v0.5.4

* overrides flask-security welcome template

.github/workflows/tests.yml

@@ -20,9 +20,42 @@ jobs:
     runs-on: ubuntu-20.04
     strategy:
       matrix:
-          python-version: [3.6, 3.7, 3.8]
+          python-version: [3.6, 3.7, 3.8, 3.9]
           requirements-level: [min, pypi]
+          db-service: [postgresql12]
+          search-service: [elasticsearch7]
+          exclude:
+          - python-version: 3.6
+            requirements-level: pypi
 
+          - python-version: 3.7
+            requirements-level: min
+
+          - python-version: 3.8
+            requirements-level: min
+
+          - python-version: 3.9
+            requirements-level: min
+
+          - db-service: postgresql12
+            requirements-level: min
+
+          - search-service: elasticsearch7
+            requirements-level: min
+
+          include:
+
+          - db-service: postgresql12
+            DB_EXTRAS: "postgresql"
+
+
+          - search-service: elasticsearch7
+            SEARCH_EXTRAS: "elasticsearch7"
+
+    env:
+      DB: ${{ matrix.db-service }}
+      SEARCH: ${{ matrix.search-service }}
+      EXTRAS: all,${{ matrix.DB_EXTRAS }},${{ matrix.SEARCH_EXTRAS }}
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -35,8 +68,7 @@ jobs:
       - name: Generate dependencies
         run: |
           python -m pip install --upgrade pip setuptools py wheel requirements-builder
-          requirements-builder -e all --level=${{ matrix.requirements-level }} setup.py > .${{ matrix.requirements-level }}-${{ matrix.python-version }}-requirements.txt
-
+          requirements-builder -e "$EXTRAS" --level=${{ matrix.requirements-level }} setup.py > .${{ matrix.requirements-level }}-${{ matrix.python-version }}-requirements.txt
       - name: Cache pip
         uses: actions/cache@v2
         with:
@@ -45,10 +77,11 @@ jobs:
 
       - name: Install dependencies
         run: |
-          pip install -r .${{matrix.requirements-level}}-${{ matrix.python-version }}-requirements.txt
-          pip install .[all]
+          pip install -r .${{ matrix.requirements-level }}-${{ matrix.python-version }}-requirements.txt
+          pip install ".[$EXTRAS]"
           pip freeze
-
+          docker --version
+          docker-compose --version
       - name: Run tests
         run: |
-          ./run-tests.sh
+          ./run-tests.sh

MANIFEST.in

@@ -34,15 +34,18 @@ recursive-include docs *.py
 recursive-include docs *.rst
 recursive-include docs *.txt
 recursive-include docs Makefile
-recursive-include invenio_config_tugraz *.html
 recursive-include tests *.py
 
+
 # added by check_manifest.py
 recursive-include invenio_config_tugraz *.crt
 recursive-include invenio_config_tugraz *.json
 recursive-include invenio_config_tugraz *.key
 recursive-include invenio_config_tugraz *.xml
 recursive-include invenio_config_tugraz *.gitkeep
+recursive-include invenio_config_tugraz *.txt
+recursive-include invenio_config_tugraz *.html
+
 
 # added by check-manifest
 recursive-include invenio_config_tugraz *.csv

invenio_config_tugraz/base_permissions.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2020 Graz University of Technology.
+# Copyright (C) 2020-2021 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -49,40 +49,40 @@ Using Custom Generator for a policy:
 Permissions for Invenio records.
 """
 
-from invenio_records_permissions.generators import (
-    Admin,
-    AnyUser,
-    AnyUserIfPublic,
-    RecordOwners,
-)
-from invenio_records_permissions.policies.base import BasePermissionPolicy
+# from invenio_records_permissions.generators import (
+#     Admin,
+#     AnyUser,
+#     AnyUserIfPublic,
+#     RecordOwners,
+# )
+# from invenio_records_permissions.policies.base import BasePermissionPolicy
 
-from .generators import RecordIp
+# from .generators import RecordIp
 
 
-class TUGRAZPermissionPolicy(BasePermissionPolicy):
-    """Access control configuration for records.
+# class TUGRAZPermissionPolicy(BasePermissionPolicy):
+#     """Access control configuration for records.
 
-    This overrides the /api/records endpoint.
+#     This overrides the /api/records endpoint.
 
-    """
+#     """
 
-    # Read access to API given to everyone.
-    can_search = [AnyUser(), RecordIp()]
+#     # Read access to API given to everyone.
+#     can_search = [AnyUser(), RecordIp()]
 
-    # Read access given to everyone if public record/files and owners always.
-    can_read = [AnyUserIfPublic(), RecordOwners(), RecordIp()]
+#     # Read access given to everyone if public record/files and owners always.
+#     can_read = [AnyUserIfPublic(), RecordOwners(), RecordIp()]
 
-    # Create action given to no one (Not even superusers) bc Deposits should
-    # be used.
-    can_create = [AnyUser()]
+#     # Create action given to no one (Not even superusers) bc Deposits should
+#     # be used.
+#     can_create = [AnyUser()]
 
-    # Update access given to record owners.
-    can_update = [RecordOwners()]
+#     # Update access given to record owners.
+#     can_update = [RecordOwners()]
 
-    # Delete access given to admins only.
-    can_delete = [Admin()]
+#     # Delete access given to admins only.
+#     can_delete = [Admin()]
 
-    # Associated files permissions (which are really bucket permissions)
-    can_read_files = [AnyUserIfPublic(), RecordOwners()]
-    can_update_files = [RecordOwners()]
+#     # Associated files permissions (which are really bucket permissions)
+#     can_read_files = [AnyUserIfPublic(), RecordOwners()]
+#     can_update_files = [RecordOwners()]

invenio_config_tugraz/config.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2020 Graz University of Technology.
+# Copyright (C) 2020-2021 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -172,6 +172,15 @@ SECURITY_CONFIRMABLE = False
 Instead user will get a welcome email.
 """
 
+# Flask-Security
+# =============
+# See https://pythonhosted.org/Flask-Security/configuration.html
+SECURITY_EMAIL_PLAINTEXT = True
+"""Render email content as plaintext."""
+
+SECURITY_EMAIL_HTML = False
+"""Render email content as HTML."""
+
 
 ACCOUNTS = True
 """Tells if the templates should use the accounts module.
@@ -198,16 +207,9 @@ RECAPTCHA_PRIVATE_KEY = None
 # =======
 # See:
 # https://invenio-records-permissions.readthedocs.io/en/latest/configuration.html
-#
-# Uncomment these to enable overriding Base permissions - (NOT RECOMMANDED)
-# RECORDS_PERMISSIONS_RECORD_POLICY = (
-#    'invenio_config_tugraz.base_permissions.TUGRAZPermissionPolicy'
-# )
-#
 # Uncomment these to enable overriding RDM permissions
-# RDM_RECORDS_BIBLIOGRAPHIC_SERVICE_CONFIG = (
-#     'invenio_config_tugraz.rdm_permissions.TUGRAZBibliographicRecordServiceConfig'
-# )
+# from .rdm_permissions import TUGRAZRDMRecordServiceConfig
+# RDM_RECORDS_BIBLIOGRAPHIC_SERVICE_CONFIG = TUGRAZRDMRecordServiceConfig
 """Access control configuration for records."""
 
 # invenio-rdm-records
@@ -215,9 +217,7 @@ RECAPTCHA_PRIVATE_KEY = None
 # See:
 # https://invenio-rdm-records.readthedocs.io/en/latest/configuration.html
 #
-RDM_RECORDS_USER_FIXTURE_PASSWORDS = {
-    "info@tugraz.at": None
-}
+RDM_RECORDS_USER_FIXTURE_PASSWORDS = {"info@tugraz.at": None}
 """Overrides for the user fixtures' passwords.
 The password set for a user fixture in this dictionary overrides the
 password set in the ``users.yaml`` file. This can be used to set custom

invenio_config_tugraz/ext.py

@@ -7,6 +7,7 @@
 # details.
 
 """invenio module that adds tugraz configs."""
+from flask import Blueprint
 
 from . import config
 

invenio_config_tugraz/generators.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2020 Mojib Wali.
+# Copyright (C) 2020-2021 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -153,7 +153,7 @@ The succinct encoding of the permissions for your instance gives you
 
 from elasticsearch_dsl.query import Q
 from flask import current_app, request
-from invenio_access.permissions import any_user, authenticated_user, superuser_access
+from invenio_access.permissions import any_user, superuser_access
 from invenio_records_permissions.generators import Generator
 
 
@@ -221,20 +221,3 @@ class RecordIp(Generator):
         if user_ip in current_app.config["INVENIO_CONFIG_TUGRAZ_SINGLE_IP"]:
             return True
         return False
-
-
-class AuthenticatedUser(Generator):
-    """Allows authenticated users."""
-
-    def __init__(self):
-        """Constructor."""
-        super(AuthenticatedUser, self).__init__()
-
-    def needs(self, **kwargs):
-        """Enabling Needs."""
-        return [authenticated_user]
-
-    def query_filter(self, **kwargs):
-        """Filters for current identity as super user."""
-        # TODO: Implement with new permissions metadata
-        return []

invenio_config_tugraz/rdm_permissions.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2020 Graz University of Technology.
+# Copyright (C) 2020-2021 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -53,59 +53,34 @@ Using Custom Generator for a policy:
 Permissions for Invenio (RDM) Records.
 """
 
-from invenio_rdm_records.services import (
-    BibliographicRecordServiceConfig,
-    RDMRecordPermissionPolicy,
-)
+from invenio_rdm_records.services import RDMRecordPermissionPolicy
+from invenio_rdm_records.services.config import RDMRecordServiceConfig
+from invenio_rdm_records.services.generators import IfDraft, IfRestricted, RecordOwners
 from invenio_records_permissions.generators import (
     Admin,
     AnyUser,
-    RecordOwners,
+    AuthenticatedUser,
+    Disable,
     SuperUser,
+    SystemProcess,
 )
 
-from .generators import AuthenticatedUser, RecordIp
-
 
 class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy):
     """Access control configuration for rdm records.
 
     This overrides the origin:
     https://github.com/inveniosoftware/invenio-rdm-records/blob/master/invenio_rdm_records/services/permissions.py.
-
+    Access control configuration for records.
+    Note that even if the array is empty, the invenio_access Permission class
+    always adds the ``superuser-access``, so admins will always be allowed.
+    - Create action given to everyone for now.
+    - Read access given to everyone if public record and given to owners
+      always. (inherited)
+    - Update access given to record owners. (inherited)
+    - Delete access given to admins only. (inherited)
     """
 
-    # Read access given to:
-    # TODO:
-    # AnyUserIfPublic : grant access if record is public
-    # RecordIp: grant access for single_ip
-    # RecordOwners: owner of records, enable once the deposit is allowed only for loged-in users.
-    # CURRENT:
-    # RecordIp: grant access for single_ip
-    can_read = [RecordIp()]  # RecordOwners()
 
-    # Search access given to:
-    # AnyUser : grant access anyUser
-    # RecordIp: grant access for single_ip
-    can_search = [AnyUser(), RecordIp()]
-
-    # Update access given to record owners.
-    can_update = [RecordOwners()]
-
-    # Delete access given to admins only.
-    can_delete = [Admin()]
-
-    # Create action given to AuthenticatedUser
-    # UI - if user is loged in
-    # API - if user has Access token (Bearer API-TOKEN)
-    can_create = [AuthenticatedUser()]
-
-    # Associated files permissions (which are really bucket permissions)
-    # can_read_files = [AnyUserIfPublic(), RecordOwners()]
-    # can_update_files = [RecordOwners()]
-
-
-class TUGRAZBibliographicRecordServiceConfig(BibliographicRecordServiceConfig):
+class TUGRAZRDMRecordServiceConfig(RDMRecordServiceConfig):
     """Overriding BibliographicRecordServiceConfig."""
-
-    permission_policy_cls = TUGRAZPermissionPolicy

invenio_config_tugraz/templates/security/email/welcome.html

@@ -0,0 +1,26 @@
+<p> 
+  {% trans salut=current_userprofile.full_name or user.email %}
+  Dear {{ salut }}!
+  {% endtrans %}
+</p>
+
+<p>
+  {{ _('To help you get started, here are some useful links:') }}
+</p>
+
+<p>
+  <a href="{{ config.SITE_HOSTNAME }}{{ url_for('invenio_theme_tugraz.index') }}"> {{ _('TU Graz Repository') }} </a> <br>
+  <a href="{{ config.SITE_HOSTNAME }}{{ url_for('invenio_theme_tugraz.guide')">{{ _('Reference Guide') }}</a><br>
+  <a href="{{ config.SITE_HOSTNAME }}{{ url_for('invenio_theme_tugraz.terms')"> {{ _('Terms and Conditions') }} </a> <br>
+</p>
+
+{% if security.confirmable %}
+<p>{{ _('You can confirm your email through the link below:') }}</p>
+
+<p><a href="{{ confirmation_link }}">{{ _('Confirm my account') }}</a></p>
+{% endif %}
+
+<p>
+  {{ _('Best regards') }} <br>
+  {{ _('TU Graz Repository Team') }}
+</p>

invenio_config_tugraz/templates/security/email/welcome.txt

@@ -0,0 +1,14 @@
+{{ _('Dear %(email)s!', email=user.email) }}
+{{ _('To help you get started, here are some useful links:') }}
+
+  {{ _('Repository')}}:           https://{{ config.SITE_HOSTNAME }}{{ url_for('invenio_theme_tugraz.index') }}
+  {{ _('Repository Guide')}}:     https://{{ config.SITE_HOSTNAME }}{{ url_for('invenio_theme_tugraz.guide') }}
+  {{ _('Terms And Conditions')}}: https://{{ config.SITE_HOSTNAME }}{{ url_for('invenio_theme_tugraz.terms') }}
+
+{% if security.confirmable %}
+{{ _('You can confirm your email through the link below:') }}
+{{ confirmation_link }}">
+{% endif %}
+
+{{ _('Best regards') }}
+{{ _('TU Graz Repository Team') }}

invenio_config_tugraz/version.py

@@ -12,4 +12,4 @@ This file is imported by ``invenio_config_tugraz.__init__``,
 and parsed by ``setup.py``.
 """
 
-__version__ = "0.5.3"
+__version__ = "0.5.4"

invenio_config_tugraz/views.py

@@ -0,0 +1,44 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2020-2021 Graz University of Technology.
+#
+# invenio-config-tugraz is free software; you can redistribute it and/or
+# modify it under the terms of the MIT License; see LICENSE file for more
+# details.
+
+"""invenio module for TUGRAZ config."""
+
+from os import environ
+from typing import Dict
+
+from elasticsearch_dsl.utils import AttrDict
+from flask import Blueprint, current_app
+
+
+def ui_blueprint(app):
+    """Blueprint for the routes and resources provided by invenio-config-tugraz."""
+    blueprint = Blueprint(
+        "invenio_config_tugraz",
+        __name__,
+        template_folder="templates",
+    )
+
+    @blueprint.before_app_first_request
+    def rank_higher():
+        """Rank this modules blueprint higher than blueprint of security module."""
+        blueprints = current_app._blueprint_order
+        our_index = None
+        security_index = None
+
+        for index, bp in enumerate(blueprints):
+            if bp.name == "security":
+                security_index = index
+            if bp.name == "invenio_config_tugraz":
+                our_index = index
+
+        if (security_index is not None) and (our_index > security_index):
+            temp = blueprints[security_index]
+            blueprints[security_index] = blueprints[our_index]
+            blueprints[our_index] = temp
+
+    return blueprint

setup.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2020 Mojib Wali.
+# Copyright (C) 2020-2021 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -17,13 +17,18 @@ history = open("CHANGES.rst").read()
 
 tests_require = [
     "pytest-invenio>=1.4.0",
-    "SQLAlchemy-Utils>=0.33.1,<0.36",
-    "invenio-rdm-records~=0.20.8",
-    "invenio-search[elasticsearch7]>=1.4.0",
-    "psycopg2-binary>=2.8.6",
+    "invenio-app>=1.3.0,<2.0.0",
 ]
 
+# Should follow invenio-app-rdm
+invenio_search_version = ">=1.4.0,<1.5.0"
+invenio_db_version = ">=1.0.9,<1.1.0"
+
 extras_require = {
+    "elasticsearch7": [f"invenio-search[elasticsearch7]{invenio_search_version}"],
+    "mysql": [f"invenio-db[mysql,versioning]{invenio_db_version}"],
+    "postgresql": [f"invenio-db[postgresql,versioning]{invenio_db_version}"],
+    "sqlite": [f"invenio-db[versioning]{invenio_db_version}"],
     "docs": [
         "Sphinx>=3",
     ],
@@ -31,7 +36,14 @@ extras_require = {
 }
 
 extras_require["all"] = []
-for reqs in extras_require.values():
+for name, reqs in extras_require.items():
+    if name[0] == ":" or name in (
+        "elasticsearch7",
+        "mysql",
+        "postgresql",
+        "sqlite",
+    ):
+        continue
     extras_require["all"].extend(reqs)
 
 setup_requires = [
@@ -41,8 +53,8 @@ setup_requires = [
 
 install_requires = [
     "Flask-BabelEx>=0.9.4",
-    "elasticsearch_dsl>=7.2.1",
-    "sqlalchemy-continuum>=1.3.11",
+    # keep this in sync with invenioRDM release
+    "invenio_rdm_records>=0.28.0,<0.29.0",
 ]
 
 packages = find_packages()
@@ -72,6 +84,9 @@ setup(
         "invenio_base.apps": [
             "invenio_config_tugraz = invenio_config_tugraz:InvenioConfigTugraz",
         ],
+        "invenio_base.blueprints": [
+            "invenio_config_tugraz = invenio_config_tugraz.views:ui_blueprint",
+        ],
         "invenio_i18n.translations": [
             "messages = invenio_config_tugraz",
         ],

tests/test_generators.py

@@ -8,9 +8,9 @@
 
 """Test Generators."""
 
-from invenio_access.permissions import any_user, authenticated_user
+from invenio_access.permissions import any_user
 
-from invenio_config_tugraz.generators import AuthenticatedUser, RecordIp
+from invenio_config_tugraz.generators import RecordIp
 
 
 def test_recordip(create_app, open_record, singleip_record):
@@ -27,12 +27,3 @@ def test_recordip(create_app, open_record, singleip_record):
     assert generator.excludes(record=open_record) == []
 
     assert generator.query_filter().to_dict() == {'bool': {'must_not': [{'match': {'access.access_right': 'singleip'}}]}}
-
-
-def test_authenticateduser():
-    """Test Generator AuthenticatedUser."""
-    generator = AuthenticatedUser()
-
-    assert generator.needs() == [authenticated_user]
-    assert generator.excludes() == []
-    assert generator.query_filter() == []