def test_deposit_publish_gives_acceess_to_members_of_exp(
client, db, users, create_deposit):
owner = users['superuser']
role = _datastore.find_or_create_role('*****@*****.**')
db.session.add(ActionRoles.allow(exp_need_factory('CMS'), role=role))
deposit = create_deposit(owner, 'test', {}, experiment='CMS', publish=True)
_, record = deposit.fetch_published()
assert record['_access'] == {
'record-read': {
'users': [owner.id, users['cms_user'].id, users['cms_user2'].id],
'roles': [role.id]
},
'record-update': {
'users': [owner.id],
'roles': []
},
'record-admin': {
'users': [owner.id],
'roles': []
}
}
assert ActionUsers.query.filter_by(action='record-read',
argument=str(record.id),
user=users['cms_user']).one()
assert ActionUsers.query.filter_by(action='record-read',
argument=str(record.id),
user=users['cms_user2']).one()
assert ActionRoles.query.filter_by(action='record-read',
argument=str(record.id),
role=role).one()
def test_record_patron_create(db, users, access, action, is_allowed):
"""Test patron create."""
# create role to be able to create records
role = Role(name="records-creators")
db.session.add(role)
db.session.commit()
# assign role to the action "create-records"
ar = ActionRoles.allow(create_records_action, role_id=role.id)
db.session.add(ar)
db.session.commit()
@identity_loaded.connect
def mock_identity_provides(sender, identity):
"""Provide additional role to the user."""
roles = [RoleNeed(role.name)]
# Gives the user additional roles, f.e. based on his groups
identity.provides |= set(roles)
login_user(users["patron1"])
id = uuid.uuid4()
record = Record.create(access, id_=id)
factory = RecordPermission(record, action)
assert factory.can() if is_allowed else not factory.can()
def _add_deposit_permissions(cls, data, id_):
"""Inherit permissions after deposit."""
data['_access'] = {
DEPOSIT_TO_RECORD_ACTION_MAP[action]: permission
for action, permission in data['_access'].items()
}
for action, permission in data['_access'].items():
for role in permission['roles']:
role = Role.query.filter_by(id=role).one()
try:
ActionRoles.query.filter_by(action=action,
argument=str(id_),
role_id=role.id).one()
except NoResultFound:
db.session.add(
ActionRoles.allow(RECORD_ACTION_NEEDS(id_)[action],
role=role))
for user in permission['users']:
user = User.query.filter_by(id=user).one()
try:
ActionUsers.query.filter_by(action=action,
argument=str(id_),
user_id=user.id).one()
except NoResultFound:
db.session.add(
ActionUsers.allow(RECORD_ACTION_NEEDS(id_)[action],
user=user))
def _add_experiment_permissions(cls, data, id_):
"""Add read permissions to everybody assigned to experiment."""
exp_need = exp_need_factory(data['_experiment'])
# give read access to members of collaboration
for au in ActionUsers.query_by_action(exp_need).all():
try:
ActionUsers.query_by_action(
RECORD_ACTION_NEEDS(id_)['record-read']
).filter_by(user=au.user).one()
except NoResultFound:
db.session.add(
ActionUsers.allow(
RECORD_ACTION_NEEDS(id_)['record-read'],
user=au.user
)
)
data['_access']['record-read']['users'].append(au.user.id)
for ar in ActionRoles.query_by_action(exp_need).all():
try:
ActionRoles.query_by_action(
RECORD_ACTION_NEEDS(id_)['record-read']
).filter_by(role=ar.role).one()
except NoResultFound:
db.session.add(
ActionRoles.allow(
RECORD_ACTION_NEEDS(id_)['record-read'],
role=ar.role
)
)
data['_access']['record-read']['roles'].append(ar.role.id)
def admin_user(db):
"""Permission for admin users."""
perms = [
location_update_all,
bucket_read_all,
bucket_read_versions_all,
bucket_update_all,
bucket_listmultiparts_all,
object_read_all,
object_read_version_all,
object_delete_all,
object_delete_version_all,
multipart_read_all,
multipart_delete_all,
bucket_read_all,
object_read_all,
bucket_update_all,
object_delete_all,
multipart_read_all,
object_read_all,
]
admin = Role(name='admin')
for perm in perms:
db.session.add(ActionRoles.allow(perm, role=admin))
admin_user = create_test_user(email='*****@*****.**',
password='******',
active=True)
admin.users.append(admin_user)
db.session.commit()
yield admin_user
def test_users(app):
"""Create test users.
Created users are named 'normal' and 'admin'.
Other fixtures can add other users.
Returns:
(dict) A dict of username->user_info.
"""
result = dict()
accounts = app.extensions['invenio-accounts']
security = app.extensions['security']
with app.app_context():
# create a normal user
result['normal'] = create_user('normal')
# create admin user
user_info = create_user('admin')
user = accounts.datastore.get_user(user_info.id)
role = security.datastore.find_or_create_role('admin')
db.session.add(ActionRoles.allow(
superuser_access, role=role
))
security.datastore.add_role_to_user(user, role)
result['admin'] = user_info
# create the user which will create the test deposits
creator = create_user('deposits_creator')
result['deposits_creator'] = creator
db.session.commit()
return result
def test_users(app):
"""Create test users.
Created users are named 'normal' and 'admin'.
Other fixtures can add other users.
Returns:
(dict) A dict of username->user_info.
"""
result = dict()
accounts = app.extensions['invenio-accounts']
security = app.extensions['security']
with app.app_context():
# create a normal user
result['normal'] = create_user('normal')
# create admin user
user_info = create_user('admin')
user = accounts.datastore.get_user(user_info.id)
role = security.datastore.find_or_create_role('admin')
db.session.add(ActionRoles.allow(
superuser_access, role=role
))
security.datastore.add_role_to_user(user, role)
result['admin'] = user_info
# create the user which will create the test deposits
creator = create_user('deposits_creator')
result['deposits_creator'] = creator
db.session.commit()
return result
def set_egroup_permissions(role, permissions, id, session, access):
_permissions = (p for p in permissions
if p.get("action", "") in DEPOSIT_ACTIONS)
for permission in _permissions:
if permission.get("op", "") == "add":
try:
session.add(
ActionRoles.allow(DEPOSIT_ACTIONS_NEEDS(id).get(
permission.get("action", ""), ""),
role=role))
except:
return
access.get(permission["action"], {}).get('roles',
[]).append(role.id)
elif permission.get("op", "") == "remove":
try:
au = ActionRoles.query.filter(
ActionRoles.action == permission.get("action", ""),
ActionRoles.argument == str(id),
ActionRoles.role_id == role.id).first()
if au:
session.delete(au)
except:
return
access.get(permission["action"], {}).get('roles',
[]).remove(role.id)
return access
def test_deposit_publish_gives_acceess_to_members_of_exp(app, db, users, create_deposit):
owner = users['superuser']
role = _datastore.find_or_create_role('*****@*****.**')
db.session.add(ActionRoles.allow(exp_need_factory('CMS'), role=role))
deposit = create_deposit(owner, 'test-v1.0.0', {}, 'CMS', publish=True)
_, record = deposit.fetch_published()
assert record['_access'] == {
'record-read': {
'users': [owner.id, users['cms_user'].id, users['cms_user2'].id],
'roles': [role.id]
},
'record-update': {
'users': [owner.id],
'roles': []
},
'record-admin': {
'users': [owner.id],
'roles': []
}
}
assert ActionUsers.query.filter_by(action='record-read',
argument=str(record.id),
user=users['cms_user']).one()
assert ActionUsers.query.filter_by(action='record-read',
argument=str(record.id),
user=users['cms_user2']).one()
assert ActionRoles.query.filter_by(action='record-read',
argument=str(record.id),
role=role).one()
def _add_experiment_permissions(cls, data, id_):
"""Add read permissions to everybody assigned to experiment."""
exp_need = exp_need_factory(data['_experiment'])
# give read access to members of collaboration
for au in ActionUsers.query_by_action(exp_need).all():
try:
ActionUsers.query_by_action(
RECORD_ACTION_NEEDS(id_)['record-read']).filter_by(
user=au.user).one()
except NoResultFound:
db.session.add(
ActionUsers.allow(RECORD_ACTION_NEEDS(id_)['record-read'],
user=au.user))
data['_access']['record-read']['users'].append(au.user.id)
for ar in ActionRoles.query_by_action(exp_need).all():
try:
ActionRoles.query_by_action(
RECORD_ACTION_NEEDS(id_)['record-read']).filter_by(
role=ar.role).one()
except NoResultFound:
db.session.add(
ActionRoles.allow(RECORD_ACTION_NEEDS(id_)['record-read'],
role=ar.role))
data['_access']['record-read']['roles'].append(ar.role.id)
def receive_before_insert(mapper, connection, target):
"""Create community admin and member roles and add their permissions."""
from b2share.modules.deposit.permissions import (
create_deposit_need_factory,
read_deposit_need_factory,
update_deposit_metadata_need_factory,
update_deposit_publication_state_need_factory,
)
from b2share.modules.deposit.api import PublicationStates
admin_role = Role(name=_community_admin_role_name(target),
description='Admin role of the community "{}"'.format(
target.name))
member_role = Role(name=_community_member_role_name(target),
description='Member role of the community "{}"'.format(
target.name))
db.session.add(admin_role)
db.session.add(member_role)
member_needs = [
create_deposit_need_factory(str(target.id)),
]
admin_needs = [
read_deposit_need_factory(
community=str(target.id),
publication_state=PublicationStates.submitted.name),
read_deposit_need_factory(
community=str(target.id),
publication_state=PublicationStates.published.name),
update_deposit_metadata_need_factory(
community=str(target.id),
publication_state=PublicationStates.submitted.name),
# permission to publish a submission
update_deposit_publication_state_need_factory(
community=str(target.id),
old_state=PublicationStates.submitted.name,
new_state=PublicationStates.published.name),
# permission to ask the owners to fix a submission before resubmitting
update_deposit_publication_state_need_factory(
community=str(target.id),
old_state=PublicationStates.submitted.name,
new_state=PublicationStates.draft.name)
]
for need in member_needs:
db.session.add(ActionRoles.allow(need, role=member_role))
for need in chain(member_needs, admin_needs):
db.session.add(ActionRoles.allow(need, role=admin_role))
def _add_egroup_permissions(self, egroup, permissions, session):
for permission in permissions:
session.add(
ActionRoles.allow(DEPOSIT_ACTIONS_NEEDS(self.id)[permission],
role=egroup))
session.flush()
self['_access'][permission]['roles'].append(egroup.id)
def assign_egroup_to_experiment(egroup_name, exp):
role = _datastore.find_or_create_role(egroup_name)
exp_need = exp_need_factory(exp)
db_.session.add(ActionRoles.allow(exp_need, role=role))
db_.session.commit()
return role
def with_role_creator(db):
""""Create a new role and assign action."""
role = Role(name="records-creators")
db.session.add(role)
db.session.commit()
# assign role to the action "create-records"
ar = ActionRoles.allow(create_records_action, role_id=role.id)
db.session.add(ar)
db.session.commit()
def add_read_access(self, role):
"""Give read access to egroup."""
# @TODO make possible to give access also to users
db.session.add(
ActionRoles.allow(
SchemaReadAction(self.id),
role=role
)
)
db.session.commit()
def assign_egroup_to_experiment(egroup_name, exp):
role = _datastore.find_or_create_role(egroup_name)
exp_need = exp_need_factory(exp)
db_.session.add(ActionRoles.allow(
exp_need, role=role))
db_.session.commit()
return role
def create_role(name, permissions=None):
"""Create a role and assign it the given permission needs."""
security = current_app.extensions['security']
role = security.datastore.find_or_create_role(name)
if permissions is not None:
for permission in permissions:
# permissions of the form [('action name', 'argument'), (...)]
if len(permission) == 2:
permission = ParameterizedActionNeed(permission[0],
permission[1])
db.session.add(ActionRoles.allow(permission, role=role))
return role
def create_role(name, permissions=None):
"""Create a role and assign it the given permission needs."""
security = current_app.extensions['security']
role = security.datastore.find_or_create_role(name)
if permissions is not None:
for permission in permissions:
# permissions of the form [('action name', 'argument'), (...)]
if len(permission) == 2:
permission = ParameterizedActionNeed(permission[0],
permission[1])
db.session.add(ActionRoles.allow(permission, role=role))
return role
def _add_egroup_permissions(self,
egroup,
permissions,
session):
for permission in permissions:
session.add(
ActionRoles.allow(
DEPOSIT_ACTIONS_NEEDS(self.id)[permission],
role=egroup
)
)
session.flush()
self['_access'][permission]['roles'].append(egroup.id)
def set_egroup_permissions(role, permissions, id, session, access):
_permissions = (p for p in permissions if p.get(
"action", "") in DEPOSIT_ACTIONS)
for permission in _permissions:
if (permission.get("op", "") == "add"):
try:
session.add(ActionRoles.allow(
DEPOSIT_ACTIONS_NEEDS(id).get(
permission.get("action", ""),
""),
role=role
))
except:
return
access.get(permission["action"], {}).get(
'roles', []).append(role.id)
elif (permission.get("op", "") == "remove"):
try:
au = ActionRoles.query.filter(
ActionRoles.action == permission.get("action", ""),
ActionRoles.argument == str(id),
ActionRoles.role_id == role.id).first()
if au:
session.delete(au)
except:
return
access.get(permission["action"], {}).get(
'roles', []).remove(role.id)
return access
def _add_deposit_permissions(cls, data, id_):
"""Inherit permissions after deposit."""
data['_access'] = {
DEPOSIT_TO_RECORD_ACTION_MAP[action]: permission
for action, permission in data['_access'].items()
}
for action, permission in data['_access'].items():
for role in permission['roles']:
role = Role.query.filter_by(id=role).one()
db.session.add(
ActionRoles.allow(
RECORD_ACTION_NEEDS(id_)[action],
role=role
)
)
for user in permission['users']:
user = User.query.filter_by(id=user).one()
db.session.add(
ActionUsers.allow(
RECORD_ACTION_NEEDS(id_)[action],
user=user
)
)
def receive_before_insert(mapper, connection, target):
"""Create community admin and member roles and add their permissions."""
from b2share.modules.deposit.permissions import (
create_deposit_need_factory, read_deposit_need_factory,
update_deposit_metadata_need_factory,
update_deposit_publication_state_need_factory,
)
from b2share.modules.deposit.api import PublicationStates
from b2share.modules.records.permissions import (
update_record_metadata_need_factory,
)
from b2share.modules.users.permissions import (
assign_role_need_factory, search_accounts_need,
)
admin_role = Role(
name=_community_admin_role_name(target),
description='Admin role of the community "{}"'.format(target.name)
)
member_role = Role(
name=_community_member_role_name(target),
description='Member role of the community "{}"'.format(target.name)
)
db.session.add(admin_role)
db.session.add(member_role)
member_needs = [
create_deposit_need_factory(str(target.id)),
]
admin_needs = [
read_deposit_need_factory(
community=str(target.id),
publication_state=PublicationStates.submitted.name
),
read_deposit_need_factory(
community=str(target.id),
publication_state=PublicationStates.published.name
),
update_deposit_metadata_need_factory(
community=str(target.id),
publication_state=PublicationStates.submitted.name
),
# permission to publish a submission
update_deposit_publication_state_need_factory(
community=str(target.id),
old_state=PublicationStates.submitted.name,
new_state=PublicationStates.published.name
),
# permission to ask the owners to fix a submission before resubmitting
update_deposit_publication_state_need_factory(
community=str(target.id),
old_state=PublicationStates.submitted.name,
new_state=PublicationStates.draft.name
),
# permission to update the metadata of a published record
update_record_metadata_need_factory(
community=str(target.id),
),
# allow to assign any role owned by this community
assign_role_need_factory(community=target.id),
# allow to list users' accounts
search_accounts_need,
]
for need in member_needs:
db.session.add(ActionRoles.allow(need, role=member_role))
for need in chain (member_needs, admin_needs):
db.session.add(ActionRoles.allow(need, role=admin_role))
oaiset = OAISet(spec=str(target.id), name=target.name, description=target.description)
db.session.add(oaiset)
def create_roles_and_permissions(community, fix=False):
"""Create community admin and member roles and add their permissions.
:param community: the community for which we add the roles and
permissions.
:param fix: Enable the fixing of the database. This function doesn't fail
if some roles or permissions already exist. It will just add the
missing ones.
"""
from b2share.modules.deposit.permissions import (
create_deposit_need_factory, read_deposit_need_factory,
update_deposit_metadata_need_factory,
update_deposit_publication_state_need_factory,
)
from b2share.modules.deposit.api import PublicationStates
from b2share.modules.records.permissions import (
update_record_metadata_need_factory,
)
from b2share.modules.users.permissions import (
assign_role_need_factory, search_accounts_need,
)
admin_role = Role(
name=_community_admin_role_name(community),
description='Admin role of the community "{}"'.format(community.name)
)
member_role = Role(
name=_community_member_role_name(community),
description='Member role of the community "{}"'.format(community.name)
)
# use a nested session so that the ids are generated by the DB.
with db.session.begin_nested():
admin_role = add_to_db(admin_role, skip_if_exists=fix)
member_role = add_to_db(member_role, skip_if_exists=fix)
member_needs = [
create_deposit_need_factory(str(community.id)),
]
admin_needs = [
read_deposit_need_factory(
community=str(community.id),
publication_state=PublicationStates.submitted.name
),
read_deposit_need_factory(
community=str(community.id),
publication_state=PublicationStates.published.name
),
update_deposit_metadata_need_factory(
community=str(community.id),
publication_state=PublicationStates.submitted.name
),
# permission to publish a submission
update_deposit_publication_state_need_factory(
community=str(community.id),
old_state=PublicationStates.submitted.name,
new_state=PublicationStates.published.name
),
# permission to ask the owners to fix a submission before resubmitting
update_deposit_publication_state_need_factory(
community=str(community.id),
old_state=PublicationStates.submitted.name,
new_state=PublicationStates.draft.name
),
# permission to update the metadata of a published record
update_record_metadata_need_factory(
community=str(community.id),
),
# allow to assign any role owned by this community
assign_role_need_factory(community=community.id),
# allow to list users' accounts
search_accounts_need,
]
for need in member_needs:
add_to_db(ActionRoles.allow(need, role=member_role),
skip_if_exists=fix,
role_id=member_role.id)
for need in chain (member_needs, admin_needs):
add_to_db(ActionRoles.allow(need, role=admin_role),
skip_if_exists=fix,
role_id=admin_role.id)
def update_record_permissions(pid_value=None):
resolver = Resolver(
pid_type='recid',
object_type='rec',
getter=Record.get_record)
pid, record = resolver.resolve(pid_value)
emails = []
roles = []
userrole_list = request.get_json().keys()
if not (current_app.config.get('EMAIL_REGEX', None)):
resp = jsonify(**{message: "ERROR in email regex ;)"})
resp.status_code = 400
return resp
email_regex = re.compile(current_app.config.get('EMAIL_REGEX'), )
for userrole in userrole_list:
if email_regex.match(userrole):
emails.append(userrole)
else:
#: [TOBEFIXED] Needs to check if E-Group exists
try:
role = Role.query.filter(Role.name == userrole).first()
if not role:
tmp_role = _datastore.create_role(name=userrole)
roles.append(userrole)
except:
print("Something happened when trying to create '"+userrole+"' role")
# Role.add(tmp_role)
users = User.query.filter(User.email.in_(emails)).all()
roles = Role.query.filter(Role.name.in_(roles)).all()
action_edit_record = RecordUpdateActionNeed(str(record.id))
action_read_record = RecordReadActionNeed(str(record.id))
action_index_record = RecordIndexActionNeed(str(record.id))
with db.session.begin_nested():
for user in users:
for action in request.get_json().get(user.email, None):
if (action.get("action", None) == "records-read" and action.get("op", None) == "add"):
db.session.add(ActionUsers.allow(action_read_record, user=user))
elif (action.get("action", None) == "records-index" and action.get("op", None) == "add"):
db.session.add(ActionUsers.allow(action_index_record, user=user))
elif (action.get("action", None) == "records-update" and action.get("op", None) == "add"):
db.session.add(ActionUsers.allow(action_edit_record, user=user))
elif (action.get("action", None) == "records-read" and action.get("op", None) == "remove"):
au = ActionUsers.query.filter(ActionUsers.action == "records-read", ActionUsers.argument == str(record.id), ActionUsers.user_id == user.id).first()
if (au):
db.session.delete(au)
elif (action.get("action", None) == "records-index" and action.get("op", None) == "remove"):
au = ActionUsers.query.filter(ActionUsers.action == "records-index", ActionUsers.argument == str(record.id), ActionUsers.user_id == user.id).first()
if (au):
db.session.delete(au)
elif (action.get("action", None) == "records-update" and action.get("op", None) == "remove"):
au = ActionUsers.query.filter(ActionUsers.action == "records-update", ActionUsers.argument == str(record.id), ActionUsers.user_id == user.id).first()
if (au):
db.session.delete(au)
# db.session.begin(nested=True)
for role in roles:
for action in request.get_json().get(role.name, None):
if (action.get("action", None) == "records-read" and action.get("op", None) == "add"):
db.session.add(ActionRoles.allow(action_read_record, role=role))
elif (action.get("action", None) == "records-index" and action.get("op", None) == "add"):
db.session.add(ActionRoles.allow(action_index_record, role=role))
elif (action.get("action", None) == "records-update" and action.get("op", None) == "add"):
db.session.add(ActionRoles.allow(action_edit_record, role=role))
elif (action.get("action", None) == "records-read" and action.get("op", None) == "remove"):
au = ActionRoles.query.filter(ActionRoles.action == "records-read", ActionRoles.argument == str(record.id), ActionRoles.role_id == role.id).first()
if (au):
db.session.delete(au)
elif (action.get("action", None) == "records-index" and action.get("op", None) == "remove"):
au = ActionRoles.query.filter(ActionRoles.action == "records-index", ActionRoles.argument == str(record.id), ActionRoles.role_id == role.id).first()
if (au):
db.session.delete(au)
elif (action.get("action", None) == "records-update" and action.get("op", None) == "remove"):
au = ActionRoles.query.filter(ActionRoles.action == "records-update", ActionRoles.argument == str(record.id), ActionRoles.role_id == role.id).first()
if (au):
db.session.delete(au)
db.session.commit()
resp = jsonify()
resp.status_code = 200
return resp
def update_record_permissions(pid_value=None):
resolver = Resolver(pid_type='recid',
object_type='rec',
getter=Record.get_record)
pid, record = resolver.resolve(pid_value)
emails = []
roles = []
userrole_list = request.get_json().keys()
if not (current_app.config.get('EMAIL_REGEX', None)):
resp = jsonify(**{message: "ERROR in email regex ;)"})
resp.status_code = 400
return resp
email_regex = re.compile(current_app.config.get('EMAIL_REGEX'), )
for userrole in userrole_list:
if email_regex.match(userrole):
emails.append(userrole)
else:
#: [TOBEFIXED] Needs to check if E-Group exists
try:
role = Role.query.filter(Role.name == userrole).first()
if not role:
tmp_role = _datastore.create_role(name=userrole)
roles.append(userrole)
except:
print("Something happened when trying to create '" + userrole +
"' role")
# Role.add(tmp_role)
users = User.query.filter(User.email.in_(emails)).all()
roles = Role.query.filter(Role.name.in_(roles)).all()
action_edit_record = RecordUpdateActionNeed(str(record.id))
action_read_record = RecordReadActionNeed(str(record.id))
action_index_record = RecordIndexActionNeed(str(record.id))
with db.session.begin_nested():
for user in users:
for action in request.get_json().get(user.email, None):
if (action.get("action", None) == "records-read"
and action.get("op", None) == "add"):
db.session.add(
ActionUsers.allow(action_read_record, user=user))
elif (action.get("action", None) == "records-index"
and action.get("op", None) == "add"):
db.session.add(
ActionUsers.allow(action_index_record, user=user))
elif (action.get("action", None) == "records-update"
and action.get("op", None) == "add"):
db.session.add(
ActionUsers.allow(action_edit_record, user=user))
elif (action.get("action", None) == "records-read"
and action.get("op", None) == "remove"):
au = ActionUsers.query.filter(
ActionUsers.action == "records-read",
ActionUsers.argument == str(record.id),
ActionUsers.user_id == user.id).first()
if (au):
db.session.delete(au)
elif (action.get("action", None) == "records-index"
and action.get("op", None) == "remove"):
au = ActionUsers.query.filter(
ActionUsers.action == "records-index",
ActionUsers.argument == str(record.id),
ActionUsers.user_id == user.id).first()
if (au):
db.session.delete(au)
elif (action.get("action", None) == "records-update"
and action.get("op", None) == "remove"):
au = ActionUsers.query.filter(
ActionUsers.action == "records-update",
ActionUsers.argument == str(record.id),
ActionUsers.user_id == user.id).first()
if (au):
db.session.delete(au)
# db.session.begin(nested=True)
for role in roles:
for action in request.get_json().get(role.name, None):
if (action.get("action", None) == "records-read"
and action.get("op", None) == "add"):
db.session.add(
ActionRoles.allow(action_read_record, role=role))
elif (action.get("action", None) == "records-index"
and action.get("op", None) == "add"):
db.session.add(
ActionRoles.allow(action_index_record, role=role))
elif (action.get("action", None) == "records-update"
and action.get("op", None) == "add"):
db.session.add(
ActionRoles.allow(action_edit_record, role=role))
elif (action.get("action", None) == "records-read"
and action.get("op", None) == "remove"):
au = ActionRoles.query.filter(
ActionRoles.action == "records-read",
ActionRoles.argument == str(record.id),
ActionRoles.role_id == role.id).first()
if (au):
db.session.delete(au)
elif (action.get("action", None) == "records-index"
and action.get("op", None) == "remove"):
au = ActionRoles.query.filter(
ActionRoles.action == "records-index",
ActionRoles.argument == str(record.id),
ActionRoles.role_id == role.id).first()
if (au):
db.session.delete(au)
elif (action.get("action", None) == "records-update"
and action.get("op", None) == "remove"):
au = ActionRoles.query.filter(
ActionRoles.action == "records-update",
ActionRoles.argument == str(record.id),
ActionRoles.role_id == role.id).first()
if (au):
db.session.delete(au)
db.session.commit()
resp = jsonify()
resp.status_code = 200
return resp
def receive_before_insert(mapper, connection, target):
"""Create community admin and member roles and add their permissions."""
from b2share.modules.deposit.permissions import (
create_deposit_need_factory,
read_deposit_need_factory,
update_deposit_metadata_need_factory,
update_deposit_publication_state_need_factory,
)
from b2share.modules.deposit.api import PublicationStates
from b2share.modules.records.permissions import (
update_record_metadata_need_factory, )
from b2share.modules.users.permissions import (
assign_role_need_factory,
search_accounts_need,
)
admin_role = Role(name=_community_admin_role_name(target),
description='Admin role of the community "{}"'.format(
target.name))
member_role = Role(name=_community_member_role_name(target),
description='Member role of the community "{}"'.format(
target.name))
db.session.add(admin_role)
db.session.add(member_role)
member_needs = [
create_deposit_need_factory(str(target.id)),
]
admin_needs = [
read_deposit_need_factory(
community=str(target.id),
publication_state=PublicationStates.submitted.name),
read_deposit_need_factory(
community=str(target.id),
publication_state=PublicationStates.published.name),
update_deposit_metadata_need_factory(
community=str(target.id),
publication_state=PublicationStates.submitted.name),
# permission to publish a submission
update_deposit_publication_state_need_factory(
community=str(target.id),
old_state=PublicationStates.submitted.name,
new_state=PublicationStates.published.name),
# permission to ask the owners to fix a submission before resubmitting
update_deposit_publication_state_need_factory(
community=str(target.id),
old_state=PublicationStates.submitted.name,
new_state=PublicationStates.draft.name),
# permission to update the metadata of a published record
update_record_metadata_need_factory(community=str(target.id), ),
# allow to assign any role owned by this community
assign_role_need_factory(community=target.id),
# allow to list users' accounts
search_accounts_need,
]
for need in member_needs:
db.session.add(ActionRoles.allow(need, role=member_role))
for need in chain(member_needs, admin_needs):
db.session.add(ActionRoles.allow(need, role=admin_role))
oaiset = OAISet(spec=str(target.id),
name=target.name,
description=target.description)
db.session.add(oaiset)
