예제 #1
def test_cli_action_allow(app, script_info, community, authenticated_user, db):
    """Set up a user with a community role and check the pre-grant baseline.

    Only the setup and the negative pre-condition are visible in this
    listing; ``runner`` is created but not used in the lines shown.
    """
    runner = CliRunner()
    # Use the database URI from the environment, else in-memory SQLite.
    app.config['SQLALCHEMY_DATABASE_URI'] = os.getenv(
        'SQLALCHEMY_DATABASE_URI', 'sqlite://')
    # The role comes from the second entry of the community fixture, while the
    # permission checked below is scoped to the first entry.
    role = community[1].roles[0]
    current_datastore.add_role_to_user(authenticated_user, role)

    # Parameterized action need: each need instance is bound to one argument.
    read_need = action_factory(COMMUNITY_READ, parameter=True)
    login_user(authenticated_user)
    # Negative baseline: holding the role alone must not satisfy the
    # permission before any action has been allowed for it.
    assert not Permission(read_need(community[0])).allows(g.identity)
예제 #2
# -*- coding: utf-8 -*-
#
# Copyright (C) 2021 GEO Secretariat.
#
# geo-knowledge-hub-ext is free software; you can redistribute it and/or
# modify it under the terms of the MIT License; see LICENSE file for more
# details.
"""GEO Knowledge Hub Permission and Actions definitions"""

from invenio_access import Permission
from invenio_access import action_factory

#
# Geo Knowledge Community
#
# Action need named "geo-community-access" and the permission requiring it.
# NOTE(review): the three actions in this module are independent of each
# other; nothing here makes one tier imply another, so any hierarchy has to be
# expressed in the grants themselves.
community_action = action_factory("geo-community-access")
community_permission = Permission(community_action)

#
# Geo Knowledge Provider
#
# Action need named "geo-knowledge-provider-access" and its permission.
kprovider_action = action_factory("geo-knowledge-provider-access")
kprovider_permission = Permission(kprovider_action)

#
# Geo Secretariat
#
# Action need named "geo-secretariat-access" and its permission.
secretariat_action = action_factory("geo-secretariat-access")
secretariat_permission = Permission(secretariat_action)
예제 #3
# Copyright (C) 2019 CERN.
#
# invenio-app-ils is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.

"""CDS-ILS retrieve patron loans permissions."""

from invenio_access import action_factory
from invenio_access.permissions import Permission
from invenio_app_ils.permissions import backoffice_access_action, \
    backoffice_permission
from invenio_app_ils.permissions import \
    views_permissions_factory as ils_views_permissions_factory

# Action need named "retrieve-patron-loans-access"; it is one of the two needs
# accepted by retrieve_patron_loans_permission below.
retrieve_patron_loans_access_action = action_factory(
    "retrieve-patron-loans-access"
)

# Action need named "document-importer-access".
document_importer_access_action = action_factory(
    "document-importer-access"
)


def retrieve_patron_loans_permission(*args, **kwargs):
    """Build the permission guarding retrieval of patron loans.

    Positional and keyword arguments are accepted and ignored. The two needs
    are alternatives rather than a conjunction: a flask-principal style
    permission passes when the identity provides any one of its needs, so
    back-office access on its own is sufficient.
    """
    accepted_needs = (
        retrieve_patron_loans_access_action,
        backoffice_access_action,
    )
    return Permission(*accepted_needs)


def document_importer_permission(*args, **kwargs):
예제 #4
# -*- coding: utf-8 -*-
#
# This file is part of WEKO3.
# Copyright (C) 2017 National Institute of Informatics.
#
# WEKO3 is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# WEKO3 is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.

"""Permissions for schemas."""

from invenio_access import Permission, action_factory

# Action need named 'schema-access'; the module-level permission below
# requires it and is shared by every caller that imports it.
action_schema_access = action_factory('schema-access')
schema_permission = Permission(action_schema_access)
예제 #5
"""Ils permissions."""

from __future__ import absolute_import, print_function

from functools import wraps

from flask import abort, current_app
from flask_login import current_user
from flask_principal import UserNeed
from invenio_access import action_factory
from invenio_access.permissions import Permission, authenticated_user
from invenio_records_rest.utils import allow_all, deny_all

from invenio_app_ils.proxies import current_app_ils

# Action need named "ils-backoffice-access".
backoffice_access_action = action_factory("ils-backoffice-access")


def need_permissions(action):
    """View decorator to check permissions for the given action or abort.

    :param action: The action needed.
    """
    def decorator_builder(f):
        @wraps(f)
        def decorate(*args, **kwargs):
            check_permission(
                current_app.config["ILS_VIEWS_PERMISSIONS_FACTORY"](action)
            )
            return f(*args, **kwargs)
예제 #6
from invenio_access import Permission, action_factory, authenticated_user
from flask_principal import UserNeed


# Action need named "create-records"; it is defined here but not used by the
# two factories below.
create_records = action_factory("create-records")


def owner_permission_factory(record=None):
    """Build a permission requiring the user need of the record's owner.

    ``record`` must be a mapping with an ``owner`` key. The ``None`` default
    is not usable: subscripting it raises ``TypeError`` before any permission
    is built, so a call without a record fails instead of granting access.

    NOTE(review): presumably ``record["owner"]`` holds the owner's user id,
    which is what ``UserNeed`` is compared against — verify against the
    record schema.
    """
    owner_id = record["owner"]
    owner_need = UserNeed(owner_id)
    return Permission(owner_need)


def authenticated_user_permission(record=None):
    """Build a permission requiring the ``authenticated_user`` need.

    ``record`` is accepted but never consulted, so the check is the same for
    every record: being logged in is the only requirement.
    """
    logged_in_only = Permission(authenticated_user)
    return logged_in_only
예제 #7
#
# WEKO3 is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# WEKO3 is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.
"""Permissions for items."""

from invenio_access import Permission, action_factory
from weko_records_ui.permissions import page_permission_factory

# Action need named 'item-access' and the module-level permission requiring it.
action_item_access = action_factory('item-access')
item_permission = Permission(action_item_access)


def edit_permission_factory(record, **kwargs):
    """Return a checker object whose ``can()`` decides edit access to *record*.

    The decision is delegated to ``page_permission_factory(record,
    flg='Edit')`` and is evaluated lazily, each time ``can()`` is called.
    Extra keyword arguments are accepted and ignored.
    """
    def can(self):
        # Built on every call so the result reflects the current request.
        page_checker = page_permission_factory(record, flg='Edit')
        return page_checker.can()

    checker_cls = type('EditPermissionChecker', (), {'can': can})
    return checker_cls()
예제 #8
# Copyright (C) 2019 CERN.
#
# invenio-app-ils is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.

"""CDS Books retrieve patron loans permissions."""

from __future__ import absolute_import, print_function

from invenio_access import action_factory
from invenio_access.permissions import Permission
from invenio_app_ils.permissions import backoffice_access_action
from invenio_app_ils.permissions import \
    views_permissions_factory as ils_views_permissions_factory

# Action need named "retrieve-patron-loans-access"; it is one of the two needs
# accepted by retrieve_patron_loans_permission below.
retrieve_patron_loans_access_action = action_factory(
    "retrieve-patron-loans-access")


def retrieve_patron_loans_permission(*args, **kwargs):
    """Build the permission guarding retrieval of patron loans.

    Arguments are accepted and ignored. The two needs are alternatives: a
    flask-principal style permission passes when the identity provides any
    one of them, so back-office access alone is enough to retrieve loans.
    """
    accepted_needs = (
        retrieve_patron_loans_access_action,
        backoffice_access_action,
    )
    return Permission(*accepted_needs)


def views_permissions_factory(action):
    """Resolve the permission for a view action, overriding the ILS factory.

    Only the exact string ``"retrieve-patron-loans"`` is handled here; every
    other action, including unknown ones, is passed to the ILS factory, whose
    result decides the outcome.
    """
    if action != "retrieve-patron-loans":
        return ils_views_permissions_factory(action)
    return retrieve_patron_loans_permission()
예제 #9
#  Copyright (c) 2021. Universidad de Pinar del Rio
#  This file is part of SCEIBA (sceiba.cu).
#  SCEIBA is free software; you can redistribute it and/or modify it
#  under the terms of the MIT License; see LICENSE file for more details.
#

from invenio_access import Permission, action_factory

# creating the actions
create_source_curator = action_factory('curator-source-add')
create_vocabulary_curator = action_factory('curator-vocabulary-add')

# creating the permissions; a permission can require several actions, for now
# only the one above
source_create_permission = Permission(create_source_curator)
vocabulary_create_permission = Permission(create_vocabulary_curator)

# granting access to a user (it can also be done per role)
# 1- for a user, fetch the user first; for a role, likewise
# eduardo = db.session.query(User).filter_by(email="*****@*****.**").first()
# 2- add the grant to the access database
# NOTE(review): the commented call passes the Permission object to
# ActionUsers.allow; it presumably expects the action need
# (create_vocabulary_curator) — confirm before uncommenting.
# db.session.add(ActionUsers.allow(vocabulary_create_permission, user=eduardo))
# db.session.commit()

# # to check it by hand, when Flask-Security does not verify it on its own, it would be:
# eduardo_identity = get_identity(eduardo)
# permission.allows(eduardo_identity) # can also be eduardo_identity.can(permission)
예제 #10
#   a source administrator (manager) user can change the source_status field

# 2- source_editor_actions: assigned to a user for a SourceRecord.id:
#   means the user can create versions of that SourceRecord

# 3- source_term_manager_actions: assigned to a user for a Term.id:
#   means that every SourceRecord whose classifications.id field holds that Term.id
#   is managed by the user.

# 4- source_organization_manager_actions: assigned to a user for an Organization.id:
#   means that every SourceRecord whose organizations.id field holds that
#   Organization.id
#   is managed by the user.

# creating the actions
# Unparameterized action: it is not scoped to any object id.
source_full_manager_actions = action_factory('source_full_manager_actions')

# Each Object* factory below builds a need bound to one argument (an object
# id). The lower-case names are the same need built with argument None.
# NOTE(review): in invenio-access a grant stored without an argument appears
# to match every argument, so granting a *(None) need is effectively a
# wildcard — confirm against the installed version before assigning it.
ObjectSourceEditor = action_factory('source_editor_actions', parameter=True)
source_editor_actions = ObjectSourceEditor(None)

ObjectSourceManager = action_factory('source_manager_actions', parameter=True)
source_manager_actions = ObjectSourceManager(None)
# TODO: Remove this permission, it makes no sense

ObjectSourceTermManager = action_factory('source_term_manager_actions',
                                         parameter=True)
source_term_manager_actions = ObjectSourceTermManager(None)

ObjectSourceOrganizationManager = action_factory(
    'source_organization_manager_actions', parameter=True)
source_organization_manager_actions = ObjectSourceOrganizationManager(None)
예제 #11
# -*- coding: utf-8 -*-
#
# This file is part of WEKO3.
# Copyright (C) 2017 National Institute of Informatics.
#
# WEKO3 is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# WEKO3 is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.

"""Permissions for index tree."""

from invenio_access import Permission, action_factory

# Action need named 'index-tree-access' and the module-level permission
# requiring it.
action_index_tree_access = action_factory('index-tree-access')
index_tree_permission = Permission(action_index_tree_access)
예제 #12
#
# invenio-circulation is free software; you can redistribute it and/or modify
# it under the terms of the MIT License; see LICENSE file for more details.
"""Circulation permissions."""

from __future__ import absolute_import, print_function

from functools import wraps

from flask import abort, current_app
from flask_login import current_user
from invenio_access import action_factory
from invenio_access.permissions import Permission
from invenio_records_rest.utils import allow_all

# Action need named 'loan-read-access'.
loan_access = action_factory('loan-read-access')


def check_permission(permission):
    """Abort the request unless the given permission allows it.

    Anonymous users are answered with 401 and authenticated users with 403.
    A ``None`` permission means "no check": the function returns without
    aborting, so a permission factory that returns ``None`` leaves the view
    unprotected.

    :param permission: The permission to check, or ``None``.
    """
    # NOTE: compare against None explicitly; flask-principal overrides
    # __bool__ on permissions, so plain truthiness would evaluate the
    # permission itself.
    if permission is None:
        return
    if permission.can():
        return
    status = 403 if current_user.is_authenticated else 401
    abort(status)

예제 #13
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.
"""Permissions for Detail Page."""

from datetime import datetime as dt

from flask import abort, current_app
from flask_security import current_user
from invenio_access import Permission, action_factory
from weko_groups.api import Group, Membership, MembershipState
from weko_records.api import ItemTypes

from .ipaddr import check_site_license_permission

# Action need named 'detail-page-access'; detail_page_permission is the role
# check evaluated inside page_permission_factory below.
action_detail_page_access = action_factory('detail-page-access')
detail_page_permission = Permission(action_detail_page_access)


def page_permission_factory(record, *args, **kwargs):
    def can(self):
        is_ok = True
        # item publish status check
        is_pub = check_publish_status(record)
        # role permission
        is_can = detail_page_permission.can()
        # person himself check
        is_himself = check_created_id(record)
        if not is_pub:
            if not is_can or (is_can and not is_himself):
                is_ok = False
예제 #14
# -*- coding: utf-8 -*-
#
# Copyright (C) 2018 CERN.
#
# invenio-app-ils is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.
"""Ils permissions."""

from __future__ import absolute_import, print_function

from invenio_access import action_factory
from invenio_access.permissions import DynamicPermission

# Action need named 'ils-librarian-access'.
action_librarian_access = action_factory('ils-librarian-access')


def librarian_permission_factory():
    """Build the permission requiring the ``ils-librarian-access`` action.

    NOTE(review): ``DynamicPermission`` is the legacy invenio-access class
    that, as far as its documentation goes, allows an action nobody has been
    granted or denied. Confirm that allow-by-default is intended here;
    otherwise plain ``Permission`` (deny unless granted) is the safer choice.
    """
    librarian_only = DynamicPermission(action_librarian_access)
    return librarian_only


def has_librarian_permission(loan):
    """Return the librarian permission to be evaluated for a loan.

    ``loan`` is not inspected, so the result is the same for every loan.
    Despite the ``has_`` prefix the return value is a permission object,
    not a boolean; callers still have to evaluate it.
    """
    permission = librarian_permission_factory()
    return permission
예제 #15
# -*- coding: utf-8 -*-
#
# This file is part of WEKO3.
# Copyright (C) 2017 National Institute of Informatics.
#
# WEKO3 is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# WEKO3 is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.
"""Permissions for item types."""

from invenio_access import Permission, action_factory

# Action need named 'item-type-access' and the module-level permission
# requiring it.
action_item_type_access = action_factory('item-type-access')
item_type_permission = Permission(action_item_type_access)
예제 #16
#
# Invenio is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.
"""Permissions for files using Invenio-Access."""
import os
from functools import partial

from invenio_access import Permission, action_factory

from .models import Bucket, MultipartObject, ObjectVersion

#
# Action needs
#

# Every action below is created with parameter=True, so each need instance is
# bound to an argument and a grant can be scoped to one object rather than
# applying to all of them.
LocationUpdate = action_factory('files-rest-location-update', parameter=True)
"""Action needed: location update."""

BucketRead = action_factory('files-rest-bucket-read', parameter=True)
"""Action needed: list objects in bucket."""

# Listing versions is a separate action from listing current objects.
BucketReadVersions = action_factory('files-rest-bucket-read-versions',
                                    parameter=True)
"""Action needed: list object versions in bucket."""

BucketUpdate = action_factory('files-rest-bucket-update', parameter=True)
"""Action needed: create objects and multipart uploads in bucket."""

BucketListMultiparts = action_factory('files-rest-bucket-listmultiparts',
                                      parameter=True)
"""Action needed: list multipart uploads in bucket."""
예제 #17
# -*- coding: utf-8 -*-
#
# This file is part of WEKO3.
# Copyright (C) 2017 National Institute of Informatics.
#
# WEKO3 is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# WEKO3 is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.
"""Permissions for items autofill."""

from invenio_access import Permission, action_factory

# Action need named 'items-autofill' and the module-level permission
# requiring it.
action_auto_fill = action_factory('items-autofill')
auto_fill_permission = Permission(action_auto_fill)
예제 #18
# -*- coding: utf-8 -*-
#
# This file is part of WEKO3.
# Copyright (C) 2017 National Institute of Informatics.
#
# WEKO3 is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# WEKO3 is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.
"""Permissions for index tree."""

from invenio_access import Permission, action_factory

# Action need named 'indextree-journal-access' and the module-level
# permission requiring it.
action_indextree_journal_access = action_factory('indextree-journal-access')
indextree_journal_permission = Permission(action_indextree_journal_access)
예제 #19
# -*- coding: utf-8 -*-
#
# This file is part of WEKO3.
# Copyright (C) 2017 National Institute of Informatics.
#
# WEKO3 is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# WEKO3 is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.
"""Permissions for invenio-stats."""

from invenio_access import Permission, action_factory

# Action need named 'stats-api-access' and the module-level permission
# requiring it.
stats_api_access = action_factory('stats-api-access')
stats_api_permission = Permission(stats_api_access)
예제 #20
파일: permissions.py 프로젝트: mhaya/weko
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.
"""Permissions for Detail Page."""

from datetime import datetime as dt

from flask import abort, current_app
from flask_security import current_user
from invenio_access import Permission, action_factory
from weko_groups.api import Group, Membership, MembershipState
from weko_records.api import ItemTypes

from .ipaddr import check_site_license_permission

# Action need named 'detail-page-access' and the permission requiring it.
action_detail_page_access = action_factory('detail-page-access')
detail_page_permission = Permission(action_detail_page_access)

# Separate action need named 'download-original-pdf-access'; it is defined
# independently of detail-page access, so holding one does not imply the
# other.
action_download_original_pdf_access = action_factory(
    'download-original-pdf-access')
download_original_pdf_permission = Permission(
    action_download_original_pdf_access)


def page_permission_factory(record, *args, **kwargs):
    """Page permission factory."""
    def can(self):
        is_ok = True
        # item publish status check
        is_pub = check_publish_status(record)
        # role permission
예제 #21
# -*- coding: utf-8 -*-
#
# Copyright (C) 2019 CESNET.
#
# Invenio Records Presentation is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.
""" Permissions for Invenio Records Presentation."""
from functools import wraps

from flask_login import current_user
from invenio_access import Permission, action_factory
from invenio_workflows import WorkflowEngine

from invenio_records_presentation.errors import WorkflowsPermissionError, WorkflowsNotAuthenticated

# Parameterized action: each need instance is bound to one argument.
PresentationWorkflowStart = action_factory('presentation-workflow-start',
                                           parameter=True)
"""Action: Presentation Workflow start."""

# The same need built with argument None.
# NOTE(review): the "_all" name suggests this is the wildcard form that
# covers every argument — confirm, and grant it sparingly.
presentation_workflow_start_all = PresentationWorkflowStart(None)


def needs_permission():
    """ Get permission for Workflow execution or abort. """
    def decorator_builder(f):
        @wraps(f)
        def decorate(*args, **kwargs):
            permissions = kwargs.get('permissions', [])
            if permissions:
                check_permission(Permission(*permissions))
            return f(*args, **kwargs)
예제 #22
# -*- coding: utf-8 -*-
"""Taxonomy permissions."""
#
# Action needs
#
from invenio_access import Permission, action_factory

from flask_taxonomies.models import Taxonomy, TaxonomyTerm

# The second positional argument of action_factory is `parameter`; True makes
# each of these a parameterized action whose needs are bound to an argument.
# Create, update, read and delete are separate actions for taxonomies and for
# taxonomy terms, so each can be granted on its own.
TaxonomyCreate = action_factory('taxonomy-create', True)
"""Action needed: Taxonomy create."""

TaxonomyUpdate = action_factory('taxonomy-update', True)
"""Action needed: Taxonomy update."""

TaxonomyRead = action_factory('taxonomy-read', True)
"""Action needed: Taxonomy Read."""

TaxonomyDelete = action_factory('taxonomy-delete', True)
"""Action needed: Taxonomy delete."""

TaxonomyTermCreate = action_factory('taxonomy-term-create', True)
"""Action needed: Taxonomy Term Create."""

TaxonomyTermUpdate = action_factory('taxonomy-term-update', True)
"""Action needed: Taxonomy Term update."""

TaxonomyTermRead = action_factory('taxonomy-term-read', True)
"""Action needed: Taxonomy Term Read."""

TaxonomyTermDelete = action_factory('taxonomy-term-delete', True)
from flask_principal import ActionNeed
from invenio_access.permissions import Permission
from invenio_access import action_factory


def exp_permission_factory(experiment):
    """Build the permission requiring an experiment's access action.

    The action name is the lower-cased experiment name followed by
    ``-access`` (``'CMS'`` gives ``'cms-access'``), which is the same name
    ``exp_need_factory`` produces. ``experiment`` must provide ``lower()``.
    """
    action_name = '{}-access'.format(experiment.lower())
    experiment_need = ActionNeed(action_name)
    return Permission(experiment_need)


def exp_need_factory(experiment):
    """Build the ``ActionNeed`` for an experiment's access action.

    The action name is the lower-cased experiment name followed by
    ``-access``, so lookups are case-insensitive with respect to the
    experiment name. ``experiment`` must provide ``lower()``.
    """
    action_name = '{}-access'.format(experiment.lower())
    return ActionNeed(action_name)


# One access need per experiment; the names resolve to 'cms-access',
# 'lhcb-access', 'alice-access' and 'atlas-access'.
cms_access_action = exp_need_factory('CMS')
lhcb_access_action = exp_need_factory('LHCb')
alice_access_action = exp_need_factory('ALICE')
atlas_access_action = exp_need_factory('ATLAS')

# Parameterized action for CMS PAG conveners; the "_all" name is the same need
# built with argument None.
# NOTE(review): presumably the None form is the wildcard covering every
# argument — confirm before granting it.
cms_pag_convener_action = action_factory('cap-cms-pag-conveners',
                                         parameter=True)
cms_pag_convener_action_all = cms_pag_convener_action(None)

# Module-level permissions, each requiring the matching experiment need above.
cms_permission = exp_permission_factory('CMS')
lhcb_permission = exp_permission_factory('LHCb')
alice_permission = exp_permission_factory('ALICE')
atlas_permission = exp_permission_factory('ATLAS')
예제 #24
# -*- coding: utf-8 -*-
#
# This file is part of WEKO3.
# Copyright (C) 2017 National Institute of Informatics.
#
# WEKO3 is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# WEKO3 is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.
"""Permissions for Search."""

from invenio_access import Permission, action_factory

# Action need named 'search-access' and the module-level permission
# requiring it.
action_search_access = action_factory('search-access')
search_permission = Permission(action_search_access)
예제 #25
#  Copyright (c) 2021. Universidad de Pinar del Rio
#  This file is part of SCEIBA (sceiba.cu).
#  SCEIBA is free software; you can redistribute it and/or modify it
#  under the terms of the MIT License; see LICENSE file for more details.
#

from flask_login import current_user
from invenio_access import Permission, action_factory
from invenio_access.utils import get_identity

# creating the actions
# Unparameterized admin action: it is not scoped to a notification id.
notification_admin_actions = action_factory('notification_admin_actions')

# Parameterized action: each need instance is bound to one argument; the
# lower-case name is the same need built with argument None.
ObjectNotificationViewed = action_factory('notification_viewed_actions',
                                          parameter=True)
notification_viewed_actions = ObjectNotificationViewed(None)


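def notification_viewed_permission_factory(obj):
    """Choose the permission that guards a notification object.

    If the current user's identity already satisfies the
    ``notification_admin_actions`` permission, that permission is returned.
    In every other case, including when the admin check raises, the result
    is the per-object ``notification_viewed_actions`` permission bound to
    ``obj['id']``, so a failed admin check never widens access.

    :param obj: mapping with an ``id`` key identifying the notification.
    :returns: a ``Permission`` for the caller to evaluate.
    :raises KeyError: if ``obj`` has no ``id`` key.
    """
    import logging  # function-scope import; the module import block is untouched

    try:
        admin_permission = Permission(notification_admin_actions)
        identity = get_identity(current_user)
        if admin_permission.allows(identity):
            return admin_permission
    except Exception:
        # Still best-effort: fall through to the per-object permission, but
        # record the failure so a broken identity or permission lookup shows
        # up in the logs instead of disappearing silently.
        logging.getLogger(__name__).warning(
            'admin permission check failed; using per-object permission',
            exc_info=True)

    return Permission(ObjectNotificationViewed(obj['id']))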
예제 #26
#  Copyright (c) 2021. Universidad de Pinar del Rio
#  This file is part of SCEIBA (sceiba.cu).
#  SCEIBA is free software; you can redistribute it and/or modify it
#  under the terms of the MIT License; see LICENSE file for more details.
#

from flask_login import current_user
from invenio_access import Permission, action_factory
from invenio_access.models import ActionUsers
from invenio_access.utils import get_identity

# creating the actions
# Unparameterized "full editor" action: it is not scoped to a vocabulary.
vocabularies_full_editor_actions = action_factory(
    'vocabularies_full_editor_actions')
# Parameterized action: each need instance is bound to one argument; the
# lower-case name is the same need built with argument None.
ObjectVocabularyEditor = action_factory('vocabulary_editor_actions',
                                        parameter=True)
vocabulary_editor_actions = ObjectVocabularyEditor(None)


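def vocabulary_editor_permission_factory(obj):
    """Choose the permission that guards editing of a vocabulary.

    If the current user's identity already satisfies the
    ``vocabularies_full_editor_actions`` permission, that permission is
    returned. In every other case, including when the full-editor check
    raises, the result is the per-object ``vocabulary_editor_actions``
    permission bound to ``obj['name']``, so a failed check never widens
    access.

    :param obj: mapping with a ``name`` key identifying the vocabulary.
    :returns: a ``Permission`` for the caller to evaluate.
    :raises KeyError: if ``obj`` has no ``name`` key.
    """
    import logging  # function-scope import; the module import block is untouched

    try:
        full_editor_permission = Permission(vocabularies_full_editor_actions)
        identity = get_identity(current_user)
        if full_editor_permission.allows(identity):
            return full_editor_permission
    except Exception:
        # The original stored str(e) in an unused local; log it instead so a
        # broken identity or permission lookup is visible, and keep falling
        # through to the per-object permission.
        logging.getLogger(__name__).warning(
            'full-editor permission check failed; using per-object permission',
            exc_info=True)
    return Permission(ObjectVocabularyEditor(obj['name']))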


# Reuses the vocabularies full-editor action, so anyone granted that action
# also satisfies this taxonomy permission.
taxonomy_full_editor_permission = Permission(vocabularies_full_editor_actions)