Пример #1
def test_require_any(record: ExampleRecord):
    """``require_any`` grants when at least one wrapped check grants and denies otherwise.

    The ``record`` fixture is presumably in the ``closed`` state: the first
    assertion shows that neither ``new`` nor ``editing`` matches, the second
    that ``closed`` does — confirm against the fixture definition.
    """
    # No alternative matches the record's state -> denied.
    no_match = require_any(
        state_required('new'),
        state_required('editing'),
    )
    assert not no_match(record).can()

    # A single matching alternative ('closed') is enough -> granted.
    one_match = require_any(
        state_required('closed'),
        state_required('editing'),
    )
    assert one_match(record).can()

    # An empty disjunction has nothing that could grant: it must deny by default.
    assert not require_any()(record).can()
Пример #2
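def read_permission_factory(record, *args, **kwargs):
    """Read permission factory that takes secondary communities into account.

    Allows access to record in one of the following cases:
        * Record is PUBLISHED
        * Current user is the OWNER of the record
        * User's role has allowed READ action in one of record's communities AND:
            1) User is in one of the roles of the community from the request path AND record is at least APPROVED. OR
            2) User is CURATOR in the community from the request path

    Anything that is not a :class:`Record` is rejected with an exception
    instead of being granted, so the factory fails closed.

    :param record: An instance of :class:`oarepo_communities.record.CommunityRecordMixin`.
        ``None`` (a global action) is not supported by this factory and raises.
    :raises RuntimeError: If the object is unknown or missing.
    :returns: A :class:`invenio_access.permissions.Permission` instance.
    """
    # The docstring above is a plain literal on purpose: an f-string literal is
    # not stored in ``__doc__``.
    if isinstance(record, Record):
        # Primary community first, then every secondary one; the order is only
        # cosmetic because all of them become alternatives of one Permission.
        communities = [record.primary_community, *record.secondary_communities]
        return require_any(
            #: Anyone can read published records
            state_required(STATE_PUBLISHED),
            require_all(
                require_action_allowed(COMMUNITY_READ),
                require_any(
                    #: Record AUTHOR can READ his own records
                    owner_permission_impl,
                    require_all(
                        #: User's role has granted READ permissions in record's communities
                        Permission(*[ParameterizedActionNeed(COMMUNITY_READ, x) for x in communities]),
                        require_any(
                            #: Community MEMBERS can READ APPROVED community records
                            require_all(
                                state_required(STATE_APPROVED),
                                require_any(
                                    community_member_permission_impl,
                                    community_publisher_permission_impl
                                )
                            ),
                            #: Community CURATORS can READ ALL community records
                            community_curator_permission_impl
                        )
                    )
                )
            )
        )(record, *args, **kwargs)
    else:
        # Deny by raising rather than returning a permissive permission.
        raise RuntimeError('Unknown or missing object')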
Пример #3
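def owner_or_role_action_permission_factory(action, record, *args, **kwargs):
    """Record owner/role permission factory.

    Allows access to record if:
        * The record is owned by the current user.
        /OR/
        * User's role is allowed the required action for the record

    :param action: The action being checked; forwarded to both delegate factories.
    :param record: The record the permission is evaluated for; forwarded as well.
    :returns: Whatever the combined ``require_any`` permission returns when
        called with ``record``.
    """
    # Plain literal docstring on purpose: an f-string literal is not stored in
    # ``__doc__``.
    # Both delegate factories are resolved for this record first, then combined
    # so that either one granting is sufficient.
    return require_any(
        action_permission_factory(action)(record, *args, **kwargs),
        owner_permission_factory(action, record, *args, **kwargs),
    )(record, *args, **kwargs)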
Пример #4
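def update_permission_factory(record, *args, **kwargs):
    """Records REST update permission factory.

    Permission is granted if:
    * Record is a DRAFT AND
      * Current user is the OWNER of the record and record is not submitted for APPROVAL yet. OR
      * Current user is in role that has UPDATE action allowed in record's PRIMARY community.

    :param record: The record the permission is evaluated for; forwarded to the
        delegate action factory and to the combined permission.
    :returns: Whatever the combined ``require_all`` permission returns when
        called with ``record``.
    """
    # Plain literal docstring on purpose: an f-string literal is not stored in
    # ``__doc__``.
    return require_all(
        # Only drafts are updatable. ``None`` presumably matches a record with
        # no state set yet — confirm against state_required.
        state_required(None, STATE_EDITING, STATE_PENDING_APPROVAL),
        require_any(
            # Owners lose update rights once the record is pending approval.
            require_all(
                state_required(None, STATE_EDITING),
                owner_permission_impl,
            ),
            action_permission_factory(COMMUNITY_UPDATE)(record, *args, **kwargs),
        ),
    )(record, *args, **kwargs)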
Пример #5
def test_owner_permissions(app, db, community, authenticated_user):
    """Test owner system role permissions."""
    login_user(authenticated_user)
    # After login the identity carries exactly four needs, one of which is the
    # community_record_owner system role.
    provides = g.identity.provides
    assert len(provides) == 4
    assert community_record_owner in provides

    community_id = community[0]
    owner_action = f'owner-{COMMUNITY_REQUEST_APPROVAL}'

    # Approval is granted either by a role holding the action directly ...
    by_role = Permission(ParameterizedActionNeed(COMMUNITY_REQUEST_APPROVAL, community_id))
    # ... or by the matching user while record owners are granted the action.
    by_owner = require_all(
        Permission(UserNeed(authenticated_user.id)),
        Permission(ParameterizedActionNeed(owner_action, community_id)),
    )
    permissions = require_any(by_role, by_owner)

    # Nothing has been granted yet: the combined permission must deny.
    assert not permissions().can()

    # Grant the owner-scoped action to the owner system role for this community.
    db.session.add(
        ActionSystemRoles(
            action=owner_action,
            role_name=community_record_owner.value,
            argument=community_id,
        )
    )

    assert permissions().can()
Пример #6
# Copyright (C) 2020 CESNET.
#
# CESNET OA Publication Repository is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.
#

# DRAFT dataset record manipulation
from invenio_records_rest.utils import deny_all, allow_all
from oarepo_communities.permissions import read_object_permission_impl, create_object_permission_impl, \
    update_object_permission_impl, delete_object_permission_impl, publish_permission_impl, unpublish_permission_impl
from oarepo_fsm.permissions import require_any, require_all
from oarepo_tokens.permissions import put_file_token_permission_factory

from publications.permissions import ADMIN_ROLE_PERMISSIONS, INGESTER_ROLE_PERMISSIONS

# Record-level draft rules: the ingester role is an alternative to the
# community's own create/update/read rule.
create_draft_object_permission_impl = require_any(
    INGESTER_ROLE_PERMISSIONS,
    create_object_permission_impl,
)
update_draft_object_permission_impl = require_any(
    INGESTER_ROLE_PERMISSIONS,
    update_object_permission_impl,
)
read_draft_object_permission_impl = require_any(
    INGESTER_ROLE_PERMISSIONS,
    read_object_permission_impl,
)
# Deletion is delegated unchanged to the community rule (no ingester alternative).
delete_draft_object_permission_impl = delete_object_permission_impl
# Listing drafts is refused outright (deny_all from invenio_records_rest).
list_draft_object_permission_impl = deny_all

# DRAFT dataset file manipulation
# Upload: token-based factory around the update rule.
put_draft_file_permission_impl = put_file_token_permission_factory(
    require_any(INGESTER_ROLE_PERMISSIONS, update_object_permission_impl)
)

# Download: same token factory around the draft read rule.
# NOTE(review): read_draft_object_permission_impl already contains
# INGESTER_ROLE_PERMISSIONS, so the outer require_any repeats that alternative;
# left as written because nested require_any semantics are not visible here.
get_draft_file_permission_impl = put_file_token_permission_factory(
    require_any(INGESTER_ROLE_PERMISSIONS, read_draft_object_permission_impl)
)
# File deletion uses the community update rule without the ingester alternative
# that put has — NOTE(review): confirm this asymmetry is intended.
delete_draft_file_permission_impl = update_object_permission_impl