예제 #1
0
파일: models.py 프로젝트: llehtine/b2share
def receive_before_insert(mapper, connection, target):
    """Create community admin and member roles and add their permissions."""
    from b2share.modules.deposit.permissions import (
        create_deposit_need_factory,
        read_deposit_need_factory,
        update_deposit_metadata_need_factory,
        update_deposit_publication_state_need_factory,
    )
    from b2share.modules.deposit.api import PublicationStates

    admin_role = Role(name=_community_admin_role_name(target),
                      description='Admin role of the community "{}"'.format(
                          target.name))
    member_role = Role(name=_community_member_role_name(target),
                       description='Member role of the community "{}"'.format(
                           target.name))

    db.session.add(admin_role)
    db.session.add(member_role)
    member_needs = [
        create_deposit_need_factory(str(target.id)),
    ]
    admin_needs = [
        read_deposit_need_factory(
            community=str(target.id),
            publication_state=PublicationStates.submitted.name),
        read_deposit_need_factory(
            community=str(target.id),
            publication_state=PublicationStates.published.name),
        update_deposit_metadata_need_factory(
            community=str(target.id),
            publication_state=PublicationStates.submitted.name),
        # permission to publish a submission
        update_deposit_publication_state_need_factory(
            community=str(target.id),
            old_state=PublicationStates.submitted.name,
            new_state=PublicationStates.published.name),
        # permission to ask the owners to fix a submission before resubmitting
        update_deposit_publication_state_need_factory(
            community=str(target.id),
            old_state=PublicationStates.submitted.name,
            new_state=PublicationStates.draft.name)
    ]
    for need in member_needs:
        db.session.add(ActionRoles.allow(need, role=member_role))
    for need in chain(member_needs, admin_needs):
        db.session.add(ActionRoles.allow(need, role=admin_role))
def test_deposit_search_permissions(app, draft_deposits, submitted_deposits,
                                    test_users, login_user, test_communities):
    """Test deposit search permissions."""
    with app.app_context():
        # flush the indices so that indexed deposits are searchable
        current_search_client.indices.flush('*')

        admin = test_users['admin']
        creator = test_users['deposits_creator']
        non_creator = create_user('non-creator')

        permission_to_read_all_submitted_deposits = read_deposit_need_factory(
            community=str(test_communities['MyTestCommunity2']),
            publication_state='submitted',
        )
        allowed_role = create_role(
            'allowed_role',
            permissions=[permission_to_read_all_submitted_deposits])
        user_allowed_by_role = create_user('user-allowed-by-role',
                                           roles=[allowed_role])
        user_allowed_by_permission = create_user(
            'user-allowed-by-permission',
            permissions=[permission_to_read_all_submitted_deposits])

        community = Community.get(test_communities['MyTestCommunity2'])
        com_member = create_user('com_member', roles=[community.member_role])
        com_admin = create_user('com_admin', roles=[community.admin_role])

        search_deposits_url = url_for('b2share_records_rest.b2rec_list',
                                      drafts=1,
                                      size=100)
        headers = [('Content-Type', 'application/json'),
                   ('Accept', 'application/json')]

        def test_search(status, expected_deposits, user=None):
            with app.test_client() as client:
                if user is not None:
                    login_user(user, client)
                deposit_search_res = client.get(search_deposits_url,
                                                headers=headers)
                assert deposit_search_res.status_code == status
                # test the response data only when the user is allowed to
                # search for deposits
                if status != 200:
                    return
                deposit_search_data = json.loads(
                    deposit_search_res.get_data(as_text=True))

                assert deposit_search_data['hits']['total'] == \
                    len(expected_deposits)

                deposit_pids = [
                    hit['id'] for hit in deposit_search_data['hits']['hits']
                ]
                expected_deposit_pids = [
                    dep.deposit_id.hex for dep in expected_deposits
                ]
                deposit_pids.sort()
                expected_deposit_pids.sort()
                assert deposit_pids == expected_deposit_pids

        test_search(200, draft_deposits + submitted_deposits, creator)
        test_search(200, draft_deposits + submitted_deposits, admin)
        test_search(401, [], None)
        test_search(200, [], non_creator)

        # search for submitted records
        community2_deposits = [
            dep for dep in submitted_deposits if dep.data['community'] == str(
                test_communities['MyTestCommunity2'])
        ]
        test_search(200, community2_deposits, user_allowed_by_role)
        test_search(200, community2_deposits, user_allowed_by_permission)

        # community admin should have access to all submitted records
        # in their community
        test_search(200, [], com_member)
        test_search(200, community2_deposits, com_admin)
예제 #3
0
def receive_before_insert(mapper, connection, target):
    """Create community admin and member roles and add their permissions."""
    from b2share.modules.deposit.permissions import (
        create_deposit_need_factory,
        read_deposit_need_factory,
        update_deposit_metadata_need_factory,
        update_deposit_publication_state_need_factory,
    )
    from b2share.modules.deposit.api import PublicationStates
    from b2share.modules.records.permissions import (
        update_record_metadata_need_factory, )
    from b2share.modules.users.permissions import (
        assign_role_need_factory,
        search_accounts_need,
    )
    admin_role = Role(name=_community_admin_role_name(target),
                      description='Admin role of the community "{}"'.format(
                          target.name))
    member_role = Role(name=_community_member_role_name(target),
                       description='Member role of the community "{}"'.format(
                           target.name))

    db.session.add(admin_role)
    db.session.add(member_role)
    member_needs = [
        create_deposit_need_factory(str(target.id)),
    ]
    admin_needs = [
        read_deposit_need_factory(
            community=str(target.id),
            publication_state=PublicationStates.submitted.name),
        read_deposit_need_factory(
            community=str(target.id),
            publication_state=PublicationStates.published.name),
        update_deposit_metadata_need_factory(
            community=str(target.id),
            publication_state=PublicationStates.submitted.name),
        # permission to publish a submission
        update_deposit_publication_state_need_factory(
            community=str(target.id),
            old_state=PublicationStates.submitted.name,
            new_state=PublicationStates.published.name),
        # permission to ask the owners to fix a submission before resubmitting
        update_deposit_publication_state_need_factory(
            community=str(target.id),
            old_state=PublicationStates.submitted.name,
            new_state=PublicationStates.draft.name),
        # permission to update the metadata of a published record
        update_record_metadata_need_factory(community=str(target.id), ),
        # allow to assign any role owned by this community
        assign_role_need_factory(community=target.id),
        # allow to list users' accounts
        search_accounts_need,
    ]
    for need in member_needs:
        db.session.add(ActionRoles.allow(need, role=member_role))
    for need in chain(member_needs, admin_needs):
        db.session.add(ActionRoles.allow(need, role=admin_role))

    oaiset = OAISet(spec=str(target.id),
                    name=target.name,
                    description=target.description)
    db.session.add(oaiset)
예제 #4
0
def test_deposit_search_permissions(app, draft_deposits, submitted_deposits,
                                    test_users, login_user, test_communities):
    """Test deposit search permissions."""
    with app.app_context():
        # flush the indices so that indexed deposits are searchable
        current_search_client.indices.flush('*')

        admin = test_users['admin']
        creator = test_users['deposits_creator']
        non_creator = create_user('non-creator')

        permission_to_read_all_submitted_deposits = read_deposit_need_factory(
            community=str(test_communities['MyTestCommunity2']),
            publication_state='submitted',
        )
        allowed_role = create_role(
            'allowed_role',
            permissions=[
                permission_to_read_all_submitted_deposits
            ]
        )
        user_allowed_by_role = create_user('user-allowed-by-role',
                                           roles=[allowed_role])
        user_allowed_by_permission = create_user(
            'user-allowed-by-permission',
            permissions=[
                permission_to_read_all_submitted_deposits
            ]
        )

        community = Community.get(test_communities['MyTestCommunity2'])
        com_member = create_user('com_member', roles=[community.member_role])
        com_admin = create_user('com_admin', roles=[community.admin_role])

        search_deposits_url = url_for(
            'b2share_records_rest.b2rec_list', drafts=1, size=100)
        headers = [('Content-Type', 'application/json'),
                ('Accept', 'application/json')]

        def test_search(status, expected_deposits, user=None):
            with app.test_client() as client:
                if user is not None:
                    login_user(user, client)
                deposit_search_res = client.get(
                    search_deposits_url,
                    headers=headers)
                assert deposit_search_res.status_code == status
                # test the response data only when the user is allowed to
                # search for deposits
                if status != 200:
                    return
                deposit_search_data = json.loads(
                    deposit_search_res.get_data(as_text=True))

                assert deposit_search_data['hits']['total'] == \
                    len(expected_deposits)

                deposit_pids = [hit['id'] for hit
                            in deposit_search_data['hits']['hits']]
                expected_deposit_pids = [dep.deposit_id.hex for dep
                                         in expected_deposits]
                deposit_pids.sort()
                expected_deposit_pids.sort()
                assert deposit_pids == expected_deposit_pids
        test_search(200, draft_deposits + submitted_deposits, creator)
        test_search(200, draft_deposits + submitted_deposits, admin)
        test_search(401, [], None)
        test_search(200, [], non_creator)


        # search for submitted records
        community2_deposits = [dep for dep in submitted_deposits
                                if dep.data['community'] ==
                                str(test_communities['MyTestCommunity2'])]
        test_search(200, community2_deposits, user_allowed_by_role)
        test_search(200,
                    community2_deposits,
                    user_allowed_by_permission)

        # community admin should have access to all submitted records
        # in their community
        test_search(200, [], com_member)
        test_search(200, community2_deposits, com_admin)
예제 #5
0
def create_roles_and_permissions(community, fix=False):
    """Create community admin and member roles and add their permissions.

    :param community: the community for which we add the roles and
        permissions.
    :param fix: Enable the fixing of the database. This function doesn't fail
        if some roles or permissions already exist. It will just add the
        missing ones.
    """
    from b2share.modules.deposit.permissions import (
        create_deposit_need_factory, read_deposit_need_factory,
        update_deposit_metadata_need_factory,
        update_deposit_publication_state_need_factory,
    )
    from b2share.modules.deposit.api import PublicationStates
    from b2share.modules.records.permissions import (
        update_record_metadata_need_factory,
    )
    from b2share.modules.users.permissions import (
        assign_role_need_factory, search_accounts_need,
    )
    admin_role = Role(
        name=_community_admin_role_name(community),
        description='Admin role of the community "{}"'.format(community.name)
    )
    member_role = Role(
        name=_community_member_role_name(community),
        description='Member role of the community "{}"'.format(community.name)
    )
    # use a nested session so that the ids are generated by the DB.
    with db.session.begin_nested():
        admin_role = add_to_db(admin_role, skip_if_exists=fix)
        member_role = add_to_db(member_role, skip_if_exists=fix)
    member_needs = [
        create_deposit_need_factory(str(community.id)),
    ]
    admin_needs = [
        read_deposit_need_factory(
            community=str(community.id),
            publication_state=PublicationStates.submitted.name
        ),
        read_deposit_need_factory(
            community=str(community.id),
            publication_state=PublicationStates.published.name
        ),
        update_deposit_metadata_need_factory(
            community=str(community.id),
            publication_state=PublicationStates.submitted.name
        ),
        # permission to publish a submission
        update_deposit_publication_state_need_factory(
            community=str(community.id),
            old_state=PublicationStates.submitted.name,
            new_state=PublicationStates.published.name
        ),
        # permission to ask the owners to fix a submission before resubmitting
        update_deposit_publication_state_need_factory(
            community=str(community.id),
            old_state=PublicationStates.submitted.name,
            new_state=PublicationStates.draft.name
        ),
        # permission to update the metadata of a published record
        update_record_metadata_need_factory(
            community=str(community.id),
        ),
        # allow to assign any role owned by this community
        assign_role_need_factory(community=community.id),
        # allow to list users' accounts
        search_accounts_need,
    ]
    for need in member_needs:
        add_to_db(ActionRoles.allow(need, role=member_role),
                  skip_if_exists=fix,
                  role_id=member_role.id)
    for need in chain (member_needs, admin_needs):
        add_to_db(ActionRoles.allow(need, role=admin_role),
                  skip_if_exists=fix,
                  role_id=admin_role.id)
예제 #6
0
def receive_before_insert(mapper, connection, target):
    """Create community admin and member roles and add their permissions."""
    from b2share.modules.deposit.permissions import (
        create_deposit_need_factory, read_deposit_need_factory,
        update_deposit_metadata_need_factory,
        update_deposit_publication_state_need_factory,
    )
    from b2share.modules.deposit.api import PublicationStates
    from b2share.modules.records.permissions import (
        update_record_metadata_need_factory,
    )
    from b2share.modules.users.permissions import (
        assign_role_need_factory, search_accounts_need,
    )
    admin_role = Role(
        name=_community_admin_role_name(target),
        description='Admin role of the community "{}"'.format(target.name)
    )
    member_role = Role(
        name=_community_member_role_name(target),
        description='Member role of the community "{}"'.format(target.name)
    )

    db.session.add(admin_role)
    db.session.add(member_role)
    member_needs = [
        create_deposit_need_factory(str(target.id)),
    ]
    admin_needs = [
        read_deposit_need_factory(
            community=str(target.id),
            publication_state=PublicationStates.submitted.name
        ),
        read_deposit_need_factory(
            community=str(target.id),
            publication_state=PublicationStates.published.name
        ),
        update_deposit_metadata_need_factory(
            community=str(target.id),
            publication_state=PublicationStates.submitted.name
        ),
        # permission to publish a submission
        update_deposit_publication_state_need_factory(
            community=str(target.id),
            old_state=PublicationStates.submitted.name,
            new_state=PublicationStates.published.name
        ),
        # permission to ask the owners to fix a submission before resubmitting
        update_deposit_publication_state_need_factory(
            community=str(target.id),
            old_state=PublicationStates.submitted.name,
            new_state=PublicationStates.draft.name
        ),
        # permission to update the metadata of a published record
        update_record_metadata_need_factory(
            community=str(target.id),
        ),
        # allow to assign any role owned by this community
        assign_role_need_factory(community=target.id),
        # allow to list users' accounts
        search_accounts_need,
    ]
    for need in member_needs:
        db.session.add(ActionRoles.allow(need, role=member_role))
    for need in chain (member_needs, admin_needs):
        db.session.add(ActionRoles.allow(need, role=admin_role))

    oaiset = OAISet(spec=str(target.id), name=target.name, description=target.description)
    db.session.add(oaiset)