From 956a9eea7665842da99fd2316d97e75c7a9aae72 Mon Sep 17 00:00:00 2001
From: Mojib Wali <44528277+mb-wali@users.noreply.github.com>
Date: Tue, 5 Jan 2021 13:23:11 +0100
Subject: [PATCH] feature(permission): AuthenticatedUser Generator #39
---
 invenio_config_tugraz/generators.py | 19 ++++++++++++++++++-
 invenio_config_tugraz/rdm_permissions.py | 10 ++++------
 tests/test_generators.py | 13 +++++++++++--
 3 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/invenio_config_tugraz/generators.py b/invenio_config_tugraz/generators.py
index e68a931..39eef42 100644
--- a/invenio_config_tugraz/generators.py
+++ b/invenio_config_tugraz/generators.py
@@ -153,7 +153,7 @@ The succinct encoding of the permissions for your instance gives you
 from elasticsearch_dsl.query import Q
 from flask import current_app, request
-from invenio_access.permissions import any_user, superuser_access
+from invenio_access.permissions import any_user, authenticated_user, superuser_access
 from invenio_records_permissions.generators import Generator
@@ -221,3 +221,20 @@ class RecordIp(Generator):
 if user_ip in current_app.config["INVENIO_CONFIG_TUGRAZ_SINGLE_IP"]:
 return True
 return False
+
+
+class AuthenticatedUser(Generator):
+ """Allows authenticated users."""
+
+ def __init__(self):
+ """Constructor."""
+ super(AuthenticatedUser, self).__init__()
+
+ def needs(self, **kwargs):
+ """Enabling Needs."""
+ return [authenticated_user]
+
+ def query_filter(self, **kwargs):
+ """Filters for current identity as super user."""
+ # TODO: Implement with new permissions metadata
+ return []
diff --git a/invenio_config_tugraz/rdm_permissions.py b/invenio_config_tugraz/rdm_permissions.py
index 63e6f1d..34e3f1d 100644
--- a/invenio_config_tugraz/rdm_permissions.py
+++ b/invenio_config_tugraz/rdm_permissions.py
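Review bot: The docstring on `query_filter` in the new `AuthenticatedUser` class (invenio_config_tugraz/generators.py, second hunk) reads "Filters for current identity as super user", which looks copied from another generator and does not match the body, which returns `[]` unconditionally. An empty list presumably contributes no search filter at all, so the docstring should say that, e.g. `"""Return no search filter (not implemented yet)."""`, to stop the generator being listed under a search action on the assumption that it restricts results to logged-in users. The `__init__` override only calls the parent constructor and can be dropped.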
@@ -64,7 +64,7 @@ from invenio_records_permissions.generators import (
 SuperUser,
 )
-from .generators import RecordIp
+from .generators import AuthenticatedUser, RecordIp
 class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy):
@@ -81,9 +81,8 @@ class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy):
 # RecordIp: grant access for single_ip
 # RecordOwners: owner of records, enable once the deposit is allowed only for loged-in users.
 # CURRENT:
- # AnyUser
 # RecordIp: grant access for single_ip
- can_read = [AnyUser(), RecordIp()] # RecordOwners()
+ can_read = [RecordIp()] # RecordOwners()
 # Search access given to:
 # AnyUser : grant access anyUser
@@ -96,11 +95,10 @@ class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy):
 # Delete access given to admins only.
 can_delete = [Admin()]
- # TODO: create (AuthenticatedUser) generator
 # Create action given to AuthenticatedUser
 # UI - if user is loged in
- # API - if user has be Access token (Bearer API-TOKEN)
- # can_create = [AuthenticatedUser()]
+ # API - if user has Access token (Bearer API-TOKEN)
+ can_create = [AuthenticatedUser()]
 # Associated files permissions (which are really bucket permissions)
 # can_read_files = [AnyUserIfPublic(), RecordOwners()]
diff --git a/tests/test_generators.py b/tests/test_generators.py
index 6060075..4eb4dcd 100644
--- a/tests/test_generators.py
+++ b/tests/test_generators.py
@@ -8,9 +8,9 @@ """Test Generators."""
-from invenio_access.permissions import any_user
+from invenio_access.permissions import any_user, authenticated_user
-from invenio_config_tugraz.generators import RecordIp
+from invenio_config_tugraz.generators import AuthenticatedUser, RecordIp
 def test_recordip(create_app, open_record, singleip_record):
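Review bot: The second hunk of invenio_config_tugraz/rdm_permissions.py removes `AnyUser()` from `can_read`, leaving `RecordIp()` as the only generator that can grant read access, yet the commit subject mentions only the AuthenticatedUser generator and no test in this commit exercises the read policy. Only the tail of `RecordIp`'s IP comparison is visible in this diff, so two things should be confirmed before merging: that open records stay readable for anonymous visitors, and that `user_ip` comes from a source a client cannot set through forwarded headers. A comment next to the assignment, such as `# AnyUser removed: RecordIp alone decides read access (see RecordIp in generators.py)`, would record the intent. The class body continues outside the hunk.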
@@ -27,3 +27,12 @@ def test_recordip(create_app, open_record, singleip_record):
 assert generator.excludes(record=open_record) == []
 assert generator.query_filter().to_dict() == {'bool': {'must_not': [{'match': {'access.access_right': 'singleip'}}]}}
+
+
+def test_authenticateduser():
+ """Test Generator AuthenticatedUser."""
+ generator = AuthenticatedUser()
+
+ assert generator.needs() == [authenticated_user]
+ assert generator.excludes() == []
+ assert generator.query_filter() == []
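Review bot: `test_authenticateduser` checks only the three lists the generator returns, so nothing in this commit asserts that the policy actually applies it: both `can_create = [AuthenticatedUser()]` and the narrowed `can_read` in rdm_permissions.py are untested. A policy-level check would catch an anonymous need slipping back onto create, for example `assert authenticated_user in TUGRAZPermissionPolicy(action="create").needs` and `assert any_user not in TUGRAZPermissionPolicy(action="create").needs` (assuming the policy is instantiated by action name, as in invenio-records-permissions). `excludes()` is not defined by the new class, so that assertion tests the inherited `Generator` behaviour rather than anything added here.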