def test_require_any(record: ExampleRecord):
    """Check ``require_any`` against a fixture record.

    The fixture record is expected (by the surrounding test module) to be in
    the ``closed`` state, so a combination containing ``closed`` grants and a
    combination of ``new``/``editing`` denies; an empty ``require_any``
    must never grant.
    """
    new_or_editing = require_any(
        state_required('new'),
        state_required('editing'),
    )
    assert not new_or_editing(record).can()

    closed_or_editing = require_any(
        state_required('closed'),
        state_required('editing'),
    )
    assert closed_or_editing(record).can()

    # No alternatives at all -> nothing can satisfy the permission.
    assert not require_any()(record).can()
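def read_permission_factory(record, *args, **kwargs):
    """Read permission factory that takes secondary communities into account.

    Allows access to record in one of the following cases:

    * Record is PUBLISHED
    * Current user is the OWNER of the record
    * User's role has allowed READ action in one of record's communities AND:

      1) User is in one of the roles of the community from the request path
         AND record is at least APPROVED.
      OR
      2) User is CURATOR in the community from the request path

    :param record: An instance of
        :class:`oarepo_communities.record.CommunityRecordMixin`. Note that any
        other value -- including ``None`` -- is rejected by this
        implementation; there is no "global action" fallback here.
    :param args: Extra positional arguments forwarded to the composed permission.
    :param kwargs: Extra keyword arguments forwarded to the composed permission.
    :raises RuntimeError: If ``record`` is not a :class:`Record`.
    :returns: A :class:`invenio_access.permissions.Permission` instance.
    """
    # Guard first so the permission tree below is only built for real records.
    # (The docstring used to be an f-string literal, which Python does not
    # treat as a docstring -- ``__doc__`` was ``None``.)
    if not isinstance(record, Record):
        raise RuntimeError('Unknown or missing object')

    # READ is granted on the primary community or on any secondary community.
    communities = [record.primary_community, *record.secondary_communities]
    community_read_need = Permission(
        *(ParameterizedActionNeed(COMMUNITY_READ, x) for x in communities)
    )

    return require_any(
        #: Anyone can read published records
        state_required(STATE_PUBLISHED),
        require_all(
            require_action_allowed(COMMUNITY_READ),
            require_any(
                #: Record AUTHOR can READ his own records
                owner_permission_impl,
                require_all(
                    #: User's role has granted READ permissions in record's communities
                    community_read_need,
                    require_any(
                        #: Community MEMBERS can READ APPROVED community records
                        require_all(
                            state_required(STATE_APPROVED),
                            require_any(
                                community_member_permission_impl,
                                community_publisher_permission_impl,
                            ),
                        ),
                        #: Community CURATORS can READ ALL community records
                        community_curator_permission_impl,
                    ),
                ),
            ),
        ),
    )(record, *args, **kwargs)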
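def owner_or_role_action_permission_factory(action, record, *args, **kwargs):
    """Record owner/role permission factory.

    Allows access to record if:

    * The record is owned by the current user.
    /OR/
    * User's role is allowed the required action for the record

    :param action: The action name checked by both the role-based and the
        owner-based permission.
    :param record: The record the action is performed on.
    :param args: Extra positional arguments forwarded to the sub-factories and
        to the composed permission.
    :param kwargs: Extra keyword arguments forwarded likewise.
    :returns: The composed ``require_any`` permission, already bound to
        ``record``.
    """
    # The docstring used to be an f-string literal, which Python does not
    # treat as a docstring (``__doc__`` was ``None``).
    # Evaluation order is kept: role-based permission first, then owner-based.
    by_role = action_permission_factory(action)(record, *args, **kwargs)
    by_owner = owner_permission_factory(action, record, *args, **kwargs)
    return require_any(by_role, by_owner)(record, *args, **kwargs)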
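def update_permission_factory(record, *args, **kwargs):
    """Records REST update permission factory.

    Permission is granted if:

    * Record is a DRAFT (no state, EDITING, or PENDING_APPROVAL)
    AND
    * Current user is the OWNER of the record and record is not submitted for
      APPROVAL yet (no state or EDITING).
    OR
    * Current user is in role that has UPDATE action allowed in record's
      PRIMARY community.

    :param record: The record being updated.
    :param args: Extra positional arguments forwarded to the composed permission.
    :param kwargs: Extra keyword arguments forwarded likewise.
    :returns: The composed ``require_all`` permission, already bound to
        ``record``.
    """
    # The docstring used to be an f-string literal, which Python does not
    # treat as a docstring (``__doc__`` was ``None``).
    # Owners lose UPDATE once the record is PENDING_APPROVAL; only the
    # community role keeps it at that point.
    owner_may_edit = require_all(
        state_required(None, STATE_EDITING),
        owner_permission_impl,
    )
    role_may_update = action_permission_factory(COMMUNITY_UPDATE)(
        record, *args, **kwargs
    )
    return require_all(
        state_required(None, STATE_EDITING, STATE_PENDING_APPROVAL),
        require_any(owner_may_edit, role_may_update),
    )(record, *args, **kwargs)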
def test_owner_permissions(app, db, community, authenticated_user):
    """Test owner system role permissions."""
    login_user(authenticated_user)

    # The logged-in identity carries the owner system role among its needs.
    assert len(g.identity.provides) == 4
    assert community_record_owner in g.identity.provides

    owner_action = f'owner-{COMMUNITY_REQUEST_APPROVAL}'
    community_id = community[0]

    # Approval is granted either by user role ...
    by_role = Permission(
        ParameterizedActionNeed(COMMUNITY_REQUEST_APPROVAL, community_id)
    )
    # ... or user id must match and record owners must be granted the action.
    by_owner = require_all(
        Permission(UserNeed(authenticated_user.id)),
        Permission(ParameterizedActionNeed(owner_action, community_id)),
    )
    approval_permission = require_any(by_role, by_owner)

    # Nothing granted yet -> denied.
    assert not approval_permission().can()

    # Granting the owner-scoped action to the owner system role flips it.
    db.session.add(
        ActionSystemRoles(
            action=owner_action,
            role_name=community_record_owner.value,
            argument=community_id,
        )
    )
    assert approval_permission().can()
# Copyright (C) 2020 CESNET. # # CESNET OA Publication Repository is free software; you can redistribute it and/or modify it # under the terms of the MIT License; see LICENSE file for more details. # # DRAFT dataset record manipulation from invenio_records_rest.utils import deny_all, allow_all from oarepo_communities.permissions import read_object_permission_impl, create_object_permission_impl, \ update_object_permission_impl, delete_object_permission_impl, publish_permission_impl, unpublish_permission_impl from oarepo_fsm.permissions import require_any, require_all from oarepo_tokens.permissions import put_file_token_permission_factory from publications.permissions import ADMIN_ROLE_PERMISSIONS, INGESTER_ROLE_PERMISSIONS create_draft_object_permission_impl = require_any( INGESTER_ROLE_PERMISSIONS, create_object_permission_impl) update_draft_object_permission_impl = require_any( INGESTER_ROLE_PERMISSIONS, update_object_permission_impl) read_draft_object_permission_impl = require_any(INGESTER_ROLE_PERMISSIONS, read_object_permission_impl) delete_draft_object_permission_impl = delete_object_permission_impl list_draft_object_permission_impl = deny_all # DRAFT dataset file manipulation put_draft_file_permission_impl = put_file_token_permission_factory( require_any(INGESTER_ROLE_PERMISSIONS, update_object_permission_impl)) get_draft_file_permission_impl = put_file_token_permission_factory( require_any(INGESTER_ROLE_PERMISSIONS, read_draft_object_permission_impl)) delete_draft_file_permission_impl = update_object_permission_impl