Both helpers are called once, when this module is imported.
# NOTE(review): if either helper returned nothing the set would be empty and
# the permission would be built with no needs at all -- confirm how
# DynamicPermission treats an empty need list before relying on it as a gate.
alice_group_need = set(get_collaboration_group_needs('ALICE'))
alice_group_need.update(get_superuser_needs())

# Shared permission instance built from that set.
alice_permission = DynamicPermission(*alice_group_need)


def alice_permission_factory(*args):
    """Return a new ``DynamicPermission`` over the ALICE need set.

    Positional arguments are accepted and ignored.
    """
    needs = tuple(alice_group_need)
    return DynamicPermission(*needs)