feature(permission): AuthenticatedUser Generator #39

2025-12-22 21:11:57 +00:00 · 2021-01-05 13:23:11 +01:00
parent ce97c5378c
commit 956a9eea76
3 changed files with 33 additions and 9 deletions
--- a/invenio_config_tugraz/generators.py
+++ b/invenio_config_tugraz/generators.py
@@ -153,7 +153,7 @@ The succinct encoding of the permissions for your instance gives you
 from elasticsearch_dsl.query import Q
 from flask import current_app, request
-from invenio_access.permissions import any_user, superuser_access
+from invenio_access.permissions import any_user, authenticated_user, superuser_access
 from invenio_records_permissions.generators import Generator
@@ -221,3 +221,20 @@ class RecordIp(Generator):
        if user_ip in current_app.config["INVENIO_CONFIG_TUGRAZ_SINGLE_IP"]:
            return True
        return False
 class AuthenticatedUser(Generator):
    """Allows authenticated users."""
    def __init__(self):
        """Constructor."""
        super(AuthenticatedUser, self).__init__()
    def needs(self, **kwargs):
        """Enabling Needs."""
        return [authenticated_user]
    def query_filter(self, **kwargs):
        """Filters for current identity as super user."""
        # TODO: Implement with new permissions metadata
        return []
--- a/invenio_config_tugraz/rdm_permissions.py
+++ b/invenio_config_tugraz/rdm_permissions.py
@@ -64,7 +64,7 @@ from invenio_records_permissions.generators import (
    SuperUser,
 )
-from .generators import RecordIp
+from .generators import AuthenticatedUser, RecordIp
 class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy):
@@ -81,9 +81,8 @@ class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy):
    # RecordIp: grant access for single_ip
    # RecordOwners: owner of records, enable once the deposit is allowed only for loged-in users.
    # CURRENT:
    # AnyUser
    # RecordIp: grant access for single_ip
-    can_read = [AnyUser(), RecordIp()]  # RecordOwners()
+    can_read = [RecordIp()]  # RecordOwners()
    # Search access given to:
    # AnyUser : grant access anyUser
@@ -96,11 +95,10 @@ class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy):
    # Delete access given to admins only.
    can_delete = [Admin()]
    # TODO: create (AuthenticatedUser) generator
    # Create action given to AuthenticatedUser
    # UI - if user is loged in
-    # API - if user has be Access token (Bearer API-TOKEN)
+    # API - if user has Access token (Bearer API-TOKEN)
-    # can_create = [AuthenticatedUser()]
+    can_create = [AuthenticatedUser()]
    # Associated files permissions (which are really bucket permissions)
    # can_read_files = [AnyUserIfPublic(), RecordOwners()]
--- a/tests/test_generators.py
+++ b/tests/test_generators.py
@@ -8,9 +8,9 @@
 """Test Generators."""
-from invenio_access.permissions import any_user
+from invenio_access.permissions import any_user, authenticated_user
-from invenio_config_tugraz.generators import RecordIp
+from invenio_config_tugraz.generators import AuthenticatedUser, RecordIp
 def test_recordip(create_app, open_record, singleip_record):
@@ -27,3 +27,12 @@ def test_recordip(create_app, open_record, singleip_record):
    assert generator.excludes(record=open_record) == []
    assert generator.query_filter().to_dict() == {'bool': {'must_not': [{'match': {'access.access_right': 'singleip'}}]}}
 def test_authenticateduser():
    """Test Generator AuthenticatedUser."""
    generator = AuthenticatedUser()
    assert generator.needs() == [authenticated_user]
    assert generator.excludes() == []
    assert generator.query_filter() == []