def _add_experiment_permissions(cls, data, id_):
"""Add read permissions to everybody assigned to experiment."""
exp_need = exp_need_factory(data['_experiment'])
# give read access to members of collaboration
for au in ActionUsers.query_by_action(exp_need).all():
try:
ActionUsers.query_by_action(
RECORD_ACTION_NEEDS(id_)['record-read']).filter_by(
user=au.user).one()
except NoResultFound:
db.session.add(
ActionUsers.allow(RECORD_ACTION_NEEDS(id_)['record-read'],
user=au.user))
data['_access']['record-read']['users'].append(au.user.id)
for ar in ActionRoles.query_by_action(exp_need).all():
try:
ActionRoles.query_by_action(
RECORD_ACTION_NEEDS(id_)['record-read']).filter_by(
role=ar.role).one()
except NoResultFound:
db.session.add(
ActionRoles.allow(RECORD_ACTION_NEEDS(id_)['record-read'],
role=ar.role))
data['_access']['record-read']['roles'].append(ar.role.id)
def test_deposit_publish_gives_acceess_to_members_of_exp(
client, db, users, create_deposit):
owner = users['superuser']
role = _datastore.find_or_create_role('*****@*****.**')
db.session.add(ActionRoles.allow(exp_need_factory('CMS'), role=role))
deposit = create_deposit(owner, 'test', {}, experiment='CMS', publish=True)
_, record = deposit.fetch_published()
assert record['_access'] == {
'record-read': {
'users': [owner.id, users['cms_user'].id, users['cms_user2'].id],
'roles': [role.id]
},
'record-update': {
'users': [owner.id],
'roles': []
},
'record-admin': {
'users': [owner.id],
'roles': []
}
}
assert ActionUsers.query.filter_by(action='record-read',
argument=str(record.id),
user=users['cms_user']).one()
assert ActionUsers.query.filter_by(action='record-read',
argument=str(record.id),
user=users['cms_user2']).one()
assert ActionRoles.query.filter_by(action='record-read',
argument=str(record.id),
role=role).one()
def _add_experiment_permissions(cls, data, id_):
"""Add read permissions to everybody assigned to experiment."""
exp_need = exp_need_factory(data['_experiment'])
# give read access to members of collaboration
for au in ActionUsers.query_by_action(exp_need).all():
try:
ActionUsers.query_by_action(
RECORD_ACTION_NEEDS(id_)['record-read']
).filter_by(user=au.user).one()
except NoResultFound:
db.session.add(
ActionUsers.allow(
RECORD_ACTION_NEEDS(id_)['record-read'],
user=au.user
)
)
data['_access']['record-read']['users'].append(au.user.id)
for ar in ActionRoles.query_by_action(exp_need).all():
try:
ActionRoles.query_by_action(
RECORD_ACTION_NEEDS(id_)['record-read']
).filter_by(role=ar.role).one()
except NoResultFound:
db.session.add(
ActionRoles.allow(
RECORD_ACTION_NEEDS(id_)['record-read'],
role=ar.role
)
)
data['_access']['record-read']['roles'].append(ar.role.id)
def test_deposit_publish_gives_acceess_to_members_of_exp(app, db, users, create_deposit):
owner = users['superuser']
role = _datastore.find_or_create_role('*****@*****.**')
db.session.add(ActionRoles.allow(exp_need_factory('CMS'), role=role))
deposit = create_deposit(owner, 'test-v1.0.0', {}, 'CMS', publish=True)
_, record = deposit.fetch_published()
assert record['_access'] == {
'record-read': {
'users': [owner.id, users['cms_user'].id, users['cms_user2'].id],
'roles': [role.id]
},
'record-update': {
'users': [owner.id],
'roles': []
},
'record-admin': {
'users': [owner.id],
'roles': []
}
}
assert ActionUsers.query.filter_by(action='record-read',
argument=str(record.id),
user=users['cms_user']).one()
assert ActionUsers.query.filter_by(action='record-read',
argument=str(record.id),
user=users['cms_user2']).one()
assert ActionRoles.query.filter_by(action='record-read',
argument=str(record.id),
role=role).one()
def assign_egroup_to_experiment(egroup_name, exp):
role = _datastore.find_or_create_role(egroup_name)
exp_need = exp_need_factory(exp)
db_.session.add(ActionRoles.allow(exp_need, role=role))
db_.session.commit()
return role
def _add_experiment_permissions(self, experiment, permissions):
"""Add read permissions to everybody assigned to experiment."""
exp_need = exp_need_factory(experiment)
# give read access to members of collaboration
with db.session.begin_nested():
for au in ActionUsers.query_by_action(exp_need).all():
self._add_user_permissions(au.user, permissions, db.session)
for ar in ActionRoles.query_by_action(exp_need).all():
self._add_egroup_permissions(ar.role, permissions, db.session)
def _add_experiment_permissions(self, experiment, permissions):
"""Add read permissions to everybody assigned to experiment."""
exp_need = exp_need_factory(experiment)
# give read access to members of collaboration
with db.session.begin_nested():
for au in ActionUsers.query_by_action(exp_need).all():
self._add_user_permissions(au.user, permissions, db.session)
for ar in ActionRoles.query_by_action(exp_need).all():
self._add_egroup_permissions(ar.role, permissions, db.session)
def assign_egroup_to_experiment(egroup_name, exp):
role = _datastore.find_or_create_role(egroup_name)
exp_need = exp_need_factory(exp)
db_.session.add(ActionRoles.allow(
exp_need, role=role))
db_.session.commit()
return role
def __init__(self, record, action):
"""Constructor.
Args:
record: record to which access is requested.
"""
_needs = set()
_needs.add(self.access_needs['admin'](record))
exp = record.json.get('_experiment')
if exp:
_needs.add(exp_need_factory(exp))
for access, actions in self.access_actions.items():
if action in actions:
_needs.add(self.access_needs[access](record))
super(RecordFilesPermission, self).__init__(*_needs)
def __init__(self, schema):
"""Initialize state.
Read access for:
* all members of experiment assigned to schema
* all users/roles assigned to schema-object-read action
"""
_needs = set()
_needs.add(SchemaReadActionNeed(schema.id))
# experiments members can access schema
if schema.experiment:
_needs.add(exp_need_factory(schema.experiment))
super(ReadSchemaPermission, self).__init__(*_needs)