def test_invenio_access_permission_for_users(app):
"""User can access to an action allowed/denied to the user"""
InvenioAccess(app)
with app.test_request_context():
db.session.begin(nested=True)
user_can_all = User(email='*****@*****.**')
user_can_read = User(email='*****@*****.**')
user_can_open = User(email='*****@*****.**')
db.session.add(user_can_all)
db.session.add(user_can_read)
db.session.add(user_can_open)
db.session.add(ActionUsers(action='open', user=user_can_all))
db.session.add(ActionUsers(action='open', user=user_can_open))
db.session.add(ActionUsers(action='read', user=user_can_all))
db.session.add(ActionUsers(action='read', user=user_can_read))
db.session.commit()
permission_open = DynamicPermission(ActionNeed('open'))
permission_read = DynamicPermission(ActionNeed('read'))
identity_all = FakeIdentity(UserNeed(user_can_all.id))
identity_read = FakeIdentity(UserNeed(user_can_read.id))
identity_open = FakeIdentity(UserNeed(user_can_open.id))
assert permission_open.allows(identity_all)
assert permission_read.allows(identity_all)
assert permission_open.allows(identity_open)
assert not permission_read.allows(identity_open)
assert not permission_open.allows(identity_read)
assert permission_read.allows(identity_read)
def example_group(app):
"""
Create example groups.
:param app: An instance of :class:`~flask.Flask`.
:return: App object.
"""
with app.app_context():
admin = User(email='*****@*****.**', password='******')
member = User(email='*****@*****.**', password='******')
non_member = User(email='*****@*****.**', password='******')
db.session.add(admin)
db.session.add(member)
db.session.add(non_member)
group = Group.create(name='test_group', admins=[admin])
membership = group.invite(member)
membership.accept()
admin_id = admin.id
member_id = member.id
non_member_id = non_member.id
group_id = group.id
db.session.commit()
app.get_admin = lambda: User.query.get(admin_id)
app.get_member = lambda: User.query.get(member_id)
app.get_non_member = lambda: User.query.get(non_member_id)
app.get_group = lambda: Group.query.get(group_id)
return app
def test_permission_factory(app, db, action, permission_factory):
"""Test revisions."""
InvenioAccess(app)
rec_uuid = uuid.uuid4()
with db.session.begin_nested():
user_all = User(email='*****@*****.**')
user_one = User(email='*****@*****.**')
user_none = User(email='*****@*****.**')
db.session.add(user_all)
db.session.add(user_one)
db.session.add(user_none)
db.session.add(ActionUsers(action=action, user=user_all,
argument=None))
db.session.add(
ActionUsers(action=action, user=user_one, argument=str(rec_uuid)))
record = Record.create({'title': 'permission test'}, id_=rec_uuid)
# Create a record and assign permissions.
permission = permission_factory(record)
# Assert which permissions has access.
assert permission.allows(FakeIdentity(UserNeed(user_all.id)))
assert permission.allows(FakeIdentity(UserNeed(user_one.id)))
assert not permission.allows(FakeIdentity(UserNeed(user_none.id)))
def test_invite_by_emails(app):
"""
Test invite by emails.
:param app: The flask application.
"""
with app.app_context():
u1 = User(email='*****@*****.**', password='******')
u2 = User(email='*****@*****.**', password='******')
g = Group.create(name='test_group')
db.session.add(u1)
db.session.add(u2)
db.session.commit()
result = g.invite_by_emails(
[u1.email, u2.email, '*****@*****.**'])
assert result[0].state.code is MembershipState.PENDING_USER
assert result[1].state.code is MembershipState.PENDING_USER
assert result[2] is None
assert g.is_member(u1, with_pending=True)
assert g.is_member(u2, with_pending=True)
assert not g.is_member('*****@*****.**', with_pending=True)
def test_create_profile(app):
"""Test that userprofile can be patched using UserAccount constructor."""
with app.app_context():
user = User(
email='*****@*****.**',
)
db.session.add(user)
db.session.commit()
user_id = user.id
patch_user = User(
id=user_id,
email='*****@*****.**',
profile={'full_name': 'updated_full_name'}
)
db.session.merge(patch_user)
db.session.commit()
patch_user = User(
id=user_id,
profile={'username': '******'}
)
db.session.merge(patch_user)
db.session.commit()
user = User.query.filter(User.id == user_id).one()
assert user.profile.full_name == 'updated_full_name'
assert user.email == '*****@*****.**'
assert user.profile.username == 'test_username'
def test_group_is_member(app):
"""
Test if group is member.
:param app: The flask application.
"""
with app.app_context():
from weko_groups.models import Group
from invenio_accounts.models import User
g = Group.create(name='test_group')
u = User(email='*****@*****.**', password='******')
u2 = User(email='*****@*****.**', password='******')
u3 = User(email='*****@*****.**', password='******')
db.session.add(u)
db.session.add(u2)
db.session.add(u3)
db.session.commit()
g.add_member(u)
g.add_member(u2, state=MembershipState.PENDING_USER)
g.add_member(u3, state=MembershipState.PENDING_ADMIN)
assert g.is_member(u)
assert not g.is_member(u2)
assert g.is_member(u2, with_pending=True)
assert not g.is_member(u3)
assert g.is_member(u3, with_pending=True)
def test_membership_query_invitations(app):
"""
Test membership query invitations.
:param app: The flask application.
"""
with app.app_context():
from weko_groups.models import Group, Membership, \
MembershipState
from invenio_accounts.models import User
from flask_sqlalchemy import BaseQuery
g = Group.create(name="test")
u1 = User(email="*****@*****.**", password="******")
u2 = User(email="[email protected]", password="******")
u3 = User(email="[email protected]", password="******")
db.session.add_all([u1, u2, u3])
db.session.commit()
Membership.create(g, u1, MembershipState.ACTIVE)
Membership.create(g, u2, MembershipState.PENDING_USER)
Membership.create(g, u3, MembershipState.PENDING_ADMIN)
assert isinstance(Membership.query_by_user(u1), BaseQuery)
assert Membership.query_invitations(u1).count() == 0
assert Membership.query_invitations(u2).count() == 1
assert Membership.query_invitations(u3).count() == 0
def users(app):
# Create test users
encrypted_password = encrypt_password('123456')
user = User(
email='*****@*****.**',
password=encrypted_password,
active=True
)
user_partially_allowed = User(
email='*****@*****.**',
password=encrypted_password,
active=True,
)
user_allowed = User(
email='*****@*****.**',
password=encrypted_password,
active=True,
)
db.session.add_all(
[user, user_partially_allowed, user_allowed]
)
db.session.commit()
# Create actions for the allowed user
restricted_collection_action = ActionUsers(
action='view-restricted-collection',
argument='Restricted Collection',
user_id=user_allowed.id
)
another_restricted_collection_action = ActionUsers(
action='view-restricted-collection',
argument='Another Restricted Collection',
user_id=user_allowed.id
)
# Create actions for the partially allowed user
partial_restricted_collection_action = ActionUsers(
action='view-restricted-collection',
argument='Restricted Collection',
user_id=user_partially_allowed.id
)
db.session.add_all(
[
restricted_collection_action,
another_restricted_collection_action,
partial_restricted_collection_action
]
)
db.session.commit()
yield
SessionActivity.query.delete()
ActionUsers.query.filter_by(action='view-restricted-collection').delete()
User.query.filter_by(email='*****@*****.**').delete()
User.query.filter_by(email='*****@*****.**').delete()
User.query.filter_by(email='*****@*****.**').delete()
db.session.commit()
def test_group_invite(app):
"""
Test group invite.
:param app: The flask application.
"""
with app.app_context():
from weko_groups.models import Group, Membership, \
MembershipState
from invenio_accounts.models import User
g = Group.create(name="test")
u = User(email="*****@*****.**", password="******")
u2 = User(email="*****@*****.**", password="******")
db.session.add(u)
db.session.add(u2)
db.session.commit()
m = g.invite(u)
assert Membership.query.count() == 1
assert m.state == MembershipState.PENDING_USER
a = Group.create(name="admin")
g2 = Group.create(name="test2", admins=[a])
assert g2.invite(u2, admin=g) is None
m = g2.invite(u2, admin=a)
assert Membership.query.count() == 2
assert m.state == MembershipState.PENDING_USER
def test_file_permissions(app, db, record_with_files_creation, user,
access_right, expected):
"""Test file permissions."""
pid, record, record_url = record_with_files_creation
# Create test users
admin = User(email='*****@*****.**', password='******')
owner = User(email='*****@*****.**', password='******')
auth = User(email='*****@*****.**', password='******')
db.session.add_all([admin, owner, auth])
db.session.add(ActionUsers.allow(ActionNeed('admin-access'), user=admin))
db.session.commit()
# Create test record
record['access_right'] = access_right
record['owners'] = [owner.id]
record.commit()
db.session.commit()
file_url = url_for(
'invenio_records_ui.recid_files',
pid_value=pid.pid_value,
filename='Test.pdf',
)
with app.test_client() as client:
if user:
# Login as user
with client.session_transaction() as sess:
sess['user_id'] = User.query.filter_by(
email='{}@zenodo.org'.format(user)).one().id
sess['_fresh'] = True
res = client.get(file_url)
assert res.status_code == expected
def test_dynamic_permission_needs_cache_invalidation(app):
"""Testing DynamicPermission refreshes needs.
This is important when protecting a view with
@permission.require(http_exception=403)
If cache does not get invalidated, the needs will only be refreshed when
the Python process restarts.
"""
cache = SimpleCache()
InvenioAccess(app, cache=cache)
with app.test_request_context():
user_can_all = User(email='*****@*****.**')
user_can_open = User(email='*****@*****.**')
db.session.add(user_can_all)
db.session.add(user_can_open)
db.session.add(ActionUsers(action='open', user=user_can_all))
db.session.flush()
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.needs == set([Need(method='id', value=1)])
db.session.add(ActionUsers(action='open', user=user_can_open))
db.session.flush()
assert permission_open.needs == set(
[Need(method='id', value=1), Need(method='id', value=2)]
)
def users(app):
"""Create user fixtures."""
hashed_password = hash_password('123456')
user = User(email='*****@*****.**',
password=hashed_password,
active=True)
user_allowed = User(email='*****@*****.**',
password=hashed_password,
active=True)
db.session.add_all([user, user_allowed])
db.session.commit()
author_admin = ActionUsers(action='admin-holdingpen-authors',
user_id=user_allowed.id)
db.session.add(author_admin)
db.session.commit()
yield
ActionUsers.query.filter_by(action='admin-holdingpen-authors').delete()
User.query.filter_by(email='*****@*****.**').delete()
User.query.filter_by(email='*****@*****.**').delete()
db.session.commit()
def users():
"""Create users needed in this test module."""
curator = User(
email='*****@*****.**',
password=hash_password('curator'),
active=True,
)
scientist = User(
email='*****@*****.**',
password=hash_password('scientist'),
active=True,
)
db.session.add_all([curator, scientist])
db.session.commit()
curator_action = ActionUsers(
action='editor_manage_tickets',
argument=None,
user_id=curator.id,
)
db.session.add(curator_action)
db.session.commit()
yield
ActionUsers.query.filter_by(action='editor_manage_tickets').delete()
User.query.filter_by(email='*****@*****.**').delete()
User.query.filter_by(email='*****@*****.**').delete()
db.session.commit()
def test_invenio_access_permission_cache_redis(app):
"""Caching the user using redis."""
cache = RedisCache()
InvenioAccess(app, cache=cache)
with app.test_request_context():
user_can_all = User(email='*****@*****.**')
user_can_open = User(email='*****@*****.**')
db.session.add(user_can_all)
db.session.add(user_can_open)
db.session.add(ActionUsers(action='open', user=user_can_all))
db.session.flush()
identity_open = FakeIdentity(UserNeed(user_can_open.id))
permission_open = DynamicPermission(ActionNeed('open'))
assert not permission_open.allows(identity_open)
assert current_access.get_action_cache('open') == (set(
[Need(method='id', value=1)]), set([]))
db.session.add(ActionUsers(action='open', user=user_can_open))
db.session.flush()
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.allows(identity_open)
assert current_access.get_action_cache('open') == (set(
[Need(method='id', value=1),
Need(method='id', value=2)]), set([]))
def setUp(self):
super(ProviderTestCase, self).setUp()
# Set environment variable DEBUG to true, to allow testing without
# SSL in oauthlib.
if self.app.config.get('CFG_SITE_SECURE_URL').startswith('http://'):
self.os_debug = os.environ.get('OAUTHLIB_INSECURE_TRANSPORT', '')
os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = 'true'
from invenio_accounts.models import User
from invenio_oauth2server.models import Client, Scope
from invenio_oauth2server.registry import scopes as scopes_registry
# Register a test scope
scopes_registry.register(Scope('test:scope'))
self.base_url = self.app.config.get('CFG_SITE_SECURE_URL')
# Create needed objects
u = User(email='*****@*****.**', nickname='tester')
u.password = "******"
u2 = User(email='*****@*****.**', nickname='tester2')
u2.password = "******"
db.session.add(u)
db.session.add(u2)
c1 = Client(client_id='dev',
client_secret='dev',
name='dev',
description='',
is_confidential=False,
user=u,
_redirect_uris='%s/oauth2test/authorized' % self.base_url,
_default_scopes="test:scope")
c2 = Client(client_id='confidential',
client_secret='confidential',
name='confidential',
description='',
is_confidential=True,
user=u,
_redirect_uris='%s/oauth2test/authorized' % self.base_url,
_default_scopes="test:scope")
db.session.add(c1)
db.session.add(c2)
db.session.commit()
self.objects = [u, u2, c1, c2]
# Create a personal access token as well.
from invenio_oauth2server.models import Token
self.personal_token = Token.create_personal('test-personal',
1,
scopes=[],
is_internal=True)
def test_invenio_access_permission_cache(app):
"""Caching the user using memory caching."""
cache = SimpleCache()
InvenioAccess(app, cache=cache)
with app.test_request_context():
user_can_all = User(email='*****@*****.**')
user_can_open = User(email='*****@*****.**')
user_can_open_1 = User(email='*****@*****.**')
db.session.add(user_can_all)
db.session.add(user_can_open)
db.session.add(user_can_open_1)
db.session.add(ActionUsers(action='open', user=user_can_all))
db.session.flush()
permission_open = DynamicPermission(ActionNeed('open'))
identity_open = FakeIdentity(UserNeed(user_can_open.id))
assert not permission_open.allows(identity_open)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1)]),
set([])
)
db.session.add(ActionUsers(action='open', user=user_can_open))
db.session.flush()
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.allows(identity_open)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1),
Need(method='id', value=2)]),
set([])
)
db.session.add(ActionUsers(action='open', argument=1,
user=user_can_open_1))
db.session.flush()
identity_open_1 = FakeIdentity(UserNeed(user_can_open_1.id))
permission_open_1 = DynamicPermission(
ParameterizedActionNeed('open', '1'))
assert not permission_open.allows(identity_open_1)
assert permission_open_1.allows(identity_open_1)
assert current_access.get_action_cache('open::1') == (
set([Need(method='id', value=1),
Need(method='id', value=2),
Need(method='id', value=3)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1),
Need(method='id', value=2)]),
set([])
)
def test_verify_email_works_with_numbers_and_strings(self):
from invenio_accounts.models import User
u = User(email="*****@*****.**", password="")
u.note = 2
self.assertTrue(u.verify_email())
u2 = User(email="*****@*****.**", password="")
u2.note = "2"
self.assertTrue(u2.verify_email())
def test_invenio_access_permission_for_users(app):
"""User can access to an action allowed/denied to the user"""
InvenioAccess(app)
with app.test_request_context():
db.session.begin(nested=True)
superuser = User(email='*****@*****.**')
user_can_all = User(email='*****@*****.**')
user_can_read = User(email='*****@*****.**')
user_can_open = User(email='*****@*****.**')
db.session.add(superuser)
db.session.add(user_can_all)
db.session.add(user_can_read)
db.session.add(user_can_open)
db.session.add(ActionUsers(action='superuser-access', user=superuser))
db.session.add(ActionUsers(action='open', user=user_can_all))
db.session.add(ActionUsers(action='open', user=user_can_open))
db.session.add(ActionUsers(action='read', user=user_can_all))
db.session.add(ActionUsers(action='read', user=user_can_read))
db.session.add(ActionUsers(action='not_logged', user=user_can_all))
db.session.commit()
permission_open = DynamicPermission(ActionNeed('open'))
permission_read = DynamicPermission(ActionNeed('read'))
permission_not_logged = DynamicPermission(ActionNeed('not_logged'))
identity_superuser = FakeIdentity(UserNeed(superuser.id))
identity_all = FakeIdentity(UserNeed(user_can_all.id))
identity_read = FakeIdentity(UserNeed(user_can_read.id))
identity_open = FakeIdentity(UserNeed(user_can_open.id))
identity_unknown = AnonymousIdentity()
# global permissions
assert permission_open.allows(identity_superuser)
assert permission_read.allows(identity_superuser)
assert permission_open.allows(identity_all)
assert permission_read.allows(identity_all)
assert permission_not_logged.allows(identity_all)
assert permission_open.allows(identity_open)
assert not permission_read.allows(identity_open)
assert not permission_not_logged.allows(identity_open)
assert not permission_open.allows(identity_read)
assert permission_read.allows(identity_read)
assert not permission_not_logged.allows(identity_read)
assert not permission_open.allows(identity_unknown)
assert not permission_read.allows(identity_unknown)
def test_case_insensitive_username(app):
"""Test case-insensitive uniqueness."""
with app.app_context():
with db.session.begin_nested():
u1 = User(email='*****@*****.**')
u2 = User(email='*****@*****.**')
db.session.add(u1, u2)
profile1 = UserProfile(user=u1, username="******")
profile2 = UserProfile(user=u2, username="******")
db.session.add(profile1)
db.session.add(profile2)
pytest.raises(IntegrityError, db.session.commit)
def setUp(self):
super(RemoteTokenTestCase, self).setUp()
from invenio_accounts.models import User
u1 = User(nickname='RemoteTokenTestCaseUser1', password='')
u2 = User(nickname='RemoteTokenTestCaseUser2', password='')
u3 = User(nickname='RemoteTokenTestCaseUser3', password='')
db.session.add(u1)
db.session.add(u2)
db.session.add(u3)
db.session.commit()
self.u1 = u1.id
self.u2 = u2.id
self.u3 = u3.id
db.session.expunge_all()
def sync_user_and_profile(cls, data):
"""Create or update the rero user with the patron data.
:param data - dict representing the patron data
"""
# start a session to be able to rollback if the data are not valid
with db.session.begin_nested():
user = cls._get_user_by_data(data)
# need to create the user
if not user:
birth_date = data.get('birth_date')
# sanity check
if not birth_date:
raise RecordValidationError('birth_date field is required')
# the default password is the birth date
user = User(email=data.get('email'),
password=hash_password(birth_date),
profile=dict(),
active=True)
db.session.add(user)
# update all common fields
for field in cls.profile_fields:
# date field need conversion
if field == 'birth_date':
setattr(user.profile, field,
datetime.strptime(data.get(field), '%Y-%m-%d'))
else:
setattr(user.profile, field, data.get(field, ''))
db.session.merge(user)
if not data.get('user_id'):
# the fresh created user
return user
def mock_user(app, request):
def teardown(app):
with app.app_context():
user = User.query.filter_by(id=2).first()
token = RemoteToken.query.filter_by(access_token='123').first()
user_identity = UserIdentity.query.filter_by(
id='0000-0001-9412-8627', method='orcid').first()
remote_account = RemoteAccount.query.filter_by(user_id=2).first()
with db.session.begin_nested():
db.session.delete(token)
db.session.delete(user_identity)
db.session.delete(remote_account)
db.session.delete(user)
db.session.commit()
request.addfinalizer(lambda: teardown(app))
user = User(id=2, )
token = RemoteToken(id_remote_account=1, access_token='123')
user_identity = UserIdentity(id='0000-0001-9412-8627',
id_user='******',
method='orcid')
remote_account = RemoteAccount(id=1,
user_id=2,
extra_data={},
client_id=1,
user=user)
with app.app_context():
with db.session.begin_nested():
db.session.add(user)
db.session.add(user_identity)
db.session.add(remote_account)
db.session.add(token)
db.session.commit()
return MockUser(app)
def system_user(app, db):
"""Create a regular system user."""
user = User(**dict(email="*****@*****.**", active=True))
db.session.add(user)
db.session.commit()
user_id = user.id
identity = UserIdentity(**dict(id="1", method="cern", id_user=user_id))
db.session.add(identity)
profile = UserProfile(
**dict(
user_id=user_id,
_displayname="id_" + str(user_id),
full_name="System User",
)
)
db.session.add(profile)
remote_account = RemoteAccount(
client_id="CLIENT_ID",
**dict(
user_id=user_id,
extra_data=dict(person_id="1", department="Department"),
)
)
db.session.add(remote_account)
db.session.commit()
return user
def oauth_register(account_info, form_data=None):
"""Register user if possible."""
from invenio_accounts.models import User
email = account_info.get("email")
if form_data and form_data.get("email"):
email = form_data.get("email")
if email:
note = '1'
if cfg['CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_NEW_ACCOUNT']:
note = '2'
if not User.query.filter_by(email=email).first():
# Email does not already exists. so we can proceed to register
# user.
u = User(nickname=account_info.get('nickname', ''),
email=email,
password=None,
note=note)
try:
db.session.add(u)
db.session.commit()
except Exception:
current_app.logger.exception("Cannot create user")
return None
# verify the email
if note == '2':
u.verify_email()
return UserInfo(u.id)
return None
def _import_users(users, users_identities, users_profiles,
remote_accounts):
"""Import users in db."""
click.secho('Migrating {0} users'.format(len(users)), fg='green')
for user in users:
user = User(**user)
db.session.add(user)
click.secho('Migrating {0} user identities'.format(
len(users_identities)),
fg='green')
for identity in users_identities:
user_identity = UserIdentity(**identity)
db.session.add(user_identity)
click.secho('Migrating {0} user profiles'.format(len(users_profiles)),
fg='green')
for profile in users_profiles:
user_profile = UserProfile(**profile)
db.session.add(user_profile)
click.secho('Migrating {0} remote accoutns'.format(
len(remote_accounts)),
fg='green')
client_id = current_app.config['CERN_APP_CREDENTIALS']['consumer_key']
for account in remote_accounts:
remote_account = RemoteAccount(client_id=client_id, **account)
db.session.add(remote_account)
db.session.commit()
def test_profiles(app):
"""Test the user profile."""
user = User(email="*****@*****.**")
profile = {
"full_name": "Invenio Admin",
}
with pytest.raises(ValueError):
# the profile doesn't expect an 'email' value
user.user_profile = {
**profile,
"email": "*****@*****.**",
}
assert user.user_profile == {}
# a valid profile should be accepted
user.user_profile = profile
assert dict(user.user_profile) == profile
# setting expected properties should work
assert len(user.user_profile) == 1
assert user.user_profile["full_name"] == "Invenio Admin"
# but setting unexpected properties should not work
with pytest.raises(ValueError):
user.user_profile["invalid"] = "value"
# similar with wrong types for expected fields
with pytest.raises(ValueError):
user.user_profile["email"] = 1
assert len(user.user_profile) == 1
assert user.user_profile["full_name"] == "Invenio Admin"
def test_get_job_recipient_internal_uid(base_app, db, es_clear):
expected_email = "*****@*****.**"
user = User()
user.email = expected_email
user.active = True
user.id = 23
db.session.add(user)
test_user = UserIdentity(id="user", method="test", id_user=user.id)
db.session.add(test_user)
job = {
"acquisition_source": {
"datetime": "2019-07-04T11:21:22.611086",
"email": "*****@*****.**",
"internal_uid": user.id,
"method": "submitter",
"orcid": "0000-0002-8672-7088",
"source": "submitter",
"submission_number": "None",
}
}
email = get_job_recipient(job)
# The email is not the one in acquisition_source but in the user account
assert email == expected_email
def setup_app(app):
with app.app_context():
db.drop_all()
db.create_all()
reindex_all(recreate=True)
ctx = app.test_request_context()
ctx.push()
user_count = User.query.filter_by(email='*****@*****.**').count()
if user_count == 0:
user = User(email=TEST_EMAIL, password='******', active=True)
admin_role = Role(name='admin')
coordinator_role = Role(name='coordinator')
user.roles.append(admin_role)
user.roles.append(coordinator_role)
db.session.add(admin_role)
db.session.add(coordinator_role)
db.session.add(user)
db.session.commit()
yield app
ctx.pop()
def patron1(app, db):
"""Create a patron user."""
user = User(**dict(email="*****@*****.**", active=True))
db.session.add(user)
db.session.commit()
user_id = user.id
identity = UserIdentity(**dict(id="1", method="cern", id_user=user_id))
db.session.add(identity)
profile = UserProfile(
**dict(
user_id=user_id,
_displayname="id_" + str(user_id),
full_name="System User",
)
)
db.session.add(profile)
client_id = app.config["CERN_APP_OPENID_CREDENTIALS"]["consumer_key"]
remote_account = RemoteAccount(
client_id=client_id,
**dict(
user_id=user_id,
extra_data=dict(person_id="1", department="Department"),
)
)
db.session.add(remote_account)
db.session.commit()
return user
def test_invenio_access_permission_for_system_roles(app):
"""User can access to an action allowed/denied to their system roles."""
InvenioAccess(app)
with app.test_request_context():
db.session.begin(nested=True)
user = User(email='*****@*****.**')
db.session.add(user)
db.session.add(ActionSystemRoles.allow(
action=ActionNeed('open'), role=authenticated_user))
db.session.add(ActionSystemRoles.allow(
action=ActionNeed('write'), role_name='any_user'))
db.session.commit()
permission_open = DynamicPermission(ActionNeed('open'))
permission_write = DynamicPermission(ActionNeed('write'))
identity_anon_user = FakeIdentity(any_user)
identity_auth_user = FakeIdentity(authenticated_user, any_user)
assert not permission_open.allows(identity_anon_user)
assert permission_open.allows(identity_auth_user)
assert permission_write.allows(identity_anon_user)
assert permission_write.allows(identity_auth_user)
