def test_cli_action_allow(app, script_info, community, authenticated_user, db): runner = CliRunner() app.config['SQLALCHEMY_DATABASE_URI'] = os.getenv( 'SQLALCHEMY_DATABASE_URI', 'sqlite://') role = community[1].roles[0] current_datastore.add_role_to_user(authenticated_user, role) read_need = action_factory(COMMUNITY_READ, parameter=True) login_user(authenticated_user) assert not Permission(read_need(community[0])).allows(g.identity)
# -*- coding: utf-8 -*-
#
# Copyright (C) 2021 GEO Secretariat.
#
# geo-knowledge-hub-ext is free software; you can redistribute it and/or
# modify it under the terms of the MIT License; see LICENSE file for more
# details.

"""GEO Knowledge Hub permission and action definitions.

Each section declares one action need with ``action_factory`` and wraps it
in a ``Permission`` object for the views to evaluate.
"""

from invenio_access import Permission, action_factory

# NOTE(review): this module only declares the actions. Who holds them is
# decided by grants that are not visible here; confirm each action is
# assigned to the intended users/roles only.

#
# Geo Knowledge Community
#
community_action = action_factory("geo-community-access")
community_permission = Permission(community_action)

#
# Geo Knowledge Provider
#
kprovider_action = action_factory("geo-knowledge-provider-access")
kprovider_permission = Permission(kprovider_action)

#
# Geo Secretariat
#
secretariat_action = action_factory("geo-secretariat-access")
secretariat_permission = Permission(secretariat_action)
# Copyright (C) 2019 CERN. # # invenio-app-ils is free software; you can redistribute it and/or modify it # under the terms of the MIT License; see LICENSE file for more details. """CDS-ILS retrieve patron loans permissions.""" from invenio_access import action_factory from invenio_access.permissions import Permission from invenio_app_ils.permissions import backoffice_access_action, \ backoffice_permission from invenio_app_ils.permissions import \ views_permissions_factory as ils_views_permissions_factory retrieve_patron_loans_access_action = action_factory( "retrieve-patron-loans-access" ) document_importer_access_action = action_factory( "document-importer-access" ) def retrieve_patron_loans_permission(*args, **kwargs): """Return permission to retrieve patron loans.""" return Permission( retrieve_patron_loans_access_action, backoffice_access_action ) def document_importer_permission(*args, **kwargs):
# -*- coding: utf-8 -*-
#
# This file is part of WEKO3.
# Copyright (C) 2017 National Institute of Informatics.
#
# WEKO3 is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# WEKO3 is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.

"""Permissions for schemas."""

from invenio_access import Permission, action_factory

# Action need for schema access; declared here, granted elsewhere.
action_schema_access = action_factory('schema-access')

# Permission object requiring the action above.
# NOTE(review): which users/roles hold 'schema-access' is not visible in
# this file; verify the grants where they are defined.
schema_permission = Permission(action_schema_access)
"""Ils permissions.""" from __future__ import absolute_import, print_function from functools import wraps from flask import abort, current_app from flask_login import current_user from flask_principal import UserNeed from invenio_access import action_factory from invenio_access.permissions import Permission, authenticated_user from invenio_records_rest.utils import allow_all, deny_all from invenio_app_ils.proxies import current_app_ils backoffice_access_action = action_factory("ils-backoffice-access") def need_permissions(action): """View decorator to check permissions for the given action or abort. :param action: The action needed. """ def decorator_builder(f): @wraps(f) def decorate(*args, **kwargs): check_permission( current_app.config["ILS_VIEWS_PERMISSIONS_FACTORY"](action) ) return f(*args, **kwargs)
from flask_principal import UserNeed
from invenio_access import Permission, action_factory, authenticated_user

# Action need for creating records; this snippet only declares it.
create_records = action_factory("create-records")


def owner_permission_factory(record=None):
    """Build a permission that is satisfied by the owner of ``record``.

    :param record: Mapping with an ``"owner"`` key; its value is handed to
        ``UserNeed``.
    :returns: ``Permission`` requiring ``UserNeed(record["owner"])``.
    """
    # NOTE(review): the default ``record=None`` cannot be subscripted, so a
    # call without a record raises TypeError here instead of returning a
    # permission. The owner value is taken from the record as-is.
    owner_need = UserNeed(record["owner"])
    return Permission(owner_need)


def authenticated_user_permission(record=None):
    """Build a permission that requires an authenticated user.

    :param record: Accepted for factory-signature compatibility; not read.
    :returns: ``Permission`` requiring the ``authenticated_user`` need.
    """
    login_required = Permission(authenticated_user)
    return login_required
#
# WEKO3 is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# WEKO3 is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.

"""Permissions for items."""

from invenio_access import Permission, action_factory
from weko_records_ui.permissions import page_permission_factory

# Action need for item access and the permission requiring it.
action_item_access = action_factory('item-access')
item_permission = Permission(action_item_access)


def edit_permission_factory(record, **kwargs):
    """Return a checker object whose ``can()`` decides edit access.

    :param record: Record passed on to ``page_permission_factory``.
    :param kwargs: Accepted but not read.
    :returns: Instance of a dynamically built ``EditPermissionChecker``
        class exposing a single ``can()`` method.
    """
    def can(self):
        # The decision is delegated entirely to the detail-page factory.
        # NOTE(review): how ``flg='Edit'`` changes that decision is defined
        # in weko_records_ui, not here; confirm it is honoured there.
        page_checker = page_permission_factory(record, flg='Edit')
        return page_checker.can()

    checker_cls = type('EditPermissionChecker', (), {'can': can})
    return checker_cls()
# Copyright (C) 2019 CERN.
#
# invenio-app-ils is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.

"""CDS Books retrieve patron loans permissions."""

from __future__ import absolute_import, print_function

from invenio_access import action_factory
from invenio_access.permissions import Permission
from invenio_app_ils.permissions import (
    backoffice_access_action,
    views_permissions_factory as ils_views_permissions_factory,
)

# Dedicated action need for reading a patron's loans.
retrieve_patron_loans_access_action = action_factory(
    "retrieve-patron-loans-access"
)


def retrieve_patron_loans_permission(*args, **kwargs):
    """Return the permission to retrieve patron loans.

    Positional and keyword arguments are accepted but not read.

    NOTE(review): the permission is built from two needs. With
    flask-principal semantics an identity providing either one is allowed,
    so holders of the backoffice action can also retrieve patron loans;
    confirm that is intended.
    """
    accepted_needs = (
        retrieve_patron_loans_access_action,
        backoffice_access_action,
    )
    return Permission(*accepted_needs)


def views_permissions_factory(action):
    """Override the ILS views permissions factory.

    :param action: Name of the view action being checked.
    :returns: The patron-loans permission for ``"retrieve-patron-loans"``;
        for every other action, whatever the stock ILS factory returns.
    """
    if action != "retrieve-patron-loans":
        return ils_views_permissions_factory(action)
    return retrieve_patron_loans_permission()
# Copyright (c) 2021. Universidad de Pinar del Rio
# This file is part of SCEIBA (sceiba.cu).
# SCEIBA is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.
#

from invenio_access import Permission, action_factory

# creating the actions
create_source_curator = action_factory('curator-source-add')
create_vocabulary_curator = action_factory('curator-vocabulary-add')

# creating the permissions; a permission may be built from several actions,
# for now only the one above
# NOTE(review): in flask-principal a permission built from several needs is
# satisfied by an identity that provides any one of them, not all of them;
# confirm before adding more actions to one permission.
source_create_permission = Permission(create_source_curator)
vocabulary_create_permission = Permission(create_vocabulary_curator)

# granting access to a user (it can also be done per role)
# 1- if it is per user, the user has to be fetched first; the same for a role
# eduardo = db.session.query(User).filter_by(email="*****@*****.**").first()
# 2- add it to the access database
# db.session.add(ActionUsers.allow(vocabulary_create_permission, user=eduardo))
# db.session.commit()
# NOTE(review): the example above hands the Permission object to
# ActionUsers.allow; presumably the action (create_vocabulary_curator) is
# what should be granted. Confirm before copying it.
#
# to verify, if it is not something Flask-Security checks by itself, it would be:
# eduardo_identity = get_identity(eduardo)
# permission.allows(eduardo_identity)
# It can also be eduardo_identity.can(permission)
# a source administrator (manager) user can change the source_status field
# 2- source_editor_actions: assigned to a user for a SourceRecord.id:
#    means the user can create versions of that SourceRecord
# 3- source_term_manager_actions: assigned to a user for a Term.id:
#    means that all SourceRecords whose classifications.id field holds that Term.id
#    are managed by the user.
# 4- source_organization_manager_actions: assigned to a user for an Organization.id:
#    means that all SourceRecords whose organizations.id field holds that
#    Organization.id
#    are managed by the user.

# creating the actions
# The only action here without a parameter: it is not tied to one object id.
source_full_manager_actions = action_factory('source_full_manager_actions')

# The remaining actions are parameterized: the factory result is called with
# an object id to obtain the need for that object.
# NOTE(review): each is also instantiated with None below; presumably that
# is the "any object" form. Confirm how invenio-access treats a None
# argument before granting these instances.
ObjectSourceEditor = action_factory('source_editor_actions', parameter=True)
source_editor_actions = ObjectSourceEditor(None)

ObjectSourceManager = action_factory('source_manager_actions', parameter=True)
source_manager_actions = ObjectSourceManager(None)

# TODO: Remove this permission, it makes no sense
ObjectSourceTermManager = action_factory(
    'source_term_manager_actions', parameter=True)
source_term_manager_actions = ObjectSourceTermManager(None)

ObjectSourceOrganizationManager = action_factory(
    'source_organization_manager_actions', parameter=True)
source_organization_manager_actions = ObjectSourceOrganizationManager(None)
# -*- coding: utf-8 -*-
#
# This file is part of WEKO3.
# Copyright (C) 2017 National Institute of Informatics.
#
# WEKO3 is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# WEKO3 is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.

"""Permissions for index tree."""

from invenio_access import Permission, action_factory

# Action need for index tree access; declared here, granted elsewhere.
action_index_tree_access = action_factory('index-tree-access')

# Permission object requiring the action above.
# NOTE(review): which users/roles hold 'index-tree-access' is not visible in
# this file; verify the grants where they are defined.
index_tree_permission = Permission(action_index_tree_access)
# # invenio-circulation is free software; you can redistribute it and/or modify # it under the terms of the MIT License; see LICENSE file for more details. """Circulation permissions.""" from __future__ import absolute_import, print_function from functools import wraps from flask import abort, current_app from flask_login import current_user from invenio_access import action_factory from invenio_access.permissions import Permission from invenio_records_rest.utils import allow_all loan_access = action_factory('loan-read-access') def check_permission(permission): """Abort if permission is not allowed. :param permission: The permission to check. """ # NOTE: we have to explicitly check for not None, since flask-principal # overrides the default __bool__ implementation for permission. if permission is not None and not permission.can(): if not current_user.is_authenticated: abort(401) abort(403)
# along with WEKO3; if not, write to the # Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, # MA 02111-1307, USA. """Permissions for Detail Page.""" from datetime import datetime as dt from flask import abort, current_app from flask_security import current_user from invenio_access import Permission, action_factory from weko_groups.api import Group, Membership, MembershipState from weko_records.api import ItemTypes from .ipaddr import check_site_license_permission action_detail_page_access = action_factory('detail-page-access') detail_page_permission = Permission(action_detail_page_access) def page_permission_factory(record, *args, **kwargs): def can(self): is_ok = True # item publish status check is_pub = check_publish_status(record) # role permission is_can = detail_page_permission.can() # person himself check is_himself = check_created_id(record) if not is_pub: if not is_can or (is_can and not is_himself): is_ok = False
# -*- coding: utf-8 -*-
#
# Copyright (C) 2018 CERN.
#
# invenio-app-ils is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.

"""Ils permissions."""

from __future__ import absolute_import, print_function

from invenio_access import action_factory
from invenio_access.permissions import DynamicPermission

# Action need that marks librarian access.
action_librarian_access = action_factory('ils-librarian-access')


def librarian_permission_factory():
    """Return a new permission requiring the librarian access action.

    NOTE(review): as far as invenio-access documents it,
    ``DynamicPermission`` is deprecated and allows an action by default
    while nobody has been granted it. Confirm against the installed
    version; if that holds, this check stays open until the first grant
    exists, and ``Permission`` would be the deny-by-default choice.
    """
    librarian_permission = DynamicPermission(action_librarian_access)
    return librarian_permission


def has_librarian_permission(loan):
    """Return the librarian permission object for a loan.

    :param loan: Not read; the same permission is built for every loan.
    :returns: The permission object itself rather than a boolean, so the
        caller still has to evaluate it (for example with ``.can()``).
    """
    permission_for_loan = librarian_permission_factory()
    return permission_for_loan
# -*- coding: utf-8 -*-
#
# This file is part of WEKO3.
# Copyright (C) 2017 National Institute of Informatics.
#
# WEKO3 is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# WEKO3 is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.

"""Permissions for item types."""

from invenio_access import Permission, action_factory

# Action need for item type access; declared here, granted elsewhere.
action_item_type_access = action_factory('item-type-access')

# Permission object requiring the action above.
# NOTE(review): which users/roles hold 'item-type-access' is not visible in
# this file; verify the grants where they are defined.
item_type_permission = Permission(action_item_type_access)
#
# Invenio is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.

"""Permissions for files using Invenio-Access."""

import os
from functools import partial

from invenio_access import Permission, action_factory

from .models import Bucket, MultipartObject, ObjectVersion

#
# Action needs
#
# Every action below is created with ``parameter=True``, i.e. it is a
# factory that is called with an argument to obtain the need for one
# object. What is passed as that argument is decided by the callers, which
# are not part of this excerpt.

LocationUpdate = action_factory(
    'files-rest-location-update', parameter=True)
"""Action needed: location update."""

BucketRead = action_factory(
    'files-rest-bucket-read', parameter=True)
"""Action needed: list objects in bucket."""

BucketReadVersions = action_factory(
    'files-rest-bucket-read-versions', parameter=True)
"""Action needed: list object versions in bucket."""

BucketUpdate = action_factory(
    'files-rest-bucket-update', parameter=True)
"""Action needed: create objects and multipart uploads in bucket."""

BucketListMultiparts = action_factory(
    'files-rest-bucket-listmultiparts', parameter=True)
"""Action needed: list multipart uploads in bucket."""
# -*- coding: utf-8 -*-
#
# This file is part of WEKO3.
# Copyright (C) 2017 National Institute of Informatics.
#
# WEKO3 is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# WEKO3 is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.

"""Permissions for item auto-fill."""

from invenio_access import Permission, action_factory

# Action need for the items auto-fill feature; declared here, granted
# elsewhere.
action_auto_fill = action_factory('items-autofill')

# Permission object requiring the action above.
# NOTE(review): which users/roles hold 'items-autofill' is not visible in
# this file; verify the grants where they are defined.
auto_fill_permission = Permission(action_auto_fill)
# -*- coding: utf-8 -*-
#
# This file is part of WEKO3.
# Copyright (C) 2017 National Institute of Informatics.
#
# WEKO3 is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# WEKO3 is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.

"""Permissions for index tree journal."""

from invenio_access import Permission, action_factory

# Action need for index tree journal access; declared here, granted
# elsewhere.
action_indextree_journal_access = action_factory('indextree-journal-access')

# Permission object requiring the action above.
# NOTE(review): which users/roles hold 'indextree-journal-access' is not
# visible in this file; verify the grants where they are defined.
indextree_journal_permission = Permission(action_indextree_journal_access)
# -*- coding: utf-8 -*-
#
# This file is part of WEKO3.
# Copyright (C) 2017 National Institute of Informatics.
#
# WEKO3 is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# WEKO3 is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.

"""Permissions for invenio-stats."""

from invenio_access import Permission, action_factory

# Action need for the statistics API; declared here, granted elsewhere.
stats_api_access = action_factory('stats-api-access')

# Permission object requiring the action above.
# NOTE(review): which users/roles hold 'stats-api-access' is not visible in
# this file; verify the grants where they are defined.
stats_api_permission = Permission(stats_api_access)
# along with WEKO3; if not, write to the # Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, # MA 02111-1307, USA. """Permissions for Detail Page.""" from datetime import datetime as dt from flask import abort, current_app from flask_security import current_user from invenio_access import Permission, action_factory from weko_groups.api import Group, Membership, MembershipState from weko_records.api import ItemTypes from .ipaddr import check_site_license_permission action_detail_page_access = action_factory('detail-page-access') detail_page_permission = Permission(action_detail_page_access) action_download_original_pdf_access = action_factory( 'download-original-pdf-access') download_original_pdf_permission = Permission( action_download_original_pdf_access) def page_permission_factory(record, *args, **kwargs): """Page permission factory.""" def can(self): is_ok = True # item publish status check is_pub = check_publish_status(record) # role permission
# -*- coding: utf-8 -*- # # Copyright (C) 2019 CESNET. # # Invenio Records Presentation is free software; you can redistribute it and/or modify it # under the terms of the MIT License; see LICENSE file for more details. """ Permissions for Invenio Records Presentation.""" from functools import wraps from flask_login import current_user from invenio_access import Permission, action_factory from invenio_workflows import WorkflowEngine from invenio_records_presentation.errors import WorkflowsPermissionError, WorkflowsNotAuthenticated PresentationWorkflowStart = action_factory('presentation-workflow-start', parameter=True) """Action: Presentation Workflow start.""" presentation_workflow_start_all = PresentationWorkflowStart(None) def needs_permission(): """ Get permission for Workflow execution or abort. """ def decorator_builder(f): @wraps(f) def decorate(*args, **kwargs): permissions = kwargs.get('permissions', []) if permissions: check_permission(Permission(*permissions)) return f(*args, **kwargs)
# -*- coding: utf-8 -*-
"""Taxonomy permissions."""

#
# Action needs
#
from invenio_access import Permission, action_factory

from flask_taxonomies.models import Taxonomy, TaxonomyTerm

# Every action below is parameterized: the factory result is called with an
# argument to obtain the need for one object. What is passed as that
# argument is decided by callers outside this excerpt.

TaxonomyCreate = action_factory('taxonomy-create', parameter=True)
"""Action needed: Taxonomy create."""

TaxonomyUpdate = action_factory('taxonomy-update', parameter=True)
"""Action needed: Taxonomy update."""

TaxonomyRead = action_factory('taxonomy-read', parameter=True)
"""Action needed: Taxonomy Read."""

TaxonomyDelete = action_factory('taxonomy-delete', parameter=True)
"""Action needed: Taxonomy delete."""

TaxonomyTermCreate = action_factory('taxonomy-term-create', parameter=True)
"""Action needed: Taxonomy Term Create."""

TaxonomyTermUpdate = action_factory('taxonomy-term-update', parameter=True)
"""Action needed: Taxonomy Term update."""

TaxonomyTermRead = action_factory('taxonomy-term-read', parameter=True)
"""Action needed: Taxonomy Term Read."""

TaxonomyTermDelete = action_factory('taxonomy-term-delete', parameter=True)
from flask_principal import ActionNeed
from invenio_access import action_factory
from invenio_access.permissions import Permission


def exp_permission_factory(experiment):
    """Experiment permission factory.

    :param experiment: Experiment name; it is lower-cased to form the
        action name, e.g. ``'CMS'`` gives ``'cms-access'``.
    :returns: ``Permission`` requiring that experiment's access need.
    """
    return Permission(exp_need_factory(experiment))


def exp_need_factory(experiment):
    """Experiment need factory.

    :param experiment: Experiment name, lower-cased before use.
    :returns: ``ActionNeed`` named ``'<experiment>-access'``.
    """
    action_name = '{}-access'.format(experiment.lower())
    return ActionNeed(action_name)


# Per-experiment access needs.
cms_access_action = exp_need_factory('CMS')
lhcb_access_action = exp_need_factory('LHCb')
alice_access_action = exp_need_factory('ALICE')
atlas_access_action = exp_need_factory('ATLAS')

# Parameterized action for CMS PAG conveners and its None-argument instance.
# NOTE(review): the ``_all`` name suggests the None argument stands for
# "every object"; confirm how invenio-access treats it before granting it.
cms_pag_convener_action = action_factory(
    'cap-cms-pag-conveners', parameter=True)
cms_pag_convener_action_all = cms_pag_convener_action(None)

# Per-experiment permissions, each requiring the matching access need.
cms_permission = exp_permission_factory('CMS')
lhcb_permission = exp_permission_factory('LHCb')
alice_permission = exp_permission_factory('ALICE')
atlas_permission = exp_permission_factory('ATLAS')
# -*- coding: utf-8 -*-
#
# This file is part of WEKO3.
# Copyright (C) 2017 National Institute of Informatics.
#
# WEKO3 is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# WEKO3 is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with WEKO3; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.

"""Permissions for Search."""

from invenio_access import Permission, action_factory

# Action need for search access; declared here, granted elsewhere.
action_search_access = action_factory('search-access')

# Permission object requiring the action above.
# NOTE(review): which users/roles hold 'search-access' is not visible in
# this file; verify the grants where they are defined.
search_permission = Permission(action_search_access)
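# Copyright (c) 2021. Universidad de Pinar del Rio
# This file is part of SCEIBA (sceiba.cu).
# SCEIBA is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.
#

import logging

from flask_login import current_user
from invenio_access import Permission, action_factory
from invenio_access.utils import get_identity

_logger = logging.getLogger(__name__)

# creating the actions
notification_admin_actions = action_factory('notification_admin_actions')

ObjectNotificationViewed = action_factory(
    'notification_viewed_actions', parameter=True)
notification_viewed_actions = ObjectNotificationViewed(None)


def notification_viewed_permission_factory(obj):
    """Return the permission guarding the "viewed" action on a notification.

    When the current user's identity is allowed the notification-admin
    action, that admin permission is returned. In every other case,
    including an error while evaluating the admin check, the object-level
    permission for ``obj['id']`` is returned.

    :param obj: Mapping with an ``'id'`` key identifying the notification.
    :returns: ``Permission`` for the admin action or for this notification.
    """
    try:
        admin_permission = Permission(notification_admin_actions)
        current_identity = get_identity(current_user)
        if admin_permission.allows(current_identity):
            return admin_permission
    except Exception:
        # Best effort: a failing admin check must not grant anything, so
        # fall through to the narrower per-object permission. The failure
        # is logged instead of being discarded, so a broken authorization
        # lookup stays visible to operators.
        _logger.warning(
            "Admin permission check failed; falling back to the "
            "object-level notification permission.",
            exc_info=True,
        )

    return Permission(ObjectNotificationViewed(obj['id']))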
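# Copyright (c) 2021. Universidad de Pinar del Rio
# This file is part of SCEIBA (sceiba.cu).
# SCEIBA is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.
#

import logging

from flask_login import current_user
from invenio_access import Permission, action_factory
from invenio_access.models import ActionUsers
from invenio_access.utils import get_identity

_logger = logging.getLogger(__name__)

# creating the actions
vocabularies_full_editor_actions = action_factory(
    'vocabularies_full_editor_actions')

ObjectVocabularyEditor = action_factory(
    'vocabulary_editor_actions', parameter=True)
vocabulary_editor_actions = ObjectVocabularyEditor(None)


def vocabulary_editor_permission_factory(obj):
    """Return the permission guarding edits to one vocabulary.

    When the current user's identity is allowed the full-editor action,
    that permission is returned. In every other case, including an error
    while evaluating the full-editor check, the object-level permission for
    ``obj['name']`` is returned.

    :param obj: Mapping with a ``'name'`` key identifying the vocabulary.
    :returns: ``Permission`` for the full-editor action or for this
        vocabulary.
    """
    try:
        full_editor_permission = Permission(vocabularies_full_editor_actions)
        current_identity = get_identity(current_user)
        if full_editor_permission.allows(current_identity):
            return full_editor_permission
    except Exception:
        # Best effort: a failing full-editor check must not grant anything,
        # so fall through to the narrower per-vocabulary permission. The
        # original stored the message in an unused local; it is logged here
        # so a broken authorization lookup stays visible to operators.
        _logger.warning(
            "Full-editor permission check failed; falling back to the "
            "object-level vocabulary permission.",
            exc_info=True,
        )

    return Permission(ObjectVocabularyEditor(obj['name']))


taxonomy_full_editor_permission = Permission(vocabularies_full_editor_actions)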