def test_require_all(record: ExampleRecord):
    """require_all grants only when every wrapped requirement grants.

    The fixture record is expected to be in a state that satisfies
    ``state_required('closed')`` but not ``state_required('editing')``.
    """
    # Two requirements the record cannot satisfy at once -> denied.
    conflicting = require_all(
        state_required('closed'),
        state_required('editing'),
    )(record)
    assert not conflicting.can()

    # Both requirements admit the record's state -> granted.
    compatible = require_all(
        state_required('closed'),
        state_required('editing', 'closed'),
    )(record)
    assert compatible.can()

    # An empty conjunction denies instead of granting vacuously.
    empty = require_all()(record)
    assert not empty.can()
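def read_permission_factory(record, *args, **kwargs):
    """Read permission factory that takes secondary communities into account.

    Allows access to the record in one of the following cases:
        * Record is PUBLISHED
        * Current user is the OWNER of the record
        * User's role has allowed READ action in one of record's communities AND:
            1) User is in one of the roles of the community from the request path AND record is at least APPROVED. OR
            2) User is CURATOR in the community from the request path

    :param record: An instance of :class:`oarepo_communities.record.CommunityRecordMixin`.
        ``None`` (a global action) is currently rejected like any other non-record.
    :param args: Forwarded to the combined permission.
    :param kwargs: Forwarded to the combined permission.
    :raises RuntimeError: If ``record`` is not a ``Record`` (including ``None``).
    :returns: A :class:`invenio_access.permissions.Permission` instance.
    """
    # Plain docstring above (not an f-string): an ``f"""..."""`` is an ordinary
    # expression statement, so ``__doc__`` would stay ``None``.
    if not isinstance(record, Record):
        raise RuntimeError('Unknown or missing object')

    # Primary community first, then every secondary one.
    communities = [record.primary_community, *record.secondary_communities]
    # One READ need per community the record belongs to.
    read_in_any_community = Permission(
        *[ParameterizedActionNeed(COMMUNITY_READ, x) for x in communities])

    return require_any(
        #: Anyone can read published records
        state_required(STATE_PUBLISHED),
        require_all(
            require_action_allowed(COMMUNITY_READ),
            require_any(
                #: Record AUTHOR can READ his own records
                owner_permission_impl,
                require_all(
                    #: User's role has granted READ permissions in record's communities
                    read_in_any_community,
                    require_any(
                        #: Community MEMBERS can READ APPROVED community records
                        require_all(
                            state_required(STATE_APPROVED),
                            require_any(
                                community_member_permission_impl,
                                community_publisher_permission_impl
                            )
                        ),
                        #: Community CURATORS can READ ALL community records
                        community_curator_permission_impl
                    )
                )
            )
        )
    )(record, *args, **kwargs)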
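def update_permission_factory(record, *args, **kwargs):
    """Records REST update permission factory.

    Permission is granted if:
    * Record is a DRAFT AND
      * Current user is the OWNER of the record and record is not submitted for APPROVAL yet. OR
      * Current user is in role that has UPDATE action allowed in record's PRIMARY community.

    :param record: The record the permission is evaluated for; passed through to
        the inner permissions.
    :param args: Forwarded to the inner permissions.
    :param kwargs: Forwarded to the inner permissions.
    :returns: The combined permission bound to ``record`` (exposes ``.can()``).
    """
    # Plain docstring above (not an f-string) so ``__doc__`` is actually set.

    # Draft states. ``None`` is accepted too (presumably a record with no state
    # set yet — confirm against ``state_required``).
    is_draft = state_required(None, STATE_EDITING, STATE_PENDING_APPROVAL)
    # Owners may edit only while the draft has not been submitted for approval.
    owner_before_submission = require_all(
        state_required(None, STATE_EDITING),
        owner_permission_impl
    )
    # Role-based UPDATE is resolved eagerly for this record.
    role_can_update = action_permission_factory(COMMUNITY_UPDATE)(record, *args, **kwargs)

    return require_all(
        is_draft,
        require_any(owner_before_submission, role_can_update)
    )(record, *args, **kwargs)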
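def unpublish_permission_factory(record, *args, **kwargs):
    """Unpublish action permissions factory.

    Permission is granted if:
    * Record is PUBLISHED. AND
    * Current user is in role that has UNPUBLISH action allowed in record's PRIMARY community.

    :param record: The record the permission is evaluated for; passed through to
        the inner permissions.
    :param args: Forwarded to the inner permissions.
    :param kwargs: Forwarded to the inner permissions.
    :returns: The combined permission bound to ``record`` (exposes ``.can()``).
    """
    # Plain docstring above (not an f-string) so ``__doc__`` is actually set.
    is_published = state_required(STATE_PUBLISHED)
    # Role-based UNPUBLISH is resolved eagerly for this record.
    role_can_unpublish = action_permission_factory(COMMUNITY_UNPUBLISH)(record, *args, **kwargs)
    return require_all(is_published, role_can_unpublish)(record, *args, **kwargs)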
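def revert_approval_permission_factory(record, *args, **kwargs):
    """Revert approval action permissions factory.

    Permission is granted if:
    * Record is APPROVED. AND
    * Current user is in role that has REVERT APPROVE action allowed in record's PRIMARY community.

    :param record: The record the permission is evaluated for; passed through to
        the inner permissions.
    :param args: Forwarded to the inner permissions.
    :param kwargs: Forwarded to the inner permissions.
    :returns: The combined permission bound to ``record`` (exposes ``.can()``).
    """
    # Plain docstring above (not an f-string) so ``__doc__`` is actually set.
    is_approved = state_required(STATE_APPROVED)
    # Role-based REVERT APPROVE is resolved eagerly for this record.
    role_can_revert = action_permission_factory(COMMUNITY_REVERT_APPROVE)(record, *args, **kwargs)
    return require_all(is_approved, role_can_revert)(record, *args, **kwargs)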
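def approve_permission_factory(record, *args, **kwargs):
    """Approve action permissions factory.

    Permission is granted if:
    * Record is submitted for approval. AND
    * Current user is in role that has APPROVE action allowed in record's PRIMARY community.

    :param record: The record the permission is evaluated for; passed through to
        the inner permissions.
    :param args: Forwarded to the inner permissions.
    :param kwargs: Forwarded to the inner permissions.
    :returns: The combined permission bound to ``record`` (exposes ``.can()``).
    """
    # Plain docstring above (not an f-string) so ``__doc__`` is actually set.
    is_pending = state_required(STATE_PENDING_APPROVAL)
    # Role-based APPROVE is resolved eagerly for this record.
    role_can_approve = action_permission_factory(COMMUNITY_APPROVE)(record, *args, **kwargs)
    return require_all(is_pending, role_can_approve)(record, *args, **kwargs)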
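def request_changes_permission_factory(record, *args, **kwargs):
    """Request changes action permissions factory.

    Permission is granted if:
    * Record is submitted for approval. AND
    * Current user is in role that has REQUEST CHANGES action allowed in record's PRIMARY community.

    :param record: The record the permission is evaluated for; passed through to
        the inner permissions.
    :param args: Forwarded to the inner permissions.
    :param kwargs: Forwarded to the inner permissions.
    :returns: The combined permission bound to ``record`` (exposes ``.can()``).
    """
    # Plain docstring above (not an f-string) so ``__doc__`` is actually set.
    is_pending = state_required(STATE_PENDING_APPROVAL)
    # Role-based REQUEST CHANGES is resolved eagerly for this record.
    role_can_request = action_permission_factory(COMMUNITY_REQUEST_CHANGES)(record, *args, **kwargs)
    return require_all(is_pending, role_can_request)(record, *args, **kwargs)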
def delete_permission_factory(record, *args, **kwargs):
    """Records REST delete permission factory.

    Permission is granted if:
    * Record is a DRAFT record AND
      * Current user is the owner of the record. OR
      * Current user is in role that has DELETE action allowed in record's PRIMARY community.

    :param record: The record the permission is evaluated for; passed through to
        the inner permissions.
    :param args: Forwarded to the inner permissions.
    :param kwargs: Forwarded to the inner permissions.
    :returns: The combined permission bound to ``record`` (exposes ``.can()``).
    """
    # Draft states; ``None`` is accepted as well.
    is_draft = state_required(None, STATE_EDITING)
    # Owner or a role holding DELETE in the primary community.
    owner_or_deleter = owner_or_role_action_permission_factory(
        COMMUNITY_DELETE, record, *args, **kwargs)
    return require_all(is_draft, owner_or_deleter)(record, *args, **kwargs)
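def request_approval_permission_factory(record, *args, **kwargs):
    """Request approval action permissions factory.

    Permission is granted if:
    * Record is an EDITED DRAFT record. AND
      * Current user is the owner of the record. OR
      * Current user is in role that has REQUEST APPROVAL action allowed
        in record's PRIMARY community.

    :param record: The record the permission is evaluated for; passed through to
        the inner permissions.
    :param args: Forwarded to the outer ``require_all`` permission.
    :param kwargs: Forwarded to the outer ``require_all`` permission.
    :returns: The combined permission bound to ``record`` (exposes ``.can()``).
    """
    # Plain docstring above (not an f-string) so ``__doc__`` is actually set.

    # Draft states; ``None`` is accepted as well.
    is_draft = state_required(None, STATE_EDITING)
    # NOTE(review): unlike delete_permission_factory, ``*args``/``**kwargs`` are
    # not forwarded to owner_or_role_action_permission_factory here — confirm
    # whether that is intentional.
    owner_or_requester = owner_or_role_action_permission_factory(
        COMMUNITY_REQUEST_APPROVAL, record)
    return require_all(is_draft, owner_or_requester)(record, *args, **kwargs)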
    def inner(record, *args, **kwargs):
        """Build the permission for ``action`` scoped to ``record``'s primary community.

        ``record`` may be a :class:`Record` or a plain ``dict``; ``None`` or any
        other type raises ``RuntimeError``. ``*args``/``**kwargs`` are accepted
        for signature compatibility and are not used in this body.
        """
        if record is None:
            raise RuntimeError('Record is missing.')

        if isinstance(record, Record):
            community = record.primary_community
        elif isinstance(record, dict):
            # NOTE(review): for a plain dict (e.g. a not-yet-persisted payload) the
            # community the action is checked against is taken from the dict
            # itself — confirm callers only pass validated data here.
            community = current_oarepo_communities.get_primary_community_field(record)
        else:
            raise RuntimeError('Unknown or missing object')

        action_allowed = require_action_allowed(action)
        scoped_need = ParameterizedActionNeed(action, community)
        return require_all(action_allowed, Permission(scoped_need))
def test_owner_permissions(app, db, community, authenticated_user):
    """Test owner system role permissions."""
    login_user(authenticated_user)
    assert len(g.identity.provides) == 4
    assert community_record_owner in g.identity.provides

    community_id = community[0]
    owner_action = f'owner-{COMMUNITY_REQUEST_APPROVAL}'

    # Either the user's role grants the action directly ...
    by_role = Permission(ParameterizedActionNeed(COMMUNITY_REQUEST_APPROVAL, community_id))
    # ... or the user id matches AND record owners have been granted the action.
    by_ownership = require_all(
        Permission(UserNeed(authenticated_user.id)),
        Permission(ParameterizedActionNeed(owner_action, community_id))
    )
    permissions = require_any(by_role, by_ownership)

    # Nothing has been granted yet.
    assert not permissions().can()

    # Grant the owner system role the action for this community ...
    db.session.add(ActionSystemRoles(
        action=owner_action,
        role_name=community_record_owner.value,
        argument=community_id,
    ))

    # ... and the same permission object now passes.
    assert permissions().can()
from oarepo_tokens.permissions import put_file_token_permission_factory

from publications.permissions import ADMIN_ROLE_PERMISSIONS, INGESTER_ROLE_PERMISSIONS

# DRAFT dataset CRUD: either the ingester role or the generic object
# permission (imported earlier in the file, not visible in this excerpt).
create_draft_object_permission_impl = require_any(
    INGESTER_ROLE_PERMISSIONS, create_object_permission_impl)
update_draft_object_permission_impl = require_any(
    INGESTER_ROLE_PERMISSIONS, update_object_permission_impl)
read_draft_object_permission_impl = require_any(INGESTER_ROLE_PERMISSIONS,
                                                read_object_permission_impl)
delete_draft_object_permission_impl = delete_object_permission_impl
# Listing drafts is closed to everyone.
list_draft_object_permission_impl = deny_all

# DRAFT dataset file manipulation
put_draft_file_permission_impl = put_file_token_permission_factory(
    require_any(INGESTER_ROLE_PERMISSIONS, update_object_permission_impl))

# NOTE(review): reads also go through the *put* token factory; confirm no
# read-specific token factory is intended here.
get_draft_file_permission_impl = put_file_token_permission_factory(
    require_any(INGESTER_ROLE_PERMISSIONS, read_draft_object_permission_impl))
# Deleting a draft file requires the generic update permission (the value
# bound at this point, see the rebinding below), not the ingester-extended one.
delete_draft_file_permission_impl = update_object_permission_impl

# DRAFT dataset publishing
publish_draft_object_permission_impl = publish_permission_impl
unpublish_draft_object_permission_impl = unpublish_permission_impl

# PUBLISHED dataset manipulation
# NOTE: this REBINDS ``update_object_permission_impl``. The draft permissions
# above already captured the earlier value when they were built, so they are
# unaffected, but anything importing this name from this module receives the
# admin-only permission. Statement order in this module is significant.
update_object_permission_impl = require_all(ADMIN_ROLE_PERMISSIONS)

# ALL dataset list
list_all_object_permission_impl = allow_all