def test_deposit_publish_gives_acceess_to_members_of_exp( client, db, users, create_deposit): owner = users['superuser'] role = _datastore.find_or_create_role('*****@*****.**') db.session.add(ActionRoles.allow(exp_need_factory('CMS'), role=role)) deposit = create_deposit(owner, 'test', {}, experiment='CMS', publish=True) _, record = deposit.fetch_published() assert record['_access'] == { 'record-read': { 'users': [owner.id, users['cms_user'].id, users['cms_user2'].id], 'roles': [role.id] }, 'record-update': { 'users': [owner.id], 'roles': [] }, 'record-admin': { 'users': [owner.id], 'roles': [] } } assert ActionUsers.query.filter_by(action='record-read', argument=str(record.id), user=users['cms_user']).one() assert ActionUsers.query.filter_by(action='record-read', argument=str(record.id), user=users['cms_user2']).one() assert ActionRoles.query.filter_by(action='record-read', argument=str(record.id), role=role).one()
def test_record_patron_create(db, users, access, action, is_allowed): """Test patron create.""" # create role to be able to create records role = Role(name="records-creators") db.session.add(role) db.session.commit() # assign role to the action "create-records" ar = ActionRoles.allow(create_records_action, role_id=role.id) db.session.add(ar) db.session.commit() @identity_loaded.connect def mock_identity_provides(sender, identity): """Provide additional role to the user.""" roles = [RoleNeed(role.name)] # Gives the user additional roles, f.e. based on his groups identity.provides |= set(roles) login_user(users["patron1"]) id = uuid.uuid4() record = Record.create(access, id_=id) factory = RecordPermission(record, action) assert factory.can() if is_allowed else not factory.can()
def _add_deposit_permissions(cls, data, id_): """Inherit permissions after deposit.""" data['_access'] = { DEPOSIT_TO_RECORD_ACTION_MAP[action]: permission for action, permission in data['_access'].items() } for action, permission in data['_access'].items(): for role in permission['roles']: role = Role.query.filter_by(id=role).one() try: ActionRoles.query.filter_by(action=action, argument=str(id_), role_id=role.id).one() except NoResultFound: db.session.add( ActionRoles.allow(RECORD_ACTION_NEEDS(id_)[action], role=role)) for user in permission['users']: user = User.query.filter_by(id=user).one() try: ActionUsers.query.filter_by(action=action, argument=str(id_), user_id=user.id).one() except NoResultFound: db.session.add( ActionUsers.allow(RECORD_ACTION_NEEDS(id_)[action], user=user))
def _add_experiment_permissions(cls, data, id_): """Add read permissions to everybody assigned to experiment.""" exp_need = exp_need_factory(data['_experiment']) # give read access to members of collaboration for au in ActionUsers.query_by_action(exp_need).all(): try: ActionUsers.query_by_action( RECORD_ACTION_NEEDS(id_)['record-read'] ).filter_by(user=au.user).one() except NoResultFound: db.session.add( ActionUsers.allow( RECORD_ACTION_NEEDS(id_)['record-read'], user=au.user ) ) data['_access']['record-read']['users'].append(au.user.id) for ar in ActionRoles.query_by_action(exp_need).all(): try: ActionRoles.query_by_action( RECORD_ACTION_NEEDS(id_)['record-read'] ).filter_by(role=ar.role).one() except NoResultFound: db.session.add( ActionRoles.allow( RECORD_ACTION_NEEDS(id_)['record-read'], role=ar.role ) ) data['_access']['record-read']['roles'].append(ar.role.id)
def admin_user(db): """Permission for admin users.""" perms = [ location_update_all, bucket_read_all, bucket_read_versions_all, bucket_update_all, bucket_listmultiparts_all, object_read_all, object_read_version_all, object_delete_all, object_delete_version_all, multipart_read_all, multipart_delete_all, bucket_read_all, object_read_all, bucket_update_all, object_delete_all, multipart_read_all, object_read_all, ] admin = Role(name='admin') for perm in perms: db.session.add(ActionRoles.allow(perm, role=admin)) admin_user = create_test_user(email='*****@*****.**', password='******', active=True) admin.users.append(admin_user) db.session.commit() yield admin_user
def test_users(app): """Create test users. Created users are named 'normal' and 'admin'. Other fixtures can add other users. Returns: (dict) A dict of username->user_info. """ result = dict() accounts = app.extensions['invenio-accounts'] security = app.extensions['security'] with app.app_context(): # create a normal user result['normal'] = create_user('normal') # create admin user user_info = create_user('admin') user = accounts.datastore.get_user(user_info.id) role = security.datastore.find_or_create_role('admin') db.session.add(ActionRoles.allow( superuser_access, role=role )) security.datastore.add_role_to_user(user, role) result['admin'] = user_info # create the user which will create the test deposits creator = create_user('deposits_creator') result['deposits_creator'] = creator db.session.commit() return result
def test_users(app): """Create test users. Created users are named 'normal' and 'admin'. Other fixtures can add other users. Returns: (dict) A dict of username->user_info. """ result = dict() accounts = app.extensions['invenio-accounts'] security = app.extensions['security'] with app.app_context(): # create a normal user result['normal'] = create_user('normal') # create admin user user_info = create_user('admin') user = accounts.datastore.get_user(user_info.id) role = security.datastore.find_or_create_role('admin') db.session.add(ActionRoles.allow( superuser_access, role=role )) security.datastore.add_role_to_user(user, role) result['admin'] = user_info # create the user which will create the test deposits creator = create_user('deposits_creator') result['deposits_creator'] = creator db.session.commit() return result
def set_egroup_permissions(role, permissions, id, session, access): _permissions = (p for p in permissions if p.get("action", "") in DEPOSIT_ACTIONS) for permission in _permissions: if permission.get("op", "") == "add": try: session.add( ActionRoles.allow(DEPOSIT_ACTIONS_NEEDS(id).get( permission.get("action", ""), ""), role=role)) except: return access.get(permission["action"], {}).get('roles', []).append(role.id) elif permission.get("op", "") == "remove": try: au = ActionRoles.query.filter( ActionRoles.action == permission.get("action", ""), ActionRoles.argument == str(id), ActionRoles.role_id == role.id).first() if au: session.delete(au) except: return access.get(permission["action"], {}).get('roles', []).remove(role.id) return access
def test_deposit_publish_gives_acceess_to_members_of_exp(app, db, users, create_deposit): owner = users['superuser'] role = _datastore.find_or_create_role('*****@*****.**') db.session.add(ActionRoles.allow(exp_need_factory('CMS'), role=role)) deposit = create_deposit(owner, 'test-v1.0.0', {}, 'CMS', publish=True) _, record = deposit.fetch_published() assert record['_access'] == { 'record-read': { 'users': [owner.id, users['cms_user'].id, users['cms_user2'].id], 'roles': [role.id] }, 'record-update': { 'users': [owner.id], 'roles': [] }, 'record-admin': { 'users': [owner.id], 'roles': [] } } assert ActionUsers.query.filter_by(action='record-read', argument=str(record.id), user=users['cms_user']).one() assert ActionUsers.query.filter_by(action='record-read', argument=str(record.id), user=users['cms_user2']).one() assert ActionRoles.query.filter_by(action='record-read', argument=str(record.id), role=role).one()
def _add_experiment_permissions(cls, data, id_): """Add read permissions to everybody assigned to experiment.""" exp_need = exp_need_factory(data['_experiment']) # give read access to members of collaboration for au in ActionUsers.query_by_action(exp_need).all(): try: ActionUsers.query_by_action( RECORD_ACTION_NEEDS(id_)['record-read']).filter_by( user=au.user).one() except NoResultFound: db.session.add( ActionUsers.allow(RECORD_ACTION_NEEDS(id_)['record-read'], user=au.user)) data['_access']['record-read']['users'].append(au.user.id) for ar in ActionRoles.query_by_action(exp_need).all(): try: ActionRoles.query_by_action( RECORD_ACTION_NEEDS(id_)['record-read']).filter_by( role=ar.role).one() except NoResultFound: db.session.add( ActionRoles.allow(RECORD_ACTION_NEEDS(id_)['record-read'], role=ar.role)) data['_access']['record-read']['roles'].append(ar.role.id)
def receive_before_insert(mapper, connection, target): """Create community admin and member roles and add their permissions.""" from b2share.modules.deposit.permissions import ( create_deposit_need_factory, read_deposit_need_factory, update_deposit_metadata_need_factory, update_deposit_publication_state_need_factory, ) from b2share.modules.deposit.api import PublicationStates admin_role = Role(name=_community_admin_role_name(target), description='Admin role of the community "{}"'.format( target.name)) member_role = Role(name=_community_member_role_name(target), description='Member role of the community "{}"'.format( target.name)) db.session.add(admin_role) db.session.add(member_role) member_needs = [ create_deposit_need_factory(str(target.id)), ] admin_needs = [ read_deposit_need_factory( community=str(target.id), publication_state=PublicationStates.submitted.name), read_deposit_need_factory( community=str(target.id), publication_state=PublicationStates.published.name), update_deposit_metadata_need_factory( community=str(target.id), publication_state=PublicationStates.submitted.name), # permission to publish a submission update_deposit_publication_state_need_factory( community=str(target.id), old_state=PublicationStates.submitted.name, new_state=PublicationStates.published.name), # permission to ask the owners to fix a submission before resubmitting update_deposit_publication_state_need_factory( community=str(target.id), old_state=PublicationStates.submitted.name, new_state=PublicationStates.draft.name) ] for need in member_needs: db.session.add(ActionRoles.allow(need, role=member_role)) for need in chain(member_needs, admin_needs): db.session.add(ActionRoles.allow(need, role=admin_role))
def _add_egroup_permissions(self, egroup, permissions, session): for permission in permissions: session.add( ActionRoles.allow(DEPOSIT_ACTIONS_NEEDS(self.id)[permission], role=egroup)) session.flush() self['_access'][permission]['roles'].append(egroup.id)
def assign_egroup_to_experiment(egroup_name, exp): role = _datastore.find_or_create_role(egroup_name) exp_need = exp_need_factory(exp) db_.session.add(ActionRoles.allow(exp_need, role=role)) db_.session.commit() return role
def with_role_creator(db): """"Create a new role and assign action.""" role = Role(name="records-creators") db.session.add(role) db.session.commit() # assign role to the action "create-records" ar = ActionRoles.allow(create_records_action, role_id=role.id) db.session.add(ar) db.session.commit()
def add_read_access(self, role): """Give read access to egroup.""" # @TODO make possible to give access also to users db.session.add( ActionRoles.allow( SchemaReadAction(self.id), role=role ) ) db.session.commit()
def assign_egroup_to_experiment(egroup_name, exp): role = _datastore.find_or_create_role(egroup_name) exp_need = exp_need_factory(exp) db_.session.add(ActionRoles.allow( exp_need, role=role)) db_.session.commit() return role
def create_role(name, permissions=None): """Create a role and assign it the given permission needs.""" security = current_app.extensions['security'] role = security.datastore.find_or_create_role(name) if permissions is not None: for permission in permissions: # permissions of the form [('action name', 'argument'), (...)] if len(permission) == 2: permission = ParameterizedActionNeed(permission[0], permission[1]) db.session.add(ActionRoles.allow(permission, role=role)) return role
def create_role(name, permissions=None): """Create a role and assign it the given permission needs.""" security = current_app.extensions['security'] role = security.datastore.find_or_create_role(name) if permissions is not None: for permission in permissions: # permissions of the form [('action name', 'argument'), (...)] if len(permission) == 2: permission = ParameterizedActionNeed(permission[0], permission[1]) db.session.add(ActionRoles.allow(permission, role=role)) return role
def _add_egroup_permissions(self, egroup, permissions, session): for permission in permissions: session.add( ActionRoles.allow( DEPOSIT_ACTIONS_NEEDS(self.id)[permission], role=egroup ) ) session.flush() self['_access'][permission]['roles'].append(egroup.id)
def set_egroup_permissions(role, permissions, id, session, access): _permissions = (p for p in permissions if p.get( "action", "") in DEPOSIT_ACTIONS) for permission in _permissions: if (permission.get("op", "") == "add"): try: session.add(ActionRoles.allow( DEPOSIT_ACTIONS_NEEDS(id).get( permission.get("action", ""), ""), role=role )) except: return access.get(permission["action"], {}).get( 'roles', []).append(role.id) elif (permission.get("op", "") == "remove"): try: au = ActionRoles.query.filter( ActionRoles.action == permission.get("action", ""), ActionRoles.argument == str(id), ActionRoles.role_id == role.id).first() if au: session.delete(au) except: return access.get(permission["action"], {}).get( 'roles', []).remove(role.id) return access
def _add_deposit_permissions(cls, data, id_): """Inherit permissions after deposit.""" data['_access'] = { DEPOSIT_TO_RECORD_ACTION_MAP[action]: permission for action, permission in data['_access'].items() } for action, permission in data['_access'].items(): for role in permission['roles']: role = Role.query.filter_by(id=role).one() db.session.add( ActionRoles.allow( RECORD_ACTION_NEEDS(id_)[action], role=role ) ) for user in permission['users']: user = User.query.filter_by(id=user).one() db.session.add( ActionUsers.allow( RECORD_ACTION_NEEDS(id_)[action], user=user ) )
def receive_before_insert(mapper, connection, target): """Create community admin and member roles and add their permissions.""" from b2share.modules.deposit.permissions import ( create_deposit_need_factory, read_deposit_need_factory, update_deposit_metadata_need_factory, update_deposit_publication_state_need_factory, ) from b2share.modules.deposit.api import PublicationStates from b2share.modules.records.permissions import ( update_record_metadata_need_factory, ) from b2share.modules.users.permissions import ( assign_role_need_factory, search_accounts_need, ) admin_role = Role( name=_community_admin_role_name(target), description='Admin role of the community "{}"'.format(target.name) ) member_role = Role( name=_community_member_role_name(target), description='Member role of the community "{}"'.format(target.name) ) db.session.add(admin_role) db.session.add(member_role) member_needs = [ create_deposit_need_factory(str(target.id)), ] admin_needs = [ read_deposit_need_factory( community=str(target.id), publication_state=PublicationStates.submitted.name ), read_deposit_need_factory( community=str(target.id), publication_state=PublicationStates.published.name ), update_deposit_metadata_need_factory( community=str(target.id), publication_state=PublicationStates.submitted.name ), # permission to publish a submission update_deposit_publication_state_need_factory( community=str(target.id), old_state=PublicationStates.submitted.name, new_state=PublicationStates.published.name ), # permission to ask the owners to fix a submission before resubmitting update_deposit_publication_state_need_factory( community=str(target.id), old_state=PublicationStates.submitted.name, new_state=PublicationStates.draft.name ), # permission to update the metadata of a published record update_record_metadata_need_factory( community=str(target.id), ), # allow to assign any role owned by this community assign_role_need_factory(community=target.id), # allow to list users' accounts search_accounts_need, ] for need in member_needs: db.session.add(ActionRoles.allow(need, role=member_role)) for need in chain (member_needs, admin_needs): db.session.add(ActionRoles.allow(need, role=admin_role)) oaiset = OAISet(spec=str(target.id), name=target.name, description=target.description) db.session.add(oaiset)
def create_roles_and_permissions(community, fix=False): """Create community admin and member roles and add their permissions. :param community: the community for which we add the roles and permissions. :param fix: Enable the fixing of the database. This function doesn't fail if some roles or permissions already exist. It will just add the missing ones. """ from b2share.modules.deposit.permissions import ( create_deposit_need_factory, read_deposit_need_factory, update_deposit_metadata_need_factory, update_deposit_publication_state_need_factory, ) from b2share.modules.deposit.api import PublicationStates from b2share.modules.records.permissions import ( update_record_metadata_need_factory, ) from b2share.modules.users.permissions import ( assign_role_need_factory, search_accounts_need, ) admin_role = Role( name=_community_admin_role_name(community), description='Admin role of the community "{}"'.format(community.name) ) member_role = Role( name=_community_member_role_name(community), description='Member role of the community "{}"'.format(community.name) ) # use a nested session so that the ids are generated by the DB. with db.session.begin_nested(): admin_role = add_to_db(admin_role, skip_if_exists=fix) member_role = add_to_db(member_role, skip_if_exists=fix) member_needs = [ create_deposit_need_factory(str(community.id)), ] admin_needs = [ read_deposit_need_factory( community=str(community.id), publication_state=PublicationStates.submitted.name ), read_deposit_need_factory( community=str(community.id), publication_state=PublicationStates.published.name ), update_deposit_metadata_need_factory( community=str(community.id), publication_state=PublicationStates.submitted.name ), # permission to publish a submission update_deposit_publication_state_need_factory( community=str(community.id), old_state=PublicationStates.submitted.name, new_state=PublicationStates.published.name ), # permission to ask the owners to fix a submission before resubmitting update_deposit_publication_state_need_factory( community=str(community.id), old_state=PublicationStates.submitted.name, new_state=PublicationStates.draft.name ), # permission to update the metadata of a published record update_record_metadata_need_factory( community=str(community.id), ), # allow to assign any role owned by this community assign_role_need_factory(community=community.id), # allow to list users' accounts search_accounts_need, ] for need in member_needs: add_to_db(ActionRoles.allow(need, role=member_role), skip_if_exists=fix, role_id=member_role.id) for need in chain (member_needs, admin_needs): add_to_db(ActionRoles.allow(need, role=admin_role), skip_if_exists=fix, role_id=admin_role.id)
def update_record_permissions(pid_value=None): resolver = Resolver( pid_type='recid', object_type='rec', getter=Record.get_record) pid, record = resolver.resolve(pid_value) emails = [] roles = [] userrole_list = request.get_json().keys() if not (current_app.config.get('EMAIL_REGEX', None)): resp = jsonify(**{message: "ERROR in email regex ;)"}) resp.status_code = 400 return resp email_regex = re.compile(current_app.config.get('EMAIL_REGEX'), ) for userrole in userrole_list: if email_regex.match(userrole): emails.append(userrole) else: #: [TOBEFIXED] Needs to check if E-Group exists try: role = Role.query.filter(Role.name == userrole).first() if not role: tmp_role = _datastore.create_role(name=userrole) roles.append(userrole) except: print("Something happened when trying to create '"+userrole+"' role") # Role.add(tmp_role) users = User.query.filter(User.email.in_(emails)).all() roles = Role.query.filter(Role.name.in_(roles)).all() action_edit_record = RecordUpdateActionNeed(str(record.id)) action_read_record = RecordReadActionNeed(str(record.id)) action_index_record = RecordIndexActionNeed(str(record.id)) with db.session.begin_nested(): for user in users: for action in request.get_json().get(user.email, None): if (action.get("action", None) == "records-read" and action.get("op", None) == "add"): db.session.add(ActionUsers.allow(action_read_record, user=user)) elif (action.get("action", None) == "records-index" and action.get("op", None) == "add"): db.session.add(ActionUsers.allow(action_index_record, user=user)) elif (action.get("action", None) == "records-update" and action.get("op", None) == "add"): db.session.add(ActionUsers.allow(action_edit_record, user=user)) elif (action.get("action", None) == "records-read" and action.get("op", None) == "remove"): au = ActionUsers.query.filter(ActionUsers.action == "records-read", ActionUsers.argument == str(record.id), ActionUsers.user_id == user.id).first() if (au): db.session.delete(au) elif (action.get("action", None) == "records-index" and action.get("op", None) == "remove"): au = ActionUsers.query.filter(ActionUsers.action == "records-index", ActionUsers.argument == str(record.id), ActionUsers.user_id == user.id).first() if (au): db.session.delete(au) elif (action.get("action", None) == "records-update" and action.get("op", None) == "remove"): au = ActionUsers.query.filter(ActionUsers.action == "records-update", ActionUsers.argument == str(record.id), ActionUsers.user_id == user.id).first() if (au): db.session.delete(au) # db.session.begin(nested=True) for role in roles: for action in request.get_json().get(role.name, None): if (action.get("action", None) == "records-read" and action.get("op", None) == "add"): db.session.add(ActionRoles.allow(action_read_record, role=role)) elif (action.get("action", None) == "records-index" and action.get("op", None) == "add"): db.session.add(ActionRoles.allow(action_index_record, role=role)) elif (action.get("action", None) == "records-update" and action.get("op", None) == "add"): db.session.add(ActionRoles.allow(action_edit_record, role=role)) elif (action.get("action", None) == "records-read" and action.get("op", None) == "remove"): au = ActionRoles.query.filter(ActionRoles.action == "records-read", ActionRoles.argument == str(record.id), ActionRoles.role_id == role.id).first() if (au): db.session.delete(au) elif (action.get("action", None) == "records-index" and action.get("op", None) == "remove"): au = ActionRoles.query.filter(ActionRoles.action == "records-index", ActionRoles.argument == str(record.id), ActionRoles.role_id == role.id).first() if (au): db.session.delete(au) elif (action.get("action", None) == "records-update" and action.get("op", None) == "remove"): au = ActionRoles.query.filter(ActionRoles.action == "records-update", ActionRoles.argument == str(record.id), ActionRoles.role_id == role.id).first() if (au): db.session.delete(au) db.session.commit() resp = jsonify() resp.status_code = 200 return resp
def update_record_permissions(pid_value=None): resolver = Resolver(pid_type='recid', object_type='rec', getter=Record.get_record) pid, record = resolver.resolve(pid_value) emails = [] roles = [] userrole_list = request.get_json().keys() if not (current_app.config.get('EMAIL_REGEX', None)): resp = jsonify(**{message: "ERROR in email regex ;)"}) resp.status_code = 400 return resp email_regex = re.compile(current_app.config.get('EMAIL_REGEX'), ) for userrole in userrole_list: if email_regex.match(userrole): emails.append(userrole) else: #: [TOBEFIXED] Needs to check if E-Group exists try: role = Role.query.filter(Role.name == userrole).first() if not role: tmp_role = _datastore.create_role(name=userrole) roles.append(userrole) except: print("Something happened when trying to create '" + userrole + "' role") # Role.add(tmp_role) users = User.query.filter(User.email.in_(emails)).all() roles = Role.query.filter(Role.name.in_(roles)).all() action_edit_record = RecordUpdateActionNeed(str(record.id)) action_read_record = RecordReadActionNeed(str(record.id)) action_index_record = RecordIndexActionNeed(str(record.id)) with db.session.begin_nested(): for user in users: for action in request.get_json().get(user.email, None): if (action.get("action", None) == "records-read" and action.get("op", None) == "add"): db.session.add( ActionUsers.allow(action_read_record, user=user)) elif (action.get("action", None) == "records-index" and action.get("op", None) == "add"): db.session.add( ActionUsers.allow(action_index_record, user=user)) elif (action.get("action", None) == "records-update" and action.get("op", None) == "add"): db.session.add( ActionUsers.allow(action_edit_record, user=user)) elif (action.get("action", None) == "records-read" and action.get("op", None) == "remove"): au = ActionUsers.query.filter( ActionUsers.action == "records-read", ActionUsers.argument == str(record.id), ActionUsers.user_id == user.id).first() if (au): db.session.delete(au) elif (action.get("action", None) == "records-index" and action.get("op", None) == "remove"): au = ActionUsers.query.filter( ActionUsers.action == "records-index", ActionUsers.argument == str(record.id), ActionUsers.user_id == user.id).first() if (au): db.session.delete(au) elif (action.get("action", None) == "records-update" and action.get("op", None) == "remove"): au = ActionUsers.query.filter( ActionUsers.action == "records-update", ActionUsers.argument == str(record.id), ActionUsers.user_id == user.id).first() if (au): db.session.delete(au) # db.session.begin(nested=True) for role in roles: for action in request.get_json().get(role.name, None): if (action.get("action", None) == "records-read" and action.get("op", None) == "add"): db.session.add( ActionRoles.allow(action_read_record, role=role)) elif (action.get("action", None) == "records-index" and action.get("op", None) == "add"): db.session.add( ActionRoles.allow(action_index_record, role=role)) elif (action.get("action", None) == "records-update" and action.get("op", None) == "add"): db.session.add( ActionRoles.allow(action_edit_record, role=role)) elif (action.get("action", None) == "records-read" and action.get("op", None) == "remove"): au = ActionRoles.query.filter( ActionRoles.action == "records-read", ActionRoles.argument == str(record.id), ActionRoles.role_id == role.id).first() if (au): db.session.delete(au) elif (action.get("action", None) == "records-index" and action.get("op", None) == "remove"): au = ActionRoles.query.filter( ActionRoles.action == "records-index", ActionRoles.argument == str(record.id), ActionRoles.role_id == role.id).first() if (au): db.session.delete(au) elif (action.get("action", None) == "records-update" and action.get("op", None) == "remove"): au = ActionRoles.query.filter( ActionRoles.action == "records-update", ActionRoles.argument == str(record.id), ActionRoles.role_id == role.id).first() if (au): db.session.delete(au) db.session.commit() resp = jsonify() resp.status_code = 200 return resp
def receive_before_insert(mapper, connection, target): """Create community admin and member roles and add their permissions.""" from b2share.modules.deposit.permissions import ( create_deposit_need_factory, read_deposit_need_factory, update_deposit_metadata_need_factory, update_deposit_publication_state_need_factory, ) from b2share.modules.deposit.api import PublicationStates from b2share.modules.records.permissions import ( update_record_metadata_need_factory, ) from b2share.modules.users.permissions import ( assign_role_need_factory, search_accounts_need, ) admin_role = Role(name=_community_admin_role_name(target), description='Admin role of the community "{}"'.format( target.name)) member_role = Role(name=_community_member_role_name(target), description='Member role of the community "{}"'.format( target.name)) db.session.add(admin_role) db.session.add(member_role) member_needs = [ create_deposit_need_factory(str(target.id)), ] admin_needs = [ read_deposit_need_factory( community=str(target.id), publication_state=PublicationStates.submitted.name), read_deposit_need_factory( community=str(target.id), publication_state=PublicationStates.published.name), update_deposit_metadata_need_factory( community=str(target.id), publication_state=PublicationStates.submitted.name), # permission to publish a submission update_deposit_publication_state_need_factory( community=str(target.id), old_state=PublicationStates.submitted.name, new_state=PublicationStates.published.name), # permission to ask the owners to fix a submission before resubmitting update_deposit_publication_state_need_factory( community=str(target.id), old_state=PublicationStates.submitted.name, new_state=PublicationStates.draft.name), # permission to update the metadata of a published record update_record_metadata_need_factory(community=str(target.id), ), # allow to assign any role owned by this community assign_role_need_factory(community=target.id), # allow to list users' accounts search_accounts_need, ] for need in member_needs: db.session.add(ActionRoles.allow(need, role=member_role)) for need in chain(member_needs, admin_needs): db.session.add(ActionRoles.allow(need, role=admin_role)) oaiset = OAISet(spec=str(target.id), name=target.name, description=target.description) db.session.add(oaiset)