def test_permission_factory(app, db, action, permission_factory):
"""Test revisions."""
InvenioAccess(app)
rec_uuid = uuid.uuid4()
with db.session.begin_nested():
user_all = User(email='*****@*****.**')
user_one = User(email='*****@*****.**')
user_none = User(email='*****@*****.**')
db.session.add(user_all)
db.session.add(user_one)
db.session.add(user_none)
db.session.add(ActionUsers(action=action, user=user_all,
argument=None))
db.session.add(
ActionUsers(action=action, user=user_one, argument=str(rec_uuid)))
record = Record.create({'title': 'permission test'}, id_=rec_uuid)
# Create a record and assign permissions.
permission = permission_factory(record)
# Assert which permissions has access.
assert permission.allows(FakeIdentity(UserNeed(user_all.id)))
assert permission.allows(FakeIdentity(UserNeed(user_one.id)))
assert not permission.allows(FakeIdentity(UserNeed(user_none.id)))
def test_invenio_access_permission_cache_redis(app):
"""Caching the user using redis."""
cache = RedisCache()
InvenioAccess(app, cache=cache)
with app.test_request_context():
user_can_all = User(email='*****@*****.**')
user_can_open = User(email='*****@*****.**')
db.session.add(user_can_all)
db.session.add(user_can_open)
db.session.add(ActionUsers(action='open', user=user_can_all))
db.session.flush()
identity_open = FakeIdentity(UserNeed(user_can_open.id))
permission_open = DynamicPermission(ActionNeed('open'))
assert not permission_open.allows(identity_open)
assert current_access.get_action_cache('open') == (set(
[Need(method='id', value=1)]), set([]))
db.session.add(ActionUsers(action='open', user=user_can_open))
db.session.flush()
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.allows(identity_open)
assert current_access.get_action_cache('open') == (set(
[Need(method='id', value=1),
Need(method='id', value=2)]), set([]))
def test_invenio_access_permission_for_users(app):
"""User can access to an action allowed/denied to the user"""
InvenioAccess(app)
with app.test_request_context():
db.session.begin(nested=True)
user_can_all = User(email='*****@*****.**')
user_can_read = User(email='*****@*****.**')
user_can_open = User(email='*****@*****.**')
db.session.add(user_can_all)
db.session.add(user_can_read)
db.session.add(user_can_open)
db.session.add(ActionUsers(action='open', user=user_can_all))
db.session.add(ActionUsers(action='open', user=user_can_open))
db.session.add(ActionUsers(action='read', user=user_can_all))
db.session.add(ActionUsers(action='read', user=user_can_read))
db.session.commit()
permission_open = DynamicPermission(ActionNeed('open'))
permission_read = DynamicPermission(ActionNeed('read'))
identity_all = FakeIdentity(UserNeed(user_can_all.id))
identity_read = FakeIdentity(UserNeed(user_can_read.id))
identity_open = FakeIdentity(UserNeed(user_can_open.id))
assert permission_open.allows(identity_all)
assert permission_read.allows(identity_all)
assert permission_open.allows(identity_open)
assert not permission_read.allows(identity_open)
assert not permission_open.allows(identity_read)
assert permission_read.allows(identity_read)
def base_app():
"""Flask application fixture."""
app_ = Flask('testapp')
app_.config.update(
TESTING=True,
JSON_AS_ASCII=True,
SQLALCHEMY_TRACK_MODIFICATIONS=True,
SQLALCHEMY_DATABASE_URI=os.environ.get(
'SQLALCHEMY_DATABASE_URI',
'sqlite:///:memory:'),
SERVER_NAME='localhost',
SECURITY_PASSWORD_SALT='TEST_SECURITY_PASSWORD_SALT',
SECRET_KEY='TEST_SECRET_KEY',
FILES_REST_MULTIPART_CHUNKSIZE_MIN=2,
FILES_REST_MULTIPART_CHUNKSIZE_MAX=20,
FILES_REST_MULTIPART_MAX_PARTS=100,
FILES_REST_TASK_WAIT_INTERVAL=0.1,
FILES_REST_TASK_WAIT_MAX_SECONDS=1,
)
app.test_client_class = JsonClient
InvenioDB(app_)
InvenioAccounts(app_)
InvenioAccess(app_)
InvenioJSONSchemas(app_)
return app_
def app():
"""Create fixture app."""
# Set temporary instance path for sqlite
instance_path = tempfile.mkdtemp()
_app = Flask('testapp', instance_path=instance_path)
InvenioAccess(_app)
InvenioAccounts(_app)
InvenioDB(_app)
InvenioUserProfiles(_app)
InvenioRecords(_app)
InvenioFilesREST(_app)
# UserProfile(_app)
_app.config.update(
SQLALCHEMY_DATABASE_URI=os.environ.get('SQLALCHEMY_DATABASE_URI',
'sqlite:///test.db'),
TESTING=True,
SECRET_KEY='test',
)
with _app.app_context():
yield _app
# Teardown instance path.
shutil.rmtree(instance_path)
def test_init_app(base_app):
"""Test extension initialization."""
app = base_app
ext = InvenioAccess()
assert 'invenio-access' not in app.extensions
ext.init_app(app)
assert 'invenio-access' in app.extensions
def test_load_permissions_on_request_loaded(app):
"""Checks that the needs are loaded during request in the user Identity."""
InvenioAccess(app)
with app.test_request_context():
with app.test_client() as client:
client.get('/')
assert g.identity.provides == {any_user}
def test_load_permissions_on_identity_loaded(app):
"""Check that the needs are loaded properly in the user Identity."""
InvenioAccess(app)
with app.test_request_context():
identity_changed.send(current_app._get_current_object(),
identity=AnonymousIdentity())
assert g.identity.provides == {any_user}
with app.test_request_context():
user = testutils.create_test_user('*****@*****.**')
login_user(user)
assert g.identity.provides == {
any_user, authenticated_user, UserNeed(user.id)
}
logout_user()
# FIXME: The user is still authenticatd when the identity loader
# is called during logout. We could filter on AnonymousIdentity, but
# This would be inconsistent as the UserNeed(user.id) is still there.
# This will pass even if it is unexpected:
# assert g.identity.provides == {
# any_user, authenticated_user, UserNeed(user.id)
# }
# Forcing the identity to reload again cleans the mess. In practice
# this won't be needed as the identity is reloaded between requests.
identity_changed.send(current_app._get_current_object(),
identity=AnonymousIdentity())
assert g.identity.provides == {any_user}
def test_dynamic_permission_needs_cache_invalidation(app):
"""Testing DynamicPermission refreshes needs.
This is important when protecting a view with
@permission.require(http_exception=403)
If cache does not get invalidated, the needs will only be refreshed when
the Python process restarts.
"""
cache = SimpleCache()
InvenioAccess(app, cache=cache)
with app.test_request_context():
user_can_all = User(email='*****@*****.**')
user_can_open = User(email='*****@*****.**')
db.session.add(user_can_all)
db.session.add(user_can_open)
db.session.add(ActionUsers(action='open', user=user_can_all))
db.session.flush()
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.needs == set([Need(method='id', value=1)])
db.session.add(ActionUsers(action='open', user=user_can_open))
db.session.flush()
assert permission_open.needs == set(
[Need(method='id', value=1), Need(method='id', value=2)]
)
def test_actions_entrypoint():
"""Test if the entrypoint is registering actions properly."""
app = Flask('testapp')
ext = InvenioAccess(app)
assert len(ext.actions) == 2
assert ActionNeed('open') in ext.actions.values()
assert ActionNeed('close') in ext.actions.values()
def test_invenio_access_permission_for_system_roles(app):
"""User can access to an action allowed/denied to their system roles."""
InvenioAccess(app)
with app.test_request_context():
db.session.begin(nested=True)
user = User(email='*****@*****.**')
db.session.add(user)
db.session.add(ActionSystemRoles.allow(
action=ActionNeed('open'), role=authenticated_user))
db.session.add(ActionSystemRoles.allow(
action=ActionNeed('write'), role_name='any_user'))
db.session.commit()
permission_open = DynamicPermission(ActionNeed('open'))
permission_write = DynamicPermission(ActionNeed('write'))
identity_anon_user = FakeIdentity(any_user)
identity_auth_user = FakeIdentity(authenticated_user, any_user)
assert not permission_open.allows(identity_anon_user)
assert permission_open.allows(identity_auth_user)
assert permission_write.allows(identity_anon_user)
assert permission_write.allows(identity_auth_user)
def base_app():
"""Flask application fixture."""
app_ = Flask('testapp')
app_.config.update(
TESTING=True,
JSON_AS_ASCII=True,
SQLALCHEMY_TRACK_MODIFICATIONS=True,
SQLALCHEMY_DATABASE_URI=os.environ.get(
'SQLALCHEMY_DATABASE_URI',
'sqlite:///:memory:'),
SERVER_NAME='localhost',
SECURITY_PASSWORD_SALT='TEST_SECURITY_PASSWORD_SALT',
SECRET_KEY='TEST_SECRET_KEY',
FILES_REST_MULTIPART_CHUNKSIZE_MIN=2,
FILES_REST_MULTIPART_CHUNKSIZE_MAX=20,
FILES_REST_MULTIPART_MAX_PARTS=100,
FILES_REST_TASK_WAIT_INTERVAL=0.1,
FILES_REST_TASK_WAIT_MAX_SECONDS=1,
TAXONOMY_SERVER_NAME='taxonomy-server.com',
TAXONOMY_REDIS_URL='redis://localhost:6379/15',
)
app.test_client_class = JsonClient
InvenioDB(app_)
InvenioAccounts(app_)
InvenioAccess(app_)
InvenioJSONSchemas(app_)
OARepoReferences(app_)
app_.extensions['oarepo-references'] = RecordReferencesStateMock(app_)
return app_
def app(request):
"""Flask application fixture."""
instance_path = tempfile.mkdtemp()
app = Flask('testapp', instance_path=instance_path)
app.config.update(
TESTING=True,
SERVER_NAME='localhost:5000',
SQLALCHEMY_DATABASE_URI=os.environ.get('SQLALCHEMY_DATABASE_URI',
'sqlite:///test.db'),
SQLALCHEMY_TRACK_MODIFICATIONS=True,
RECORDS_REST_ENDPOINTS=config.RECORDS_REST_ENDPOINTS,
# No permission checking
RECORDS_REST_DEFAULT_CREATE_PERMISSION_FACTORY=None,
RECORDS_REST_DEFAULT_READ_PERMISSION_FACTORY=None,
RECORDS_REST_DEFAULT_UPDATE_PERMISSION_FACTORY=None,
RECORDS_REST_DEFAULT_DELETE_PERMISSION_FACTORY=None,
RECORDS_REST_DEFAULT_SEARCH_INDEX=ES_INDEX,
RECORDS_REST_SORT_OPTIONS={
ES_INDEX: dict(year=dict(fields=['year'], ))
},
)
app.config['RECORDS_REST_ENDPOINTS']['recid']['search_class'] = TestSearch
# update the application with the configuration provided by the test
if hasattr(request, 'param') and 'config' in request.param:
app.config.update(**request.param['config'])
FlaskCLI(app)
InvenioDB(app)
InvenioREST(app)
InvenioRecords(app)
InvenioPIDStore(app)
InvenioSearch(app)
InvenioAccess(app)
InvenioRecordsREST(app)
with app.app_context():
# Setup app
if not database_exists(str(db.engine.url)) and \
app.config['SQLALCHEMY_DATABASE_URI'] != 'sqlite://':
create_database(db.engine.url)
db.drop_all()
db.create_all()
if current_search_client.indices.exists(ES_INDEX):
current_search_client.indices.delete(ES_INDEX)
current_search_client.indices.create(ES_INDEX)
prepare_indexing(app)
with app.app_context():
# Yield app in request context
with app.test_request_context():
yield app
with app.app_context():
# Teardown app
db.drop_all()
if app.config['SQLALCHEMY_DATABASE_URI'] != 'sqlite://':
drop_database(db.engine.url)
shutil.rmtree(instance_path)
def test_actions(base_app):
"""Test if the actions are registered properly."""
InvenioAccess(base_app, entry_point_actions=None)
with base_app.app_context():
current_access.register_action(ActionNeed('action_a'))
assert len(current_access.actions) == 1
current_access.register_action(ActionNeed('action_b'))
assert len(current_access.actions) == 2
def test_system_roles(base_app):
"""Test if the system roles are registered properly."""
InvenioAccess(base_app, entry_point_system_roles=None)
with base_app.app_context():
current_access.register_system_role(SystemRoleNeed('spn_a'))
assert len(current_access.system_roles) == 1
current_access.register_system_role(SystemRoleNeed('spn_b'))
assert len(current_access.system_roles) == 2
def test_invenio_access_permissions_deny(app):
"""User without any provides can't access to a place limited to user 0"""
InvenioAccess(app)
with app.test_request_context():
permission = DynamicPermission(UserNeed(0))
fake_identity = FakeIdentity()
assert not permission.allows(fake_identity)
def test_invenio_access_permission_cache(app):
"""Caching the user using memory caching."""
cache = SimpleCache()
InvenioAccess(app, cache=cache)
with app.test_request_context():
user_can_all = User(email='*****@*****.**')
user_can_open = User(email='*****@*****.**')
user_can_open_1 = User(email='*****@*****.**')
db.session.add(user_can_all)
db.session.add(user_can_open)
db.session.add(user_can_open_1)
db.session.add(ActionUsers(action='open', user=user_can_all))
db.session.flush()
permission_open = DynamicPermission(ActionNeed('open'))
identity_open = FakeIdentity(UserNeed(user_can_open.id))
assert not permission_open.allows(identity_open)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1)]),
set([])
)
db.session.add(ActionUsers(action='open', user=user_can_open))
db.session.flush()
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.allows(identity_open)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1),
Need(method='id', value=2)]),
set([])
)
db.session.add(ActionUsers(action='open', argument=1,
user=user_can_open_1))
db.session.flush()
identity_open_1 = FakeIdentity(UserNeed(user_can_open_1.id))
permission_open_1 = DynamicPermission(
ParameterizedActionNeed('open', '1'))
assert not permission_open.allows(identity_open_1)
assert permission_open_1.allows(identity_open_1)
assert current_access.get_action_cache('open::1') == (
set([Need(method='id', value=1),
Need(method='id', value=2),
Need(method='id', value=3)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1),
Need(method='id', value=2)]),
set([])
)
def app(request):
"""Flask application fixture."""
instance_path = tempfile.mkdtemp()
app = Flask('testapp', instance_path=instance_path)
es_index = 'invenio_records_rest_test_index'
app.config.update(
TESTING=True,
SERVER_NAME='localhost:5000',
SQLALCHEMY_DATABASE_URI=os.environ.get('SQLALCHEMY_DATABASE_URI',
'sqlite:///test.db'),
SQLALCHEMY_TRACK_MODIFICATIONS=True,
RECORDS_REST_ENDPOINTS=config.RECORDS_REST_ENDPOINTS,
# No permission checking
RECORDS_REST_DEFAULT_CREATE_PERMISSION_FACTORY=None,
RECORDS_REST_DEFAULT_READ_PERMISSION_FACTORY=None,
RECORDS_REST_DEFAULT_UPDATE_PERMISSION_FACTORY=None,
RECORDS_REST_DEFAULT_DELETE_PERMISSION_FACTORY=None,
RECORDS_REST_DEFAULT_SEARCH_INDEX=es_index,
RECORDS_REST_SORT_OPTIONS={
es_index: dict(year=dict(fields=['year'], ))
},
SEARCH_QUERY_ENHANCERS=[filter_record_access_query_enhancer],
)
app.config['RECORDS_REST_ENDPOINTS']['recid']['search_index'] = es_index
# update the application with the configuration provided by the test
if hasattr(request, 'param') and 'config' in request.param:
app.config.update(**request.param['config'])
FlaskCLI(app)
InvenioDB(app)
InvenioREST(app)
InvenioRecords(app)
InvenioPIDStore(app)
InvenioSearch(app)
InvenioAccess(app)
InvenioRecordsREST(app)
with app.app_context():
if not database_exists(str(db.engine.url)) and \
app.config['SQLALCHEMY_DATABASE_URI'] != 'sqlite://':
create_database(db.engine.url)
db.drop_all()
db.create_all()
if current_search_client.indices.exists(es_index):
current_search_client.indices.delete(es_index)
current_search_client.indices.create(es_index)
prepare_indexing(app)
def finalize():
with app.app_context():
db.drop_all()
if app.config['SQLALCHEMY_DATABASE_URI'] != 'sqlite://':
drop_database(db.engine.url)
shutil.rmtree(instance_path)
request.addfinalizer(finalize)
return app
def cli_app(app):
"""Get CLI app object for testing CLI."""
action_open = ActionNeed('open')
action_edit = ParameterizedActionNeed('edit', None)
ext = InvenioAccess(app)
ext.register_action(action_open)
ext.register_action(action_edit)
return app
def app(request):
"""Flask application fixture."""
app_ = Flask('testapp')
app_.config.update(
TESTING=True,
CELERY_ALWAYS_EAGER=True,
CELERY_CACHE_BACKEND="memory",
CELERY_EAGER_PROPAGATES_EXCEPTIONS=True,
CELERY_RESULT_BACKEND="cache",
SQLALCHEMY_DATABASE_URI=os.environ.get('SQLALCHEMY_DATABASE_URI',
'sqlite://'),
SQLALCHEMY_TRACK_MODIFICATIONS=False,
SECRET_KEY='mysecret',
SUPPORT_EMAIL='*****@*****.**',
WTF_CSRF_ENABLED=False,
SERVER_NAME='test.it',
RECORDS_UI_ENDPOINTS=dict(
recid=dict(
pid_type='recid',
route='/records/<pid_value>',
template='invenio_records_ui/detail.html',
),
recid_access_request=dict(
pid_type='recid',
route='/records/<pid_value>/accessrequest',
template='zenodo_accessrequests/access_request.html',
view_imp='zenodo_accessrequests.views.requests.access_request',
methods=['GET', 'POST'],
),
recid_access_request_email_confirm=dict(
pid_type='recid',
route='/records/<pid_value>/accessrequest/<token>/confirm',
# template='invenio_records_ui/detail.html',
view_imp='zenodo_accessrequests.views.requests.confirm',
),
),
)
InvenioFormatter(app_)
Babel(app_)
InvenioDB(app_)
InvenioAccounts(app_)
InvenioRecords(app_)
FlaskMenu(app_)
Mail(app_)
InvenioRecordsUI(app_)
InvenioAccess(app_)
ZenodoAccessRequests(app_)
InvenioPIDStore(app_)
app_.register_blueprint(request_blueprint)
app_.register_blueprint(settings_blueprint)
app_.register_blueprint(blueprint_user)
app_.register_blueprint(create_blueprint_from_app(app_))
with app_.app_context():
yield app_
def script_info(app):
"""Get ScriptInfo object for testing CLI."""
action_open = ActionNeed('open')
action_edit = ParameterizedActionNeed('edit', None)
ext = InvenioAccess(app)
ext.register_action(action_open)
ext.register_action(action_edit)
return ScriptInfo(create_app=lambda info: app)
def app():
"""Flask application fixture."""
instance_path = tempfile.mkdtemp()
app_ = Flask(__name__, instance_path=instance_path)
app_.config.update(
CELERY_ALWAYS_EAGER=True,
CELERY_CACHE_BACKEND='memory',
CELERY_EAGER_PROPAGATES_EXCEPTIONS=True,
CELERY_RESULT_BACKEND='cache',
JSONSCHEMAS_URL_SCHEME='http',
SECRET_KEY='CHANGE_ME',
SECURITY_PASSWORD_SALT='CHANGE_ME_ALSO',
SQLALCHEMY_DATABASE_URI=os.environ.get('SQLALCHEMY_DATABASE_URI',
'sqlite:///test.db'),
SQLALCHEMY_TRACK_MODIFICATIONS=True,
SQLALCHEMY_ECHO=False,
TESTING=True,
WTF_CSRF_ENABLED=False,
DEPOSIT_SEARCH_API='/api/search',
SECURITY_PASSWORD_HASH='plaintext',
SECURITY_PASSWORD_SCHEMES=['plaintext'],
SECURITY_DEPRECATED_PASSWORD_SCHEMES=[],
OAUTHLIB_INSECURE_TRANSPORT=True,
OAUTH2_CACHE_TYPE='simple',
)
app_.url_map.converters['pid'] = PIDConverter
FlaskCLI(app_)
Babel(app_)
FlaskCeleryExt(app_)
InvenioDB(app_)
Breadcrumbs(app_)
InvenioAccounts(app_)
InvenioAccess(app_)
app_.register_blueprint(accounts_blueprint)
InvenioAssets(app_)
InvenioJSONSchemas(app_)
InvenioSearch(app_)
InvenioRecords(app_)
app_.url_map.converters['pid'] = PIDConverter
InvenioRecordsREST(app_)
InvenioPIDStore(app_)
InvenioIndexer(app_)
InvenioDeposit(app_)
InvenioSearchUI(app_)
InvenioRecordsUI(app_)
InvenioFilesREST(app_)
OAuth2Provider(app_)
InvenioOAuth2Server(app_)
InvenioOAuth2ServerREST(app_)
app_.register_blueprint(oauth2server_settings_blueprint)
InvenioDepositREST(app_)
with app_.app_context():
yield app_
shutil.rmtree(instance_path)
def test_entrypoints():
"""Test if the entrypoints are registering actions and roles properly."""
app = Flask('testapp')
ext = InvenioAccess(app)
assert len(ext.actions) == 2
assert ActionNeed('open') in ext.actions.values()
assert ActionNeed('close') in ext.actions.values()
assert len(ext.system_roles) == 2
assert SystemRoleNeed('any_user') in ext.system_roles.values()
assert SystemRoleNeed('authenticated_user') in ext.system_roles.values()
def test_init():
"""Test extension initialization."""
app = Flask('testapp')
Babel(app)
Mail(app)
InvenioDB(app)
InvenioAccounts(app)
ext = InvenioAccess(app)
assert 'invenio-access' in app.extensions
app = Flask('testapp')
Babel(app)
Mail(app)
InvenioDB(app)
InvenioAccounts(app)
ext = InvenioAccess()
assert 'invenio-access' not in app.extensions
ext.init_app(app)
assert 'invenio-access' in app.extensions
def app(base_app):
"""Flask application fixture."""
InvenioAccounts(base_app)
InvenioAccess(base_app)
base_app.register_blueprint(accounts_blueprint)
InvenioFilesREST(base_app)
base_app.register_blueprint(blueprint)
with base_app.app_context():
yield base_app
def script_info_cli_list(base_app, request):
"""Get ScriptInfo object for testing CLI list command."""
action_open = ActionNeed('open')
action_edit = ParameterizedActionNeed('edit', None)
app_ = app(base_app, request)
ext = InvenioAccess(app_)
ext.register_action(action_open)
ext.register_action(action_edit)
return ScriptInfo(create_app=lambda info: app_)
def test_permission(app):
"""Test permission control to records."""
app.config.update(
WTF_CSRF_ENABLED=False,
SECRET_KEY='CHANGEME',
SECURITY_PASSWORD_SALT='CHANGEME',
# conftest switches off permission checking, so re-enable it for this
# app.
RECORDS_UI_DEFAULT_PERMISSION_FACTORY='helpers:'
'only_authenticated_users',
)
Menu(app)
InvenioRecordsUI(app)
accounts = InvenioAccounts(app)
app.register_blueprint(accounts_blueprint)
InvenioAccess(app)
setup_record_fixture(app)
# Create admin
with app.app_context():
accounts.datastore.create_user(
email='*****@*****.**',
password=encrypt_password('123456'),
active=True,
)
# Get record 1
r = Resolver(pid_type='recid',
object_type='rec',
getter=Record.get_record)
dummy_pid, record = r.resolve('1')
db.session.commit()
with app.test_request_context():
login_url = url_for('security.login')
record_url = url_for('invenio_records_ui.recid', pid_value='1')
# Access record 1 as admin
with app.test_client() as client:
res = client.get(record_url)
assert res.status_code == 302
res = client.post(login_url,
data={
'email': '*****@*****.**',
'password': '******'
})
assert res.status_code == 302
res = client.get(record_url)
res.status_code == 200
# Access record 1 as anonymous
with app.test_client() as client:
res = client.get(record_url)
res.status_code == 403
def test_invenio_access_permission_for_users(app):
"""User can access to an action allowed/denied to the user"""
InvenioAccess(app)
with app.test_request_context():
db.session.begin(nested=True)
superuser = User(email='*****@*****.**')
user_can_all = User(email='*****@*****.**')
user_can_read = User(email='*****@*****.**')
user_can_open = User(email='*****@*****.**')
db.session.add(superuser)
db.session.add(user_can_all)
db.session.add(user_can_read)
db.session.add(user_can_open)
db.session.add(ActionUsers(action='superuser-access', user=superuser))
db.session.add(ActionUsers(action='open', user=user_can_all))
db.session.add(ActionUsers(action='open', user=user_can_open))
db.session.add(ActionUsers(action='read', user=user_can_all))
db.session.add(ActionUsers(action='read', user=user_can_read))
db.session.add(ActionUsers(action='not_logged', user=user_can_all))
db.session.commit()
permission_open = DynamicPermission(ActionNeed('open'))
permission_read = DynamicPermission(ActionNeed('read'))
permission_not_logged = DynamicPermission(ActionNeed('not_logged'))
identity_superuser = FakeIdentity(UserNeed(superuser.id))
identity_all = FakeIdentity(UserNeed(user_can_all.id))
identity_read = FakeIdentity(UserNeed(user_can_read.id))
identity_open = FakeIdentity(UserNeed(user_can_open.id))
identity_unknown = AnonymousIdentity()
# global permissions
assert permission_open.allows(identity_superuser)
assert permission_read.allows(identity_superuser)
assert permission_open.allows(identity_all)
assert permission_read.allows(identity_all)
assert permission_not_logged.allows(identity_all)
assert permission_open.allows(identity_open)
assert not permission_read.allows(identity_open)
assert not permission_not_logged.allows(identity_open)
assert not permission_open.allows(identity_read)
assert permission_read.allows(identity_read)
assert not permission_not_logged.allows(identity_read)
assert not permission_open.allows(identity_unknown)
assert not permission_read.allows(identity_unknown)
def test_disabled_loader(app):
"""Check that system role loading function can be disabled."""
app.config.update(ACCESS_LOAD_SYSTEM_ROLE_NEEDS=False)
InvenioAccess(app)
assert load_permissions_on_identity_loaded not in \
identity_loaded.receivers.values()
with app.test_request_context():
identity_changed.send(current_app._get_current_object(),
identity=AnonymousIdentity())
assert g.identity.provides == set()
def factory(**config):
app = Flask('testapp')
app.config.update(SERVER_NAME='localhost', **config)
InvenioDB(app)
InvenioAccounts(app)
InvenioAccess(app)
InvenioFilesREST(app)
InvenioIIIFAPI(app)
app.register_blueprint(blueprint)
return app
