def test_require_all(record: ExampleRecord):
    """Exercise ``require_all`` with ``state_required`` guards.

    A conjunction containing a guard that does not match the fixture record
    must deny, a conjunction where every guard matches must grant, and an
    empty conjunction must deny rather than pass vacuously.
    """
    mismatching = require_all(
        state_required('closed'),
        state_required('editing'),
    )(record)
    assert not mismatching.can()

    matching = require_all(
        state_required('closed'),
        state_required('editing', 'closed'),
    )(record)
    assert matching.can()

    # Empty conjunction: no guard at all still means "deny".
    empty = require_all()(record)
    assert not empty.can()
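def read_permission_factory(record, *args, **kwargs):
    """Read permission factory that takes secondary communities into account.

    Allows access to record in one of the following cases:

    * Record is PUBLISHED
    * Current user is the OWNER of the record
    * User's role has allowed READ action in one of record's communities AND:
      1) User is in one of the roles of the community from the request path
         AND record is at least APPROVED.
      OR
      2) User is CURATOR in the community from the request path

    :param record: An instance of
        :class:`oarepo_communities.record.CommunityRecordMixin`.
        ``None`` is described as a "global action" by callers but is
        rejected by the ``isinstance`` check below.
    :raises RuntimeError: If the object is unknown or missing.
    :returns: A :class:`invenio_access.permissions.Permission` instance.
    """
    # The docstring must be a plain string literal: with an ``f"""`` prefix
    # Python treats it as an expression, not a docstring, and ``__doc__`` is None.
    if not isinstance(record, Record):
        raise RuntimeError('Unknown or missing object')

    communities = [record.primary_community, *record.secondary_communities]
    # One Permission built from several needs grants when the identity
    # provides any of them, i.e. READ in at least one of the record's communities.
    community_read = Permission(
        *[ParameterizedActionNeed(COMMUNITY_READ, x) for x in communities])
    return require_any(
        #: Anyone can read published records
        state_required(STATE_PUBLISHED),
        require_all(
            require_action_allowed(COMMUNITY_READ),
            require_any(
                #: Record AUTHOR can READ his own records
                owner_permission_impl,
                require_all(
                    #: User's role has granted READ permissions in record's communities
                    community_read,
                    require_any(
                        #: Community MEMBERS can READ APPROVED community records
                        require_all(
                            state_required(STATE_APPROVED),
                            require_any(
                                community_member_permission_impl,
                                community_publisher_permission_impl
                            )
                        ),
                        #: Community CURATORS can READ ALL community records
                        community_curator_permission_impl
                    )
                )
            )
        )
    )(record, *args, **kwargs)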
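def update_permission_factory(record, *args, **kwargs):
    """Records REST update permission factory.

    Permission is granted if:

    * Record is a DRAFT AND
        * Current user is the OWNER of the record and record is not
          submitted for APPROVAL yet.
        OR
        * Current user is in role that has UPDATE action allowed in
          record's PRIMARY community.

    :param record: The record being updated; forwarded to every sub-factory.
    :returns: A permission object exposing ``can()``.
    """
    # The docstring must be a plain string literal: with an ``f"""`` prefix
    # Python treats it as an expression, not a docstring, and ``__doc__`` is None.
    return require_all(
        # Outer gate: only draft states at all (unsaved, editing, pending).
        state_required(None, STATE_EDITING, STATE_PENDING_APPROVAL),
        require_any(
            # Owners may edit only before submission for approval.
            require_all(
                state_required(None, STATE_EDITING),
                owner_permission_impl
            ),
            # A community role with UPDATE may also act while PENDING_APPROVAL.
            action_permission_factory(COMMUNITY_UPDATE)(record, *args, **kwargs)
        )
    )(record, *args, **kwargs)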
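def unpublish_permission_factory(record, *args, **kwargs):
    """Unpublish action permissions factory.

    Permission is granted if:

    * Record is PUBLISHED.
    AND
    * Current user is in role that has UNPUBLISH action allowed in
      record's PRIMARY community.

    :param record: The record being unpublished; forwarded to every sub-factory.
    :returns: A permission object exposing ``can()``.
    """
    # The docstring must be a plain string literal: with an ``f"""`` prefix
    # Python treats it as an expression, not a docstring, and ``__doc__`` is None.
    return require_all(
        state_required(STATE_PUBLISHED),
        action_permission_factory(COMMUNITY_UNPUBLISH)(record, *args, **kwargs)
    )(record, *args, **kwargs)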
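def revert_approval_permission_factory(record, *args, **kwargs):
    """Revert approval action permissions factory.

    Permission is granted if:

    * Record is APPROVED.
    AND
    * Current user is in role that has REVERT APPROVE action allowed in
      record's PRIMARY community.

    :param record: The record whose approval is reverted; forwarded to every
        sub-factory.
    :returns: A permission object exposing ``can()``.
    """
    # The docstring must be a plain string literal: with an ``f"""`` prefix
    # Python treats it as an expression, not a docstring, and ``__doc__`` is None.
    return require_all(
        state_required(STATE_APPROVED),
        action_permission_factory(COMMUNITY_REVERT_APPROVE)(record, *args, **kwargs)
    )(record, *args, **kwargs)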
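def approve_permission_factory(record, *args, **kwargs):
    """Approve action permissions factory.

    Permission is granted if:

    * Record is submitted for approval (PENDING_APPROVAL).
    AND
    * Current user is in role that has APPROVE action allowed in
      record's PRIMARY community.

    :param record: The record being approved; forwarded to every sub-factory.
    :returns: A permission object exposing ``can()``.
    """
    # The docstring must be a plain string literal: with an ``f"""`` prefix
    # Python treats it as an expression, not a docstring, and ``__doc__`` is None.
    return require_all(
        state_required(STATE_PENDING_APPROVAL),
        action_permission_factory(COMMUNITY_APPROVE)(record, *args, **kwargs)
    )(record, *args, **kwargs)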
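def request_changes_permission_factory(record, *args, **kwargs):
    """Request changes action permissions factory.

    Permission is granted if:

    * Record is submitted for approval (PENDING_APPROVAL).
    AND
    * Current user is in role that has REQUEST CHANGES action allowed in
      record's PRIMARY community.

    :param record: The record changes are requested on; forwarded to every
        sub-factory.
    :returns: A permission object exposing ``can()``.
    """
    # The docstring must be a plain string literal: with an ``f"""`` prefix
    # Python treats it as an expression, not a docstring, and ``__doc__`` is None.
    return require_all(
        state_required(STATE_PENDING_APPROVAL),
        action_permission_factory(COMMUNITY_REQUEST_CHANGES)(record, *args, **kwargs)
    )(record, *args, **kwargs)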
def delete_permission_factory(record, *args, **kwargs):
    """Records REST delete permission factory.

    Permission is granted if:

    * Record is a DRAFT record AND
        * Current user is the owner of the record.
        OR
        * Current user is in role that has DELETE action allowed in
          record's PRIMARY community.

    :param record: The record being deleted; forwarded to every sub-factory.
    :returns: A permission object exposing ``can()``.
    """
    # Only unsaved or editing drafts may be deleted at all.
    draft_only = state_required(None, STATE_EDITING)
    # Either the owner, or a community role holding DELETE.
    owner_or_deleter = owner_or_role_action_permission_factory(
        COMMUNITY_DELETE, record, *args, **kwargs)
    return require_all(draft_only, owner_or_deleter)(record, *args, **kwargs)
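def request_approval_permission_factory(record, *args, **kwargs):
    """Request approval action permissions factory.

    Permission is granted if:

    * Record is an EDITED DRAFT record.
    AND
        * Current user is the owner of the record.
        OR
        * Current user is in role that has REQUEST APPROVAL action allowed in
          record's PRIMARY community.

    :param record: The record submitted for approval.
    :returns: A permission object exposing ``can()``.
    """
    # The docstring must be a plain string literal: with an ``f"""`` prefix
    # Python treats it as an expression, not a docstring, and ``__doc__`` is None.
    return require_all(
        state_required(None, STATE_EDITING),
        # NOTE(review): unlike delete_permission_factory, ``*args``/``**kwargs``
        # are not forwarded to the owner-or-role factory here — confirm intentional.
        owner_or_role_action_permission_factory(COMMUNITY_REQUEST_APPROVAL, record)
    )(record, *args, **kwargs)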
def inner(record, *args, **kwargs):
    """Build the permission for ``action`` on the record's primary community.

    ``action`` is a free variable of the enclosing factory, whose definition
    is outside this listing. ``*args``/``**kwargs`` are accepted but unused.

    :param record: A ``Record`` or a plain ``dict`` carrying the primary
        community field.
    :raises RuntimeError: If ``record`` is ``None`` or of an unsupported type.
    :returns: A ``require_all`` conjunction of the action being allowed and the
        identity providing the parameterized action need for that community.
    """
    if record is None:
        raise RuntimeError('Record is missing.')

    if isinstance(record, Record):
        community = record.primary_community
    elif isinstance(record, dict):
        community = current_oarepo_communities.get_primary_community_field(record)
    else:
        raise RuntimeError('Unknown or missing object')

    allowed = require_action_allowed(action)
    need = Permission(ParameterizedActionNeed(action, community))
    return require_all(allowed, need)
def test_owner_permissions(app, db, community, authenticated_user):
    """Test owner system role permissions.

    The request-approval permission is built as "community role OR (matching
    user id AND owner system role granted the action)". It must deny before
    the owner system role is granted the action and pass afterwards.
    """
    login_user(authenticated_user)
    provides = g.identity.provides
    assert len(provides) == 4
    assert community_record_owner in provides

    owner_action = f'owner-{COMMUNITY_REQUEST_APPROVAL}'
    target = community[0]
    # Approval is granted either by user role ...
    by_role = Permission(ParameterizedActionNeed(COMMUNITY_REQUEST_APPROVAL, target))
    # ... or user id must match and record owners must be granted the action.
    by_ownership = require_all(
        Permission(UserNeed(authenticated_user.id)),
        Permission(ParameterizedActionNeed(owner_action, target)),
    )
    permissions = require_any(by_role, by_ownership)
    assert not permissions().can()

    # Grant the owner system role the action for this community.
    db.session.add(ActionSystemRoles(
        action=owner_action,
        role_name=community_record_owner.value,
        argument=target,
    ))
    assert permissions().can()
from oarepo_tokens.permissions import put_file_token_permission_factory
from publications.permissions import ADMIN_ROLE_PERMISSIONS, INGESTER_ROLE_PERMISSIONS

# DRAFT dataset manipulation: the INGESTER role is accepted in addition to the
# generic object permissions (``create_object_permission_impl`` etc. are bound
# outside this listing).
create_draft_object_permission_impl = require_any(
    INGESTER_ROLE_PERMISSIONS, create_object_permission_impl)
update_draft_object_permission_impl = require_any(
    INGESTER_ROLE_PERMISSIONS, update_object_permission_impl)
read_draft_object_permission_impl = require_any(INGESTER_ROLE_PERMISSIONS, read_object_permission_impl)
delete_draft_object_permission_impl = delete_object_permission_impl
# Listing drafts is denied outright.
list_draft_object_permission_impl = deny_all

# DRAFT dataset file manipulation
# NOTE: ``update_object_permission_impl`` is captured here with its current
# value; it is rebound below for PUBLISHED datasets, and that rebinding does
# not change the permissions already constructed above.
put_draft_file_permission_impl = put_file_token_permission_factory(
    require_any(INGESTER_ROLE_PERMISSIONS, update_object_permission_impl))
# NOTE(review): the *get* permission is also wrapped with
# ``put_file_token_permission_factory`` — confirm a put token is meant to
# authorize reads as well.
get_draft_file_permission_impl = put_file_token_permission_factory(
    require_any(INGESTER_ROLE_PERMISSIONS, read_draft_object_permission_impl))
delete_draft_file_permission_impl = update_object_permission_impl

# DRAFT dataset publishing
publish_draft_object_permission_impl = publish_permission_impl
unpublish_draft_object_permission_impl = unpublish_permission_impl

# PUBLISHED dataset manipulation
# NOTE(review): this rebinds the name used by the draft permissions above, so
# PUBLISHED updates require ADMIN while the draft rules keep the earlier
# value — confirm this split is intended rather than a distinct name.
update_object_permission_impl = require_all(ADMIN_ROLE_PERMISSIONS)

# ALL dataset list
list_all_object_permission_impl = allow_all