release v0.12.2

* remove unused .tx. the translation is done without transifex

* remove unused files

* remove unused checks because ruff took over

.editorconfig

@@ -15,15 +15,6 @@ insert_final_newline = true
 trim_trailing_whitespace = true
 charset = utf-8
 
-# Python files
-[*.py]
-indent_size = 4
-# isort plugin configuration
-known_first_party = invenio_config_tugraz
-multi_line_output = 2
-default_section = THIRDPARTY
-skip = .eggs
-
 # RST files (used by sphinx)
 [*.rst]
 indent_size = 4

.git-blame-ignore-revs

@@ -0,0 +1 @@
+766b2cafae4dc74393b103389e6978eca5a9cfd2

.github/workflows/pypi-publish.yml

@@ -5,22 +5,5 @@ on:
 
 jobs:
   build-n-publish:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: Set up Python 3.7
-        uses: actions/setup-python@v2
-        with:
-          python-version: 3.7
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install setuptools wheel
-      - name: Build package
-        run: |
-          python setup.py compile_catalog sdist bdist_wheel
-      - name: pypi-publish
-        uses: pypa/gh-action-pypi-publish@v1.3.1
-        with:
-          user: __token__
-          password: ${{ secrets.pypi_password }}
+    uses: tu-graz-library/.github/.github/workflows/pypi-publish.yml@main
+    secrets: inherit

.github/workflows/tests.yml

@@ -16,72 +16,5 @@ on:
         default: 'Manual trigger'
 
 jobs:
-  Tests:
-    runs-on: ubuntu-20.04
-    strategy:
-      matrix:
-          python-version: [3.6, 3.7, 3.8, 3.9]
-          requirements-level: [min, pypi]
-          db-service: [postgresql12]
-          search-service: [elasticsearch7]
-          exclude:
-          - python-version: 3.6
-            requirements-level: pypi
-
-          - python-version: 3.7
-            requirements-level: min
-
-          - python-version: 3.8
-            requirements-level: min
-
-          - python-version: 3.9
-            requirements-level: min
-
-          - db-service: postgresql12
-            requirements-level: min
-
-          - search-service: elasticsearch7
-            requirements-level: min
-
-          include:
-
-          - db-service: postgresql12
-            DB_EXTRAS: "postgresql"
-
-
-          - search-service: elasticsearch7
-            SEARCH_EXTRAS: "elasticsearch7"
-
-    env:
-      DB: ${{ matrix.db-service }}
-      SEARCH: ${{ matrix.search-service }}
-      EXTRAS: all,${{ matrix.DB_EXTRAS }},${{ matrix.SEARCH_EXTRAS }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
-        with:
-          python-version: ${{ matrix.python-version }}
-
-      - name: Generate dependencies
-        run: |
-          python -m pip install --upgrade pip setuptools py wheel requirements-builder
-          requirements-builder -e "$EXTRAS" --level=${{ matrix.requirements-level }} setup.py > .${{ matrix.requirements-level }}-${{ matrix.python-version }}-requirements.txt
-      - name: Cache pip
-        uses: actions/cache@v2
-        with:
-          path: ~/.cache/pip
-          key: ${{ runner.os }}-pip-${{ hashFiles('.${{ matrix.requirements-level }}-${{ matrix.python-version }}-requirements.txt') }}
-
-      - name: Install dependencies
-        run: |
-          pip install -r .${{ matrix.requirements-level }}-${{ matrix.python-version }}-requirements.txt
-          pip install ".[$EXTRAS]"
-          pip freeze
-          docker --version
-          docker-compose --version
-      - name: Run tests
-        run: |
-          ./run-tests.sh
+  tests:
+    uses: tu-graz-library/.github/.github/workflows/tests.yml@main

.tx/config

@@ -1,33 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# Copyright (C) 2020 Mojib Wali.
-#
-# invenio-config-tugraz is free software; you can redistribute it and/or
-# modify it under the terms of the MIT License; see LICENSE file for more
-# details.
-
-# TODO: Transifex integration
-#
-# 1) Create message catalog:
-#    $ python setup.py extract_messages
-#    $ python setup.py init_catalog -l <lang>
-#    $ python setup.py compile_catalog
-# 2) Ensure project has been created on Transifex under the inveniosoftware
-#    organisation.
-# 3) Install the transifex-client
-#    $ pip install transifex-client
-# 4) Push source (.pot) and translations (.po) to Transifex
-#    $ tx push -s -t
-# 5) Pull translations for a single language from Transifex
-#    $ tx pull -l <lang>
-# 6) Pull translations for all languages from Transifex
-#    $ tx pull -a
-
-[main]
-host = https://www.transifex.com
-
-[invenio.invenio-config-tugraz-messages]
-file_filter = invenio_config_tugraz/translations/<lang>/LC_MESSAGES/messages.po
-source_file = invenio_config_tugraz/translations/messages.pot
-source_lang = en
-type = PO

CHANGES.rst

@@ -1,5 +1,5 @@
 ..
-    Copyright (C) 2020 Mojib Wali.
+    Copyright (C) 2020 - 2022 Graz University of Technology.
 
     invenio-config-tugraz is free software; you can redistribute it and/or
     modify it under the terms of the MIT License; see LICENSE file for more
@@ -8,6 +8,93 @@
 Changes
 =======
 
+Version v0.12.2 (release 2024-07-19)
+
+- setup: introduce ruff
+- perm: implement single-ip and ip-network
+- utils: add invenio_saml-compatible account-setup
+- add new permission-policy, add new role
+- fix deprecated `before_app_first_request`
+- setup: add support for python3.11 and 3.12
+
+
+Version v0.12.1 (release 2024-03-08)
+
+- setup: remove upper limit of rdm-records
+
+
+Version v0.12.0 (release 2023-11-10)
+
+- setup: remove python3.8 support
+- global: make it compatible with v12
+
+
+Version v0.11.0 (release 2023-04-20)
+
+- global: make package compatible with v11
+
+
+Version v0.10.4 (release 2023-02-10)
+
+
+
+
+Version v0.10.2 (release 2023-02-02)
+
+- change version name
+- footer: update guid
+
+
+Version v0.10.1 (release 2022-11-17)
+
+- global: add function
+
+Version 0.10.0 (released 2022-10-13)
+
+- global: migrate to v10 (#101)
+
+Version 0.9.1 (released 2022-05-30)
+
+- ci(publish): ping babel version (#99)
+
+Version 0.9.0 (released 2022-05-30)
+
+- config: adds new introduced configs v9
+- dep: compatible to v9 rdm
+- config: add deposit form quota variable (#91)
+- migrate setup py to cfg (#94)
+- fix: update email welcome template with SITE_UI_URL (#93)
+
+Version 0.8.4 (released 2022-03-11)
+
+- config: use gettext
+
+Version 0.8.3 (released 2022-03-10)
+
+- config: fix comment & import
+
+Version 0.8.2 (released 2022-03-03)
+
+- config: new introduced to v8 of invenioRDM
+
+Version 0.8.1 (released 2022-02-28)
+
+- config: set samesite cookie to strict
+- dep: bump in base dependencies
+
+Version 0.8.0 (released 2022-02-09)
+
+- dep: bump rdm-records version
+
+Version 0.7.1 (released 2021-12-07)
+
+- configs: adds new & changed configs for v7 #76
+
+Version 0.7.0 (released 2021-12-06)
+
+- fix: update blueprint reorder #74
+- dep: upgrade rdm-records version & OAI #72
+
 Version 0.1.0 (released TBD)
 
 - Initial public release.

MANIFEST.in

@@ -49,3 +49,7 @@ recursive-include invenio_config_tugraz *.html
 
 # added by check-manifest
 recursive-include invenio_config_tugraz *.csv
+
+# added by check-manifest
+recursive-include invenio_config_tugraz *.pdf
+include .git-blame-ignore-revs

README.rst

@@ -16,10 +16,10 @@
         :target: https://pypi.python.org/pypi/invenio-config-tugraz
 
 .. image:: https://img.shields.io/github/tag/tu-graz-library/invenio-config-tugraz.svg
-        :target: https://github.com/mb-wali/invenio-config-tugraz/releases
+        :target: https://github.com/tu-graz-library/invenio-config-tugraz/releases
 
 .. image:: https://img.shields.io/github/license/tu-graz-library/invenio-config-tugraz.svg
-        :target: https://github.com/mb-wali/invenio-config-tugraz/blob/master/LICENSE
+        :target: https://github.com/tu-graz-library/invenio-config-tugraz/blob/master/LICENSE
 
 .. image:: https://readthedocs.org/projects/invenio-config-tugraz/badge/?version=latest
         :target: https://invenio-config-tugraz.readthedocs.io/en/latest/?badge=latest
@@ -38,6 +38,8 @@ Override configs from diffrent invenio modules to meet TU Graz requirement:
 * Invenio-Mail
 * Invenio-shibboleth
 * Invenio-accounts
+* Flask-security
+* Defined routes for TUG
 
 Further documentation is available on
 https://invenio-config-tugraz.readthedocs.io/

babel.ini

@@ -15,7 +15,6 @@ encoding = utf-8
 
 [jinja2: **/templates/**.*]
 encoding = utf-8
-extensions = jinja2.ext.autoescape, jinja2.ext.with_
 
 # Extraction from JavaScript files
 

docs/conf.py

@@ -8,7 +8,7 @@
 
 """Sphinx configuration."""
 
-import os
+from invenio_config_tugraz import __version__
 
 # import sphinx.environment
 
@@ -46,9 +46,9 @@ source_suffix = ".rst"
 master_doc = "index"
 
 # General information about the project.
-project = u"invenio-config-tugraz"
-copyright = u"2020, Mojib Wali"
-author = u"Mojib Wali"
+project = "invenio-config-tugraz"
+copyright = "2022, TU Graz"
+author = "TU Graz"
 
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the
@@ -56,26 +56,15 @@ author = u"Mojib Wali"
 #
 # The short X.Y version.
 
-# Get the version string. Cannot be done with import!
-g = {}
-with open(
-    os.path.join(
-        os.path.dirname(__file__), "..", "invenio_config_tugraz", "version.py"
-    ),
-    "rt",
-) as fp:
-    exec(fp.read(), g)
-    version = g["__version__"]
-
 # The full version, including alpha/beta/rc tags.
-release = version
+release = __version__
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
 #
 # This is also used if you do content translation via gettext catalogs.
 # Usually you set "language" from the command line for these cases.
-language = None
+language = "en"
 
 # There are two options for replacing |today|: either, you set today to some
 # non-false value, then it is used:
@@ -254,8 +243,8 @@ latex_documents = [
     (
         master_doc,
         "invenio-config-tugraz.tex",
-        u"invenio-config-tugraz Documentation",
-        u"Mojib Wali",
+        "invenio-config-tugraz Documentation",
+        "Mojib Wali",
         "manual",
     ),
 ]
@@ -289,7 +278,7 @@ man_pages = [
     (
         master_doc,
         "invenio-config-tugraz",
-        u"invenio-config-tugraz Documentation",
+        "invenio-config-tugraz Documentation",
         [author],
         1,
     )
@@ -308,7 +297,7 @@ texinfo_documents = [
     (
         master_doc,
         "invenio-config-tugraz",
-        u"invenio-config-tugraz Documentation",
+        "invenio-config-tugraz Documentation",
         author,
         "invenio-config-tugraz",
         "invenio module that adds tugraz configs.",
@@ -332,6 +321,8 @@ texinfo_documents = [
 # Example configuration for intersphinx: refer to the Python standard library.
 intersphinx_mapping = {
     "python": ("https://docs.python.org/", None),
+    "flask": ("https://flask.palletsprojects.com/", None),
+    "werkzeug": ("https://werkzeug.palletsprojects.com/", None),
     # TODO: Configure external documentation references, eg:
     # 'Flask-Admin': ('https://flask-admin.readthedocs.io/en/latest/', None),
 }

invenio_config_tugraz/__init__.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2020 Mojib Wali.
+# Copyright (C) 2020-2024 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -9,7 +9,12 @@
 """invenio module that adds tugraz configs."""
 
 from .ext import InvenioConfigTugraz
-from .generators import RecordIp
-from .version import __version__
+from .utils import get_identity_from_user_by_email
 
-__all__ = ("__version__", "InvenioConfigTugraz", "RecordIp")
+__version__ = "0.12.2"
+
+__all__ = (
+    "__version__",
+    "InvenioConfigTugraz",
+    "get_identity_from_user_by_email",
+)

invenio_config_tugraz/base_permissions.py

@@ -1,88 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# Copyright (C) 2020-2021 Graz University of Technology.
-#
-# invenio-config-tugraz is free software; you can redistribute it and/or
-# modify it under the terms of the MIT License; see LICENSE file for more
-# details.
-
-"""
-Records permission policies.
-
-Default policies for records:
-
-.. code-block:: python
-
-    # Read access given to everyone.
-    can_search = [AnyUser()]
-    # Create action given to no one (Not even superusers) bc Deposits should
-    # be used.
-    can_create = [Disable()]
-    # Read access given to everyone if public record/files and owners always.
-    can_read = [AnyUserIfPublic(), RecordOwners()]
-    # Update access given to record owners.
-    can_update = [RecordOwners()]
-    # Delete access given to admins only.
-    can_delete = [Admin()]
-    # Associated files permissions (which are really bucket permissions)
-    can_read_files = [AnyUserIfPublic(), RecordOwners()]
-    can_update_files = [RecordOwners()]
-
-How to override default policies for records.
-
-Using Custom Generator for a policy:
-
-.. code-block:: python
-
-    from invenio_rdm_records.permissions import RDMRecordPermissionPolicy
-    from invenio_config_tugraz.generators import RecordIp
-
-    class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy):
-
-    # Delete access given to RecordIp only.
-
-    can_delete = [RecordIp()]
-
-    RECORDS_PERMISSIONS_RECORD_POLICY = TUGRAZPermissionPolicy
-
-
-Permissions for Invenio records.
-"""
-
-# from invenio_records_permissions.generators import (
-#     Admin,
-#     AnyUser,
-#     AnyUserIfPublic,
-#     RecordOwners,
-# )
-# from invenio_records_permissions.policies.base import BasePermissionPolicy
-
-# from .generators import RecordIp
-
-
-# class TUGRAZPermissionPolicy(BasePermissionPolicy):
-#     """Access control configuration for records.
-
-#     This overrides the /api/records endpoint.
-
-#     """
-
-#     # Read access to API given to everyone.
-#     can_search = [AnyUser(), RecordIp()]
-
-#     # Read access given to everyone if public record/files and owners always.
-#     can_read = [AnyUserIfPublic(), RecordOwners(), RecordIp()]
-
-#     # Create action given to no one (Not even superusers) bc Deposits should
-#     # be used.
-#     can_create = [AnyUser()]
-
-#     # Update access given to record owners.
-#     can_update = [RecordOwners()]
-
-#     # Delete access given to admins only.
-#     can_delete = [Admin()]
-
-#     # Associated files permissions (which are really bucket permissions)
-#     can_read_files = [AnyUserIfPublic(), RecordOwners()]
-#     can_update_files = [RecordOwners()]

invenio_config_tugraz/config.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2020-2021 Graz University of Technology.
+# Copyright (C) 2020-2024 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -8,54 +8,48 @@
 
 """invenio module that adds tugraz configs."""
 
-from os.path import abspath, dirname, join
+from invenio_i18n import gettext as _
 
-from flask_babelex import gettext as _
-
-INVENIO_CONFIG_TUGRAZ_SHIBBOLETH = False
+CONFIG_TUGRAZ_SHIBBOLETH = False
 """Set True if SAML is configured"""
 
-INVENIO_CONFIG_TUGRAZ_SINGLE_IP = []
+CONFIG_TUGRAZ_SINGLE_IPS = []
 """Allows access to users whose IP address is listed.
 
-INVENIO_CONFIG_TUGRAZ_SINGLE_IP =
+INVENIO_CONFIG_TUGRAZ_SINGLE_IPS =
     ["127.0.0.1", "127.0.0.2"]
 """
 
-INVENIO_CONFIG_TUGRAZ_IP_RANGES = []
+CONFIG_TUGRAZ_IP_RANGES = []
 """Allows access to users whose range of IP address is listed.
 
 INVENIO_CONFIG_TUGRAZ_IP_RANGES =
 [["127.0.0.2", "127.0.0.99"], ["127.0.1.3", "127.0.1.5"]]
 """
 
+CONFIG_TUGRAZ_IP_NETWORK = ""
+"""Allows access to users who are in the IP network."""
+
+
+CONFIG_TUGRAZ_ROUTES = {
+    "guide": "/guide",
+    "terms": "/terms",
+    "gdpr": "/gdpr",
+}
+"""Defined routes for TUG."""
+
 # Invenio-App
 # ===========
 # See https://invenio-app.readthedocs.io/en/latest/configuration.html
 
-APP_ALLOWED_HOSTS = [
-    "0.0.0.0",
-    "localhost",
-    "127.0.0.1",
-    "invenio-dev01.tugraz.at",
-    "invenio-test.tugraz.at",
-    "repository.tugraz.at",
-]
-"""Allowed Hosts"""
-
 APP_DEFAULT_SECURE_HEADERS = {
     "content_security_policy": {
         "default-src": [
             "'self'",
-            "fonts.googleapis.com",
-            "*.gstatic.com",
             "data:",
             "'unsafe-inline'",
-            "'unsafe-eval'",
             "blob:",
             "ub-support.tugraz.at",  # zammad contact form
-            "api.datacite.org/dois",  # datacite
-            "api.test.datacite.org/dois",  # datacite test
         ],
     },
     "content_security_policy_report_only": False,
@@ -73,6 +67,15 @@ APP_DEFAULT_SECURE_HEADERS = {
     "strict_transport_security_preload": False,
 }
 
+# Invenio-I18N
+# ============
+# See https://invenio-i18n.readthedocs.io/en/latest/configuration.html
+BABEL_DEFAULT_LOCALE = "en"
+# Default time zone
+BABEL_DEFAULT_TIMEZONE = "Europe/Vienna"
+# Other supported languages (do not include BABEL_DEFAULT_LOCALE in list).
+I18N_LANGUAGES = [("de", _("German"))]
+
 # Invenio-Mail
 # ===========
 # See https://invenio-mail.readthedocs.io/en/latest/configuration.html
@@ -113,19 +116,22 @@ Set this to False when sending actual emails.
 # ===========
 # See https://invenio-userprofiles.readthedocs.io/en/latest/configuration.html
 
-USERPROFILES_EXTEND_SECURITY_FORMS = False
+USERPROFILES_EXTEND_SECURITY_FORMS = True
 """Set True in order to register user_profile.
 
 This also forces user to add username and fullname
 when register.
 """
 
-USERPROFILES_EMAIL_ENABLED = False
+USERPROFILES_EMAIL_ENABLED = True
 """Exclude the user email in the profile form."""
 
-# Invenio-shibboleth
+USERPROFILES_READ_ONLY = True
+"""Allow users to change profile info (name, email, etc...)."""
+
+# Invenio-saml
 # ===========
-# See https://invenio-shibboleth.readthedocs.io/en/latest/configuration.html
+# See https://invenio-saml.readthedocs.io/en/latest/configuration.html
 
 SSO_SAML_IDPS = {}
 """Configuration of IDPS. Actual values can be find in to invenio.cfg file"""
@@ -153,13 +159,16 @@ SSO_SAML_DEFAULT_SLS_ROUTE = "/sls/<idp>"
 # ===========
 # See https://invenio-accounts.readthedocs.io/en/latest/configuration.html
 
+ACCOUNTS_LOCAL_LOGIN_ENABLED = True
+"""Allow local login."""
+
 SECURITY_CHANGEABLE = False
 """Allow password change by users."""
 
 SECURITY_RECOVERABLE = False
 """Allow password recovery by users."""
 
-SECURITY_REGISTERABLE = False
+SECURITY_REGISTERABLE = True
 """"Allow users to register.
 
 With this variable set to "False" users will not be
@@ -172,6 +181,9 @@ SECURITY_CONFIRMABLE = False
 Instead user will get a welcome email.
 """
 
+SECURITY_LOGIN_WITHOUT_CONFIRMATION = False
+"""Require users to confirm email before being able to login."""
+
 # Flask-Security
 # =============
 # See https://pythonhosted.org/Flask-Security/configuration.html
@@ -228,20 +240,22 @@ password from ``users.yaml`` will be used. If that is also absent, a password
 will be generated randomly.
 """
 
-# Custom Access Right
-# RDM_RECORDS_CUSTOM_VOCABULARIES = {
-#     'access_right': {
-#         'path': join(
-#             dirname(abspath(__file__)),
-#             'restrictions', 'access_right', 'access_right_limit.csv'
-#         )
-#     }
-# }
+DATACITE_FORMAT = "{prefix}/{id}"
+"""Customize the generated DOI string."""
+
+DATACITE_DATACENTER_SYMBOL = ""
+""""The OAI-PMH server's metadata format oai_datacite
+that allows you to harvest record from InvenioRDM in DataCite XML needs
+to be configured with your DataCite data center symbol.
+This is only required if you want your records to be harvestable in DataCite XML format.
+"""
 
 # Invenio-app-rdm
 # =========================
 # See https://github.com/inveniosoftware/invenio-app-rdm/blob/master/invenio_app_rdm/config.py
-APP_RDM_DEPOSIT_FORM_DEFAULTS = {}
+APP_RDM_DEPOSIT_FORM_DEFAULTS = {
+    "publisher": "Graz University of Technology",
+}
 """Default values for new records in the deposit UI.
 
 The keys denote the dot-separated path, where in the record's metadata
@@ -250,6 +264,28 @@ If the value is callable, its return value will be used for the field
 (e.g. lambda/function for dynamic calculation of values).
 """
 
+APP_RDM_DEPOSIT_FORM_AUTOCOMPLETE_NAMES = "off"
+"""Behavior for autocomplete names search field for creators/contributors.
+
+Available options:
+
+- ``search`` (default): Show search field and form always.
+- ``search_only``: Only show search field. Form displayed after selection or
+  explicit "manual" entry.
+- ``off``: Only show person form (no search field).
+"""
+
+APP_RDM_DEPOSIT_FORM_QUOTA = {
+    "maxFiles": 100,
+    # Easiest way to set this to a certain amount is to start from 1 Gb
+    # and go from there:
+    #   1 Gb: 10 ** 9
+    #  50 Gb: 10 ** 9 * 50
+    # 100 Mb: 10 ** 9 * 0.1
+    "maxStorage": 10**9 * 10,
+}
+"""Deposit file upload quota """
+
 SQLALCHEMY_ECHO = False
 """Enable to see all SQL queries."""
 
@@ -311,3 +347,31 @@ reopened regularly.
 
 See https://docs.sqlalchemy.org/en/latest/core/engines.html.
 """
+
+# Redis (cache)
+# ========
+# Cache or Redis configurations
+RATELIMIT_AUTHENTICATED_USER = "25000 per hour;1000 per minute"
+"""Increase defaults for authenticated users."""
+
+RATELIMIT_GUEST_USER = "5000 per hour;500 per minute"
+"""Increase defaults for guest users."""
+
+SESSION_COOKIE_SAMESITE = "Strict"
+"""Sets cookie with the samesite flag to 'Strict' by default."""
+
+
+# OAI-PMH
+# =======
+# See https://github.com/inveniosoftware/invenio-oaiserver/blob/master/invenio_oaiserver/config.py
+
+OAISERVER_ID_PREFIX = "repository.tugraz.at"
+"""The prefix that will be applied to the generated OAI-PMH ids."""
+
+OAISERVER_ADMIN_EMAILS = [
+    "oai@repository.tugraz.at",
+]
+"""The e-mail addresses of administrators of the repository.
+
+It **must** include one or more instances.
+"""

invenio_config_tugraz/custom_fields/__init__.py

@@ -0,0 +1,15 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2024 Graz University of Technology.
+#
+# invenio-config-tugraz is free software; you can redistribute it and/or
+# modify it under the terms of the MIT License; see LICENSE file for more
+# details.
+
+"""Custom fields."""
+
+
+from invenio_records_resources.services.custom_fields import BooleanCF
+
+ip_network = BooleanCF(name="ip_network")
+single_ip = BooleanCF(name="single_ip")

invenio_config_tugraz/ext.py

@@ -1,32 +1,61 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2020 Mojib Wali.
+# Copyright (C) 2020-2024 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
 # details.
 
 """invenio module that adds tugraz configs."""
-from flask import Blueprint
+
+from flask import Flask
 
 from . import config
+from .custom_fields import ip_network, single_ip
 
 
-class InvenioConfigTugraz(object):
+class InvenioConfigTugraz:
     """invenio-config-tugraz extension."""
 
-    def __init__(self, app=None):
+    def __init__(self, app: Flask = None) -> None:
         """Extension initialization."""
         if app:
             self.init_app(app)
 
-    def init_app(self, app):
+    def init_app(self, app: Flask) -> None:
         """Flask application initialization."""
         self.init_config(app)
+        self.add_custom_fields(app)
         app.extensions["invenio-config-tugraz"] = self
 
-    def init_config(self, app):
+    def init_config(self, app: Flask) -> None:
         """Initialize configuration."""
         for k in dir(config):
             if k.startswith("INVENIO_CONFIG_TUGRAZ_"):
                 app.config.setdefault(k, getattr(config, k))
+
+    def add_custom_fields(self, app: Flask) -> None:
+        """Add custom fields."""
+        app.config.setdefault("RDM_CUSTOM_FIELDS", [])
+        app.config["RDM_CUSTOM_FIELDS"].append(ip_network)
+        app.config["RDM_CUSTOM_FIELDS"].append(single_ip)
+
+
+def finalize_app(app: Flask) -> None:
+    """Finalize app."""
+    rank_blueprint_higher(app)
+
+
+def rank_blueprint_higher(app: Flask) -> None:
+    """Rank this module's blueprint higher than blueprint of security module.
+
+    Needed in order to overwrite email templates.
+
+    Since the blueprints are in a dict and the order of insertion is
+        retained, popping and reinserting all items (except ours), ensures
+        our blueprint will be in front.
+    """
+    bps = app.blueprints
+    for blueprint_name in list(bps.keys()):
+        if blueprint_name != "invenio_config_tugraz":
+            bps.update({blueprint_name: bps.pop(blueprint_name)})

invenio_config_tugraz/generators.py

@@ -1,223 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# Copyright (C) 2020-2021 Graz University of Technology.
-#
-# invenio-config-tugraz is free software; you can redistribute it and/or
-# modify it under the terms of the MIT License; see LICENSE file for more
-# details.
-
-r"""Permission generators and policies for Invenio records.
-
-Invenio-records-permissions provides a means to fully customize access control
-for Invenio records. It does so by defining and providing three layers of
-permission constructs that build on each other:
-Generators and Policies. You can extend or override them for maximum
-control. Thankfully we provide default ones that cover most cases.
-
-Invenio-records-permissions conveniently structures (and relies on)
-functionalities from
-`invenio-access <https://invenio-access.readthedocs.io>`_ and
-`flask-principal <https://pythonhosted.org/Flask-Principal>`_ .
-
-
-Generators
-----------
-
-Generators are the lowest level of abstraction provided by
-invenio-records-permissions. A
-:py:class:`~invenio_records_permissions.generators.Generator` represents
-identities via
-`Needs <https://invenio-access.readthedocs.io/en/latest/api.html#needs>`_ that
-are allowed or disallowed to act on a kind of object. A Generator does not
-specify the action, but it does specify who is allowed and the kind of object
-of concern (typically records). Generators *generate* required and forbidden
-Needs at the object-of-concern level and *generate* query filters
-at the search-for-objects-of-concern level.
-
-A Generator object defines 3 methods in addition to its constructor:
-
-- ``needs(self, **kwargs)``: returns Needs, one of which a provider is
-                             required to have to be allowed
-- ``excludes(self, **kwargs)``: returns a list of Needs disallowing any
-                                provider of a single one
-- ``query_filter(self, **kwargs)``: returns a query filter to enable retrieval
-                                    of records
-
-The ``needs`` and ``excludes`` methods specify access conditions from
-the point-of-view of the object-of-concern; whereas, the ``query_filter``
-method specifies those from the actor's point-of-view in search scenarios.
-
-A simple example of a Generator is the provided
-:py:class:`~invenio_records_permissions.generators.RecordOwners` Generator:
-
-.. code-block:: python
-
-    from flask_principal import UserNeed
-
-
-    class RecordOwners(Generator):
-        '''Allows record owners.'''
-
-        def needs(self, record=None, **kwargs):
-            '''Enabling Needs.'''
-            return [UserNeed(owner) for owner in record.get('owners', [])]
-
-        def query_filter(self, record=None, **kwargs):
-            '''Filters for current identity as owner.'''
-            # NOTE: implementation subject to change until permissions metadata
-            #       settled
-            provides = g.identity.provides
-            for need in provides:
-                if need.method == 'id':
-                    return Q('term', owners=need.value)
-            return []
-
-``RecordOwners`` allows any identity providing a `UserNeed
-<https://pythonhosted.org/Flask-Principal/#flask_principal.UserNeed>`_
-of value found in the ``owners`` metadata of a record. The
-``query_filter(self, **kwargs)``
-method outputs a query that returns all owned records of the current user.
-Not included in the above, because it doesn't apply to ``RecordOwners``, is
-the ``excludes(self, **kwargs)`` method.
-
-.. Note::
-
-    Exclusion has priority over inclusion. If a Need is returned by both
-    ``needs`` and ``excludes``, providers of that Need will be **excluded**.
-
-If implementation of Generators seems daunting, fear not! A collection of
-them has already been implemented in
-:py:mod:`~invenio_records_permissions.generators`
-and they cover most cases you may have.
-
-To fully understand how they work, we have to show where Generators are used.
-That is in the Policies.
-
-
-Policies
---------
-
-Classes inheriting from
-:py:class:`~invenio_records_permissions.policies.base.BasePermissionPolicy` are
-referred to as Policies. They list **what actions** can be done **by whom**
-over an implied category of objects (typically records). A Policy is
-instantiated on a per action basis and is a descendant of `Permission
-<https://invenio-access.readthedocs.io/en/latest/api.html
-#invenio_access.permissions.Permission>`_ in
-`invenio-access <https://invenio-access.readthedocs.io>`_ .
-Generators are used to provide the "by whom" part and the implied category of
-object.
-
-Here is an example of a custom record Policy:
-
-.. code-block:: python
-
-    from invenio_records_permissions.generators import AnyUser, RecordOwners, \
-        SuperUser
-    from invenio_records_permissions.policies.base import BasePermissionPolicy
-
-    class ExampleRecordPermissionPolicy(BasePermissionPolicy):
-        can_create = [AnyUser()]
-        can_search = [AnyUser()]
-        can_read = [AnyUser()]
-        can_update = [RecordOwners()]
-        can_foo_bar = [SuperUser()]
-
-The actions are class variables of the form: ``can_<action>`` and the
-corresponding (dis-)allowed identities are a list of Generator instances.
-One can define any action as long as it follows that pattern and
-is verified at the moment it is undertaken.
-
-In the example above, any user can create, list and read records, but only
-a record's owner can edit it and only super users can perform the "foo_bar"
-action.
-
-We recommend you extend the provided
-:py:class:`invenio_records_permissions.policies.records.RecordPermissionPolicy`
-to customize record permissions for your instance.
-This way you benefit from sane defaults.
-
-After you have defined your own Policy, set it in your configuration:
-
-.. code-block:: python
-
-    RECORDS_PERMISSIONS_RECORD_POLICY = (
-        'module.to.ExampleRecordPermissionPolicy'
-    )
-
-The succinct encoding of the permissions for your instance gives you
-    - one central location where your permissions are defined
-    - exact control
-    - great flexibility by defining your own actions, generators and policies
-"""
-
-from elasticsearch_dsl.query import Q
-from flask import current_app, request
-from invenio_access.permissions import any_user, superuser_access
-from invenio_records_permissions.generators import Generator
-
-
-class RecordIp(Generator):
-    """Allowed any user with accessing with the IP."""
-
-    def needs(self, record=None, **kwargs):
-        """Enabling Needs, Set of Needs granting permission."""
-        if record is None:
-            return []
-
-        # check if singleip is in the records restriction
-        is_single_ip = record.get("access", {}).get("access_right") == "singleip"
-
-        # check if the user ip is on list
-        visible = self.check_permission()
-
-        if not is_single_ip:
-            # if record does not have singleip - return any_user
-            return [any_user]
-            # if record has singleip, then check the ip of user - if ip user is on list - return any_user
-        elif visible:
-            return [any_user]
-        else:
-            # non of the above - return empty
-            return []
-
-    def excludes(self, **kwargs):
-        """Preventing Needs, Set of Needs denying permission.
-
-        If ANY of the Needs are matched, permission is revoked.
-
-        .. note::
-
-            ``_load_permissions()`` method from `Permission
-            <https://invenio-access.readthedocs.io/en/latest/api.html
-            #invenio_access.permissions.Permission>`_ adds by default the
-            ``superuser_access`` Need (if tied to a User or Role) for us.
-
-            It also expands ActionNeeds into the Users/Roles that
-            provide them.
-
-        If the same Need is returned by `needs` and `excludes`, then that
-        Need provider is disallowed.
-        """
-        return []
-
-    def query_filter(self, *args, **kwargs):
-        """Filters for singleip records."""
-        # check if the user ip is on list
-        visible = self.check_permission()
-
-        if not visible:
-            # If user ip is not on the list, and If the record contains 'singleip' will not be seen
-            return ~Q("match", **{"access.access_right": "singleip"})
-
-        # Lists all records
-        return Q("match_all")
-
-    def check_permission(self):
-        """Check for User IP address in config variable."""
-        # Get user IP
-        user_ip = request.remote_addr
-        # Checks if the user IP is among single IPs
-        if user_ip in current_app.config["INVENIO_CONFIG_TUGRAZ_SINGLE_IP"]:
-            return True
-        return False

invenio_config_tugraz/permissions/__init__.py

@@ -0,0 +1,13 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2024 Graz University of Technology.
+#
+# invenio-config-tugraz is free software; you can redistribute it and/or
+# modify it under the terms of the MIT License; see LICENSE file for more
+# details.
+
+"""Permission-policies and roles, based on `flask-principal`."""
+
+from .policies import TUGrazRDMRecordPermissionPolicy
+
+__all__ = ("TUGrazRDMRecordPermissionPolicy",)

invenio_config_tugraz/permissions/generators.py

@@ -0,0 +1,209 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2020-2024 Graz University of Technology.
+#
+# invenio-config-tugraz is free software; you can redistribute it and/or
+# modify it under the terms of the MIT License; see LICENSE file for more
+# details.
+
+r"""Permission generators for permission policies.
+
+invenio's permissions build on
+`flask-principal <https://pythonhosted.org/Flask-Principal>`_ .
+
+In `flask-principal`, an action's `Need`s are checked
+against current user's `Need`s to determine permissions.
+
+For example, the action of deleting a record is only
+permitted to users with `Need(method='role', value='admin')`.
+
+Not all `Need`s can be known before the app is running.
+For example, permissions for reading a record depend on whether
+the record is public/private, so the set of `Need`s necessary
+for reading a record must be computed dynamically at runtime.
+This is the use case for
+invenio's :py:class:`~invenio_records_permissions.generators.Generator`:
+it generates `Need`s necessary for an action at runtime.
+
+A `Generator` object defines 3 methods in addition to its constructor:
+
+- ``needs(self, **kwargs)``: returns `Need`s, one of which a provider is
+                             required to have to be allowed
+- ``excludes(self, **kwargs)``: returns a list of `Need`s disallowing any
+                                provider of a single one
+- ``query_filter(self, **kwargs)``: returns a query filter to enable retrieval
+                                    of records
+
+The ``needs`` and ``excludes`` methods specify access conditions from
+the point-of-view of the object-of-concern; whereas, the ``query_filter``
+method specifies those from the actor's point-of-view in search scenarios.
+
+.. Note::
+
+    Exclusion has priority over inclusion. If a `Need` is returned by both
+    ``needs`` and ``excludes``, providers of that `Need` will be **excluded**.
+
+"""
+
+from ipaddress import ip_address, ip_network
+from typing import Any
+
+from flask import current_app, request
+from flask_principal import Need
+from invenio_access.permissions import any_user
+from invenio_records_permissions.generators import Generator
+from invenio_search.engine import dsl
+
+from .roles import tugraz_authenticated_user
+
+
+class RecordSingleIP(Generator):
+    """Allowed any user with accessing with the IP."""
+
+    def needs(self, record: dict | None = None, **__: dict) -> list[Need]:
+        """Set of Needs granting permission. Enabling Needs."""
+        if record is None:
+            return []
+
+        # if record does not have singleip - return any_user
+        if not record.get("custom_fields", {}).get("single_ip", False):
+            return [any_user]
+
+        # if record has singleip, and the ip of the user matches the allowed ip
+        if self.check_permission():
+            return [any_user]
+
+        # non of the above - return empty
+        return []
+
+    def excludes(self, **kwargs: dict) -> list[Need]:
+        """Set of Needs denying permission. Preventing Needs.
+
+        If ANY of the Needs are matched, permission is revoked.
+
+        .. note::
+
+            ``_load_permissions()`` method from `Permission
+            <https://invenio-access.readthedocs.io/en/latest/api.html
+            #invenio_access.permissions.Permission>`_ adds by default the
+            ``superuser_access`` Need (if tied to a User or Role) for us.
+
+            It also expands ActionNeeds into the Users/Roles that
+            provide them.
+
+        If the same Need is returned by `needs` and `excludes`, then that
+        Need provider is disallowed.
+        """
+        try:
+            if (
+                kwargs["record"]["custom_fields"]["single_ip"]
+                and not self.check_permission()
+            ):
+                return [any_user]
+
+        except KeyError:
+            return []
+        else:
+            return []
+
+    def query_filter(self, *_: dict, **__: dict) -> Any:  # noqa: ANN401
+        """Filter for singleip records."""
+        if not self.check_permission():
+            # If user ip is not on the list, and If the record contains 'singleip' will not be seen
+            return ~dsl.Q("match", **{"custom_fields.single_ip": True})
+
+        # Lists all records
+        return dsl.Q("match_all")
+
+    def check_permission(self) -> bool:
+        """Check for User IP address in config variable.
+
+        If the user ip is in the configured list return True.
+        """
+        try:
+            user_ip = request.remote_addr
+        except RuntimeError:
+            return False
+
+        single_ips = current_app.config["CONFIG_TUGRAZ_SINGLE_IPS"]
+
+        return user_ip in single_ips
+
+
+class AllowedFromIPNetwork(Generator):
+    """Allowed from ip range."""
+
+    def needs(self, record: dict | None = None, **__: dict) -> list[Need]:
+        """Set of Needs granting permission. Enabling Needs."""
+        if record is None:
+            return []
+
+        # if the record doesn't have set the ip range allowance
+        if not record.get("custom_fields", {}).get("ip_network", False):
+            return [any_user]
+
+        # if the record has set the ip_range allowance and is in the range
+        if self.check_permission():
+            return [any_user]
+
+        # non of the above - return empty
+        return []
+
+    def excludes(self, **kwargs: dict) -> Need:
+        """Set of Needs denying permission. Preventing Needs.
+
+        If ANY of the Needs are matched, permission is revoked.
+
+        .. note::
+
+            ``_load_permissions()`` method from `Permission
+            <https://invenio-access.readthedocs.io/en/latest/api.html
+            #invenio_access.permissions.Permission>`_ adds by default the
+            ``superuser_access`` Need (if tied to a User or Role) for us.
+
+            It also expands ActionNeeds into the Users/Roles that
+            provide them.
+
+        If the same Need is returned by `needs` and `excludes`, then that
+        Need provider is disallowed.
+        """
+        try:
+            if (
+                kwargs["record"]["custom_fields"]["ip_network"]
+                and not self.check_permission()
+            ):
+                return [any_user]
+
+        except KeyError:
+            return []
+        else:
+            return []
+
+    def query_filter(self, *_: dict, **__: dict) -> Any:  # noqa: ANN401
+        """Filter for ip range records."""
+        if not self.check_permission():
+            return ~dsl.Q("match", **{"custom_fields.ip_network": True})
+
+        return dsl.Q("match_all")
+
+    def check_permission(self) -> bool:
+        """Check for User IP address in the configured network."""
+        try:
+            user_ip = request.remote_addr
+        except RuntimeError:
+            return False
+
+        network = current_app.config["CONFIG_TUGRAZ_IP_NETWORK"]
+
+        try:
+            return ip_address(user_ip) in ip_network(network)
+        except ValueError:
+            return False
+
+
+class TUGrazAuthenticatedUser(Generator):
+    """Generates the `tugraz_authenticated_user` role-need."""
+
+    def needs(self, **__: dict) -> list[Need]:
+        """Generate needs to be checked against current user identity."""
+        return [tugraz_authenticated_user]

invenio_config_tugraz/permissions/policies.py

@@ -0,0 +1,253 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2020-2024 Graz University of Technology.
+#
+# invenio-config-tugraz is free software; you can redistribute it and/or
+# modify it under the terms of the MIT License; see LICENSE file for more
+# details.
+
+"""TU Graz permission-policy for RDMRecordService.
+
+To use, set config-variable `RDM_PERMISSION_POLICY` to `TUGrazRDMRecordPermissionPolicy`.
+
+Policies list **what actions** can be done **by whom**
+over an implied category of objects (typically records). A Policy is
+instantiated on a per action basis and is a descendant of `Permission
+<https://invenio-access.readthedocs.io/en/latest/api.html
+#invenio_access.permissions.Permission>`_ in
+`invenio-access <https://invenio-access.readthedocs.io>`_ .
+Generators are used to provide the "by whom" part and the implied category of
+object.
+
+Actions are class variables of the form: ``can_<action>`` and the
+corresponding (dis-)allowed identities are a list of Generator instances.
+One can define any action as long as it follows that pattern and
+is verified at the moment it is undertaken.
+"""
+
+
+from invenio_administration.generators import Administration
+from invenio_communities.generators import CommunityCurators
+from invenio_rdm_records.services.generators import (
+    AccessGrant,
+    CommunityInclusionReviewers,
+    IfDeleted,
+    IfExternalDOIRecord,
+    IfFileIsLocal,
+    IfNewRecord,
+    IfRecordDeleted,
+    IfRestricted,
+    RecordCommunitiesAction,
+    RecordOwners,
+    ResourceAccessToken,
+    SecretLinks,
+    SubmissionReviewer,
+)
+from invenio_records_permissions.generators import (
+    AnyUser,
+    Disable,
+    IfConfig,
+    SystemProcess,
+)
+from invenio_records_permissions.policies.records import RecordPermissionPolicy
+from invenio_users_resources.services.permissions import UserManager
+
+from .generators import AllowedFromIPNetwork, RecordSingleIP, TUGrazAuthenticatedUser
+
+
+class TUGrazRDMRecordPermissionPolicy(RecordPermissionPolicy):
+    """Overwrite authenticatedness to mean `tugraz_authenticated` rather than *signed up*."""
+
+    NEED_LABEL_TO_ACTION = {
+        "bucket-update": "update_files",
+        "bucket-read": "read_files",
+        "object-read": "read_files",
+    }
+
+    #
+    # General permission-groups, to be used below
+    #
+    can_manage = [
+        RecordOwners(),
+        RecordCommunitiesAction("curate"),
+        AccessGrant("manage"),
+        SystemProcess(),
+    ]
+    can_curate = can_manage + [AccessGrant("edit"), SecretLinks("edit")]
+    can_review = can_curate + [SubmissionReviewer()]
+    can_preview = can_curate + [
+        AccessGrant("preview"),
+        SecretLinks("preview"),
+        SubmissionReviewer(),
+        UserManager,
+    ]
+    can_view = can_preview + [
+        AccessGrant("view"),
+        SecretLinks("view"),
+        SubmissionReviewer(),
+        CommunityInclusionReviewers(),
+        RecordCommunitiesAction("view"),
+        AllowedFromIPNetwork(),
+        RecordSingleIP(),
+    ]
+
+    can_tugraz_authenticated = [TUGrazAuthenticatedUser(), SystemProcess()]
+    can_authenticated = can_tugraz_authenticated
+    can_all = [
+        AnyUser(),
+        SystemProcess(),
+        AllowedFromIPNetwork(),
+        RecordSingleIP(),
+    ]
+
+    #
+    # Miscellaneous
+    #
+    # Allow for querying of statistics
+    # - This is currently disabled because it's not needed and could potentially
+    #   open up surface for denial of service attacks
+    can_query_stats = [Disable()]
+
+    #
+    # Records - reading and creating
+    #
+    can_search = can_all
+    can_read = [IfRestricted("record", then_=can_view, else_=can_all)]
+
+    can_read_deleted = [
+        IfRecordDeleted(then_=[UserManager, SystemProcess()], else_=can_read),
+    ]
+    can_read_deleted_files = can_read_deleted
+    can_media_read_deleted_files = can_read_deleted_files
+    can_read_files = [
+        IfRestricted("files", then_=can_view, else_=can_all),
+        ResourceAccessToken("read"),
+    ]
+    can_get_content_files = [
+        IfFileIsLocal(then_=can_read_files, else_=[SystemProcess()]),
+    ]
+    can_create = can_tugraz_authenticated
+
+    #
+    # Drafts
+    #
+    can_search_drafts = can_tugraz_authenticated
+    can_read_draft = can_preview
+    can_draft_read_files = can_preview + [ResourceAccessToken("read")]
+    can_update_draft = can_review
+    can_draft_create_files = can_review
+    can_draft_set_content_files = [
+        IfFileIsLocal(then_=can_review, else_=[SystemProcess()]),
+    ]
+    can_draft_get_content_files = [
+        IfFileIsLocal(then_=can_draft_read_files, else_=[SystemProcess()]),
+    ]
+    can_draft_commit_files = [IfFileIsLocal(then_=can_review, else_=[SystemProcess()])]
+    can_draft_update_files = can_review
+    can_draft_delete_files = can_review
+    can_manage_files = [
+        IfConfig(
+            "RDM_ALLOW_METADATA_ONLY_RECORDS",
+            then_=[IfNewRecord(then_=can_tugraz_authenticated, else_=can_review)],
+            else_=[],
+        ),
+    ]
+    can_manage_record_access = [
+        IfConfig(
+            "RDM_ALLOW_RESTRICTED_RECORDS",
+            then_=[IfNewRecord(then_=can_tugraz_authenticated, else_=can_review)],
+            else_=[],
+        ),
+    ]
+
+    #
+    # PIDs
+    #
+    can_pid_create = can_review
+    can_pid_register = can_review
+    can_pid_update = can_review
+    can_pid_discard = can_review
+    can_pid_delete = can_review
+
+    #
+    # Actions
+    #
+    can_edit = [IfDeleted(then_=[Disable()], else_=can_curate)]
+    can_delete_draft = can_curate
+    can_new_version = [
+        IfConfig(
+            "RDM_ALLOW_EXTERNAL_DOI_VERSIONING",
+            then_=can_curate,
+            else_=[IfExternalDOIRecord(then_=[Disable()], else_=can_curate)],
+        ),
+    ]
+    can_publish = can_review
+    can_lift_embargo = can_manage
+
+    #
+    # Record communities
+    #
+    can_add_community = can_manage
+    can_remove_community = [RecordOwners(), CommunityCurators(), SystemProcess()]
+    can_remove_record = [CommunityCurators()]
+    can_bulk_add = [SystemProcess()]
+
+    #
+    # Media files - draft
+    #
+    can_draft_media_create_files = can_review
+    can_draft_media_read_files = can_review
+    can_draft_media_set_content_files = [
+        IfFileIsLocal(then_=can_review, else_=[SystemProcess()]),
+    ]
+    can_draft_media_get_content_files = [
+        IfFileIsLocal(then_=can_preview, else_=[SystemProcess()]),
+    ]
+    can_draft_media_commit_files = [
+        IfFileIsLocal(then_=can_preview, else_=[SystemProcess()]),
+    ]
+    can_draft_media_delete_files = can_review
+    can_draft_media_update_files = can_review
+
+    #
+    # Media files - record
+    #
+    can_media_read_files = [
+        IfRestricted("record", then_=can_view, else_=can_all),
+        ResourceAccessToken("read"),
+    ]
+    can_media_get_content_files = [
+        IfFileIsLocal(then_=can_read, else_=[SystemProcess()]),
+    ]
+    can_media_create_files = [Disable()]
+    can_media_set_content_files = [Disable()]
+    can_media_commit_files = [Disable()]
+    can_media_update_files = [Disable()]
+    can_media_delete_files = [Disable()]
+
+    #
+    # Record deletetion
+    #
+    can_delete = [Administration(), SystemProcess()]
+    can_delete_files = [SystemProcess()]
+    can_purge = [SystemProcess()]
+
+    #
+    # Quotas for records/users
+    #
+    can_manage_quota = [UserManager, SystemProcess()]
+
+    #
+    # Disabled
+    #
+    # - Records/files are updated/deleted via drafts so we don't support
+    #   using below actions.
+    can_update = [Disable()]
+    can_create_files = [Disable()]
+    can_set_content_files = [Disable()]
+    can_commit_files = [Disable()]
+    can_update_files = [Disable()]
+
+    # Used to hide at the moment the `parent.is_verified` field. It should be set to
+    # correct permissions based on which the field will be exposed only to moderators
+    can_moderate = [Disable()]

invenio_config_tugraz/permissions/roles.py

@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2024 Graz University of Technology.
+#
+# invenio-config-tugraz is free software; you can redistribute it and/or
+# modify it under the terms of the MIT License; see LICENSE file for more
+# details.
+
+"""`RoleNeed`s for permission policies.
+
+To use these roles, add them to the database via:
+    `$ invenio roles create tugraz_authenticated_user --description "..."`
+then add roles to users via:
+    `$ invenio roles add user@email.com tugraz_authenticated_user`
+"""
+
+from flask_principal import RoleNeed
+
+# using `flask_principal.RoleNeed`` instead of `invenio_access.SystemRoleNeed`,
+# because these roles are assigned by an admin rather than automatically by the system
+tugraz_authenticated_user = RoleNeed("tugraz_authenticated_user")

invenio_config_tugraz/rdm_permissions.py

@@ -1,86 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# Copyright (C) 2020-2021 Graz University of Technology.
-#
-# invenio-config-tugraz is free software; you can redistribute it and/or
-# modify it under the terms of the MIT License; see LICENSE file for more
-# details.
-
-"""
-Records permission policies.
-
-Default policies for records:
-
-.. code-block:: python
-
-    # Read access given to everyone.
-    can_search = [AnyUser()]
-    # Create action given to no one (Not even superusers) bc Deposits should
-    # be used.
-    can_create = [Disable()]
-    # Read access given to everyone if public record/files and owners always.
-    can_read = [AnyUserIfPublic(), RecordOwners()]
-    # Update access given to record owners.
-    can_update = [RecordOwners()]
-    # Delete access given to admins only.
-    can_delete = [Admin()]
-    # Associated files permissions (which are really bucket permissions)
-    can_read_files = [AnyUserIfPublic(), RecordOwners()]
-    can_update_files = [RecordOwners()]
-
-How to override default policies for rdm-records.
-
-Using Custom Generator for a policy:
-
-.. code-block:: python
-
-    from invenio_rdm_records.services import (
-    BibliographicRecordServiceConfig,
-    RDMRecordPermissionPolicy,
-    )
-
-    from invenio_config_tugraz.generators import RecordIp
-
-    class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy):
-
-    # Create access given to SuperUser only.
-
-    can_create = [SuperUser()]
-
-    RDM_RECORDS_BIBLIOGRAPHIC_SERVICE_CONFIG  = TUGRAZBibliographicRecordServiceConfig
-
-
-Permissions for Invenio (RDM) Records.
-"""
-
-from invenio_rdm_records.services import RDMRecordPermissionPolicy
-from invenio_rdm_records.services.config import RDMRecordServiceConfig
-from invenio_rdm_records.services.generators import IfDraft, IfRestricted, RecordOwners
-from invenio_records_permissions.generators import (
-    Admin,
-    AnyUser,
-    AuthenticatedUser,
-    Disable,
-    SuperUser,
-    SystemProcess,
-)
-
-
-class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy):
-    """Access control configuration for rdm records.
-
-    This overrides the origin:
-    https://github.com/inveniosoftware/invenio-rdm-records/blob/master/invenio_rdm_records/services/permissions.py.
-    Access control configuration for records.
-    Note that even if the array is empty, the invenio_access Permission class
-    always adds the ``superuser-access``, so admins will always be allowed.
-    - Create action given to everyone for now.
-    - Read access given to everyone if public record and given to owners
-      always. (inherited)
-    - Update access given to record owners. (inherited)
-    - Delete access given to admins only. (inherited)
-    """
-
-
-class TUGRAZRDMRecordServiceConfig(RDMRecordServiceConfig):
-    """Overriding BibliographicRecordServiceConfig."""

invenio_config_tugraz/templates/invenio_app_rdm/help/search.de.html

@@ -1,257 +0,0 @@
-{#
-    Copyright (C) 2021 CERN.
-    Copyright (C) 2021 Graz University of Technology.
-  
-    Invenio App RDM is free software; you can redistribute it and/or modify it
-    under the terms of the MIT License; see LICENSE file for more details.
-  #}
-  {%- set title = _("Search guide") %}
-  {%- extends "invenio_theme/page.html" %}
-  
-  {%- block page_body %}
-  <div class="ui container">
-    <h1>Suchanleitung</h1>
-    <p>
-      Diese Anleitung erklärt anhand von leicht verständlichen Beispielen,
-      wie man erweiterte Suchanfragen schreibt.
-    </p>
-    <h3>Einfache Suche (ein oder mehrere Begriffe)</h3>
-    <p>
-      <strong>Beispiel:</strong>
-      <a href="/search?page=1&amp;size=20&amp;q=open%20science"
-        ><code>open science</code></a
-      >
-    </p>
-    <p>
-      Die Ergebnisse entsprechen Datensätzen mit den <em>Begriffen</em> <code>open</code>
-      <em>oder</em> <code>science</code> in einem <em>beliebigen Feld</em>. Beachten Sie, dass die Abstammung angewendet wird,
-      so dass z. B. <code>science</code> auch mit
-      <code>sciences</code>übereinstimmt. Die Suchergebnisse werden nach einem Algorithmus geordnet,
-      der Ihre Suchbegriffe berücksichtigt.
-    </p>
-    <p>
-      Sie können das <em>Vorhandensein</em> beider Terme entweder mit dem
-      <code>+</code> oder dem <code>AND</code> Operator verlangen:
-    </p>
-    <p>
-      <strong>Beispiele:</strong>
-      <a href="/search?page=1&amp;size=20&amp;q=%2Bopen%20%2Bscience"
-        ><code>+open +science</code></a
-      >
-      oder
-      <a href="/search?page=1&amp;size=20&amp;q=open%20AND%20science"
-        ><code>open AND science</code></a
-      >
-    </p>
-    <p>
-      Sie können das <em>Nichtvorhandensein</em> eines oder mehrerer Begriffe mit dem Operator
-      <code>-</code> oder <code>NOT</code> verlangen:
-    </p>
-    <p>
-      <strong>Beispiele:</strong>
-      <a href="/search?page=1&amp;size=20&amp;q=-open%20%2Bscience"
-        ><code>-open +science</code></a
-      >
-      oder
-      <a href="/search?page=1&amp;size=20&amp;q=NOT%20open%20AND%20science"
-        ><code>NOT open AND science</code></a
-      >
-    </p>
-    <h3>Phrasensuche</h3>
-    <p>
-      <strong>Beispiel:</strong>
-      <a href="/search?page=1&amp;size=20&amp;q=%22open%20science%22"
-        ><code>"open science"</code></a
-      >
-    </p>
-    <p>
-      Die Ergebnisse entsprechen Datensätzen mit der <em>phrase</em>
-      <code>open science</code> in einem <em>beliebigen Feld</em>.
-    </p>
-    <h3>Feldsuche</h3>
-    <p>
-      <strong>Beispiel:</strong>
-      <a href="/search?page=1&amp;size=20&amp;q=metadata.title:open"
-        ><code>metadata.title:open</code></a
-      >
-    </p>
-    <p>
-      Die Ergebnisse stimmen mit Datensätzen überein, bei denen der <em>Begriff</em> <code>open</code> im
-      <em>Feld</em> <code>metadata.title</code>ist. enn Sie nach mehreren Begriffen im Titel suchen möchten,
-      müssen Sie <strong>die Begriffe</strong> mit Klammern gruppieren:
-    </p>
-    <p>
-      <strong>Beispiel:</strong>
-      <a href="/search?page=1&amp;size=20&amp;q=metadata.title:(open%20science%29"
-        ><code>metadata.title:(open science)</code></a
-      >
-    </p>
-    <p>
-      Die vollständige Liste der Felder, die Sie durchsuchen können, finden Sie in der Feldreferenz unten.
-    </p>
-    <h3>Kombinierte einfache, Phrasen- oder Feldsuche</h3>
-    <p>
-      <strong>Beispiel:</strong>
-      <a
-        href="/search?page=1&amp;size=20&amp;q=%2Bmetadata.title:%22open%20science%22%20-metadata.title:policy"
-        ><code>+metadata.title:"open science" -metadata.title:policy</code></a
-      >
-      oder z. B.
-      <a href="/search?page=1&amp;size=20&amp;q=metadata.title:(-open%20%2Bscience%29"
-        ><code>metadata.title:(-open +science)</code></a
-      >
-    </p>
-    <p>
-      Sie können einfache, Phrasen- und Feldsuche kombinieren, um erweiterte Suchanfragen zu konstruieren.
-    </p>
-    <h3>Bereichssuche</h3>
-    <p>
-      <strong>Beispiel:</strong>
-      <a
-        href="/search?page=1&amp;size=20&amp;q=metadata.publication_date:%5B2017%20TO%202018%5D"
-        ><code>metadata.publication_date:[2017 TO 2018]</code></a
-      >
-      (Achtung, <code>TO</code> muss großgeschrieben werden).
-    </p>
-    <p>
-      Die Ergebnisse entsprechen allen Datensätzen mit einem Veröffentlichungsdatum
-      zwischen 2017-01-01 und 2018-01-01 (beide Daten inklusive).
-    </p>
-    <p>Beachten Sie, dass partielle Daten zu vollständigen Daten erweitert werden, z. B.:</p>
-    <ul>
-      <li>2017 wird erweitert auf 2017-01-01</li>
-      <li>2017-06 wird erweitert auf 2017-06-01</li>
-    </ul>
-    <p>
-      Verwenden Sie eckige Klammern (<code>[]</code>) für <em>einschließende</em> Bereiche und geschweifte
-      Klammern (<code>{}</code>) für <em>ausschließende</em> Bereiche, z. B.:
-    </p>
-    <ul>
-      <li>
-        <code>[2017 TO 2018}</code> ist aufgrund der Datumserweiterung
-        und der exklusiven Obergrenze äquivalent zu
-        <code>[2017-01-01 TO 2017-12-31]</code>.
-      </li>
-    </ul>
-    <p>Beispiele für andere Bereiche:</p>
-    <ul>
-      <li>
-        <code>metadata.publication_date:{* TO 2017-01-01}</code>: Alle Tage bis 2017.
-      </li>
-      <li>
-        <code>metadata.publication_date:[2017-01-01 TO *]</code>: Alle Tage von 2017.
-      </li>
-    </ul>
-    <h3>Ranking/Sortierung</h3>
-    <p>
-      Standardmäßig werden alle Suchen nach einem internen Ranking-Algorithmus sortiert,
-      der jede Übereinstimmung mit Ihrer Abfrage bewertet. Sowohl in der Benutzeroberfläche
-      als auch in der REST-API ist es möglich, die Ergebnisse zu sortieren nach:
-    </p>
-    <ul>
-      <li>Aktuellste</li>
-      <li>Beste Übereinstimmung</li>
-    </ul>
-    <h3>Reguläre Ausdrücke</h3>
-    <p>
-      Reguläre Ausdrücke sind eine mächtige Sprache für den Mustervergleich, mit der
-      man nach bestimmten Mustern in einem Feld suchen kann. Wenn wir zum Beispiel
-      alle Datensätze mit dem DOI-Präfix 10.5281 finden wollen, können wir eine Suche mit
-      regulären Ausdrücken verwenden:
-    </p>
-    <p>
-      <strong>Beispiel:</strong>
-      <a href="/search?page=1&amp;size=20&amp;q=metadata.subjects.identifier:%2F03yrm5c2%5B1%2C6%5D%2F"
-        ><code>metadata.subjects.identifier:/03yrm5c2[1,6]/</code></a
-      >
-    </p>
-    <p>
-      Vorsicht, der reguläre Ausdruck muss mit dem <em>gesamten</em> Feldwert übereinstimmen.
-      Weitere Einzelheiten finden Sie in der
-      <a
-        href="https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-regexp-query.html#regexp-syntax"
-        >Syntax des regulären Ausdrucks</a
-      >
-      .
-    </p>
-    <h3>Fehlende Werte</h3>
-    <p>
-      Es ist möglich, mit den Feldnamen <code>_exists_</code> und
-      <code>_missing_</code> nach Datensätzen zu suchen,
-      in denen entweder ein Wert fehlt oder die einen Wert in einem bestimmten Feld haben.
-    </p>
-    <p>
-      <strong>Beispiel:</strong>
-      <a href="/search?page=1&amp;size=20&amp;q=_missing_:metadata.additional_titles"
-        ><code>_missing_:metadata.additional_titles</code></a
-      >
-      (alle Datensätze ohne metadata.additional_titles)
-    </p>
-    <p>
-      <strong>Beispiel:</strong>
-      <a href="/search?page=1&amp;size=20&amp;q=_exists_:metadata.creators"
-        ><code>_exists_:metadata.creators</code></a
-      >
-      (alle Datensätze mit metadata.creators)
-    </p>
-    <h3>Erweiterte Konzepte</h3>
-    <h4>Boosten</h4>
-    <p>
-      Sie können den Boost-Operator <code>^</code> verwenden, wenn ein Begriff relevanter ist als ein
-      anderer. Sie können z. B. nach allen Datensätzen suchen, die den Ausdruck
-      <em>open science</em> entweder <em>im title</em> oder im
-      <em>description</em> feld enthalten, aber Datensätze mit dem Ausdruck im
-      <em>title</em> feld höher einstufen:
-    </p>
-    <p>
-      <strong>Beispiel:</strong>
-      <a
-        href="/search?page=1&amp;size=20&amp;q=metadata.title:%22open%20science%22%5E5%20metadata.description:%22open%20science%22"
-        ><code>metadata.title:"open science"^5 metadata.description:"open science"</code></a
-      >
-    </p>
-    <h4>Unschärfe</h4>
-    <p>
-      Mit dem Fuzzy-Operator <code>~</code>können Sie nach
-      Begriffen suchen, die Ihrem Suchbegriff ähnlich, aber nicht genau gleich sind.
-    </p>
-    <p>
-      <strong>Beispiel:</strong>
-      <a href="/search?page=1&amp;size=20&amp;q=oepn~"><code>oepn~</code></a>
-    </p>
-    <p>
-      Die Ergebnisse entsprechen Datensätzen mit ähnlichen Begriffen wie <code>oepn</code> die z. B.
-      auch auf <code>open</code> passen würden.
-    </p>
-    <h4>Näherungssuche</h4>
-    <p>
-      Eine Phrasensuche wie <code>"open science"</code> erwartet standardmäßig alle Begriffe in
-      genau der gleichen Reihenfolge und würde daher z. B. nicht auf einen Datensatz
-      passen, der die Phrase <em>"open access and science"</em> enthält.
-      Eine Proximity-Suche erlaubt, dass die Begriffe nicht in der exakten Reihenfolge stehen
-      und auch andere Begriffe dazwischen enthalten können.
-      Der Grad der Flexibilität wird anschließend durch eine Ganzzahl angegeben:
-    </p>
-    <p>
-      <strong>Beispiel:</strong>
-      <a href="/search?page=1&amp;size=20&amp;q=%22open%20science%22~5"
-        ><code>"open science"~5</code></a
-      >
-    </p>
-    <h4>Wildcards</h4>
-    <p>
-      Sie können Wildcards in Suchbegriffen verwenden, um ein einzelnes Zeichen (mit
-      dem Operator<code>?</code> operator) oder null oder mehr Zeichen  (mit dem Operator
-      <code>*</code> ) zu ersetzen.
-    </p>
-    <p>
-      <strong>Beispiel:</strong>
-      <a href="/search?page=1&amp;size=20&amp;q=ope%3F%20scien*"
-        ><code>ope? scien*</code></a
-      >
-    </p>
-    <p>
-      Platzhaltersuchen können langsam sein und sollten normalerweise nach Möglichkeit vermieden werden.
-    </p>
-  </div>
-  {%- endblock page_body%}

invenio_config_tugraz/templates/security/email/welcome.txt

@@ -4,10 +4,10 @@
 
 {{ _('To help you get started, here are some useful links:') }}
 
-    - {{ _('Guidelines:')}} {{ _('Repository Guide')}} ({{ _('how to upload files')}}) (https://{{ config.SITE_HOSTNAME }}{{ url_for('invenio_theme_tugraz.guide') }})
-    - {{ _('Search Guide')}} (https://{{ config.SITE_HOSTNAME }}{{url_for('invenio_app_rdm.help_search')}})
-    - {{ _('Terms And Conditions') }} (https://{{ config.SITE_HOSTNAME }}{{ url_for('invenio_theme_tugraz.terms') }})
-    - {{ _('Data Protection Rights')}} (https://{{ config.SITE_HOSTNAME }}{{ url_for('invenio_theme_tugraz.gdpr') }})
+    - {{ _('Guidelines:')}} {{ _('Repository Guide')}} ({{ _('how to upload files')}}) ({{ config.SITE_UI_URL }}{{ url_for('invenio_config_tugraz.guide') }})
+    - {{ _('Search Guide')}} ({{ config.SITE_UI_URL }}{{url_for('invenio_app_rdm.help_search')}})
+    - {{ _('Terms And Conditions') }} ({{ config.SITE_UI_URL }}{{ url_for('invenio_config_tugraz.terms') }})
+    - {{ _('Data Protection Rights')}} ({{ config.SITE_UI_URL }}{{ url_for('invenio_config_tugraz.gdpr') }})
 {% if security.confirmable %}
 {{ _('You can confirm your email through the link below:') }}
 {{ confirmation_link }}">

invenio_config_tugraz/utils.py

@@ -0,0 +1,73 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2022-2024 Graz University of Technology.
+#
+# invenio-config-tugraz is free software; you can redistribute it and/or
+# modify it under the terms of the MIT License; see LICENSE file for more
+# details.
+
+"""Utils file."""
+
+import warnings
+
+from flask_principal import Identity
+from invenio_access import any_user
+from invenio_access.utils import get_identity
+from invenio_accounts import current_accounts
+
+
+def get_identity_from_user_by_email(email: str | None = None) -> Identity:
+    """Get the user specified via email or ID."""
+    warnings.warn("deprecated", DeprecationWarning, stacklevel=2)
+
+    if email is None:
+        msg = "the email has to be set to get a identity"
+        raise ValueError(msg)
+
+    user = current_accounts.datastore.get_user(email)
+
+    if user is None:
+        msg = f"user with {email} not found"
+        raise LookupError(msg)
+
+    identity = get_identity(user)
+
+    # TODO: this is a temporary solution. this should be done with data from the db
+    identity.provides.add(any_user)
+
+    return identity
+
+
+def tugraz_account_setup_extension(user, account_info) -> None:  # noqa: ANN001, ARG001
+    """Add tugraz_authenticated role to user after SAML-login was acknowledged.
+
+    To use, have `acs_handler_factory` call invenio_saml's `default_account_setup` first,
+    then this function second.
+
+    .. code-block:: python
+
+        # invenio.cfg
+        from invenio_saml.handlers import default_account_setup, acs_handler_factory
+
+        def tugraz_account_setup(user, account_info):
+            # links external `account_info` with our database's `user` for future logins
+            default_account_setup(user, account_info)
+            tugraz_account_setup_extension(user, account_info)
+
+        SSO_SAML_IDPS = {
+            "my-tugraz-idp": {
+                ...
+                "acs_handler": acs_handler_factory(
+                    "my-tugraz-idp", account_setup=tugraz_account_setup
+                )
+            }
+        }
+
+    For this to work, the role tugraz_authenticated must have been created
+    (e.g. via `invenio roles create tugraz_authenticated`).
+    """
+    user_email = account_info["user"]["email"]
+
+    # NOTE: `datastore.commit`ing will be done by acs_handler that calls this func
+    # NOTE: this is a No-Op when user_email already has role tugraz_authenticated
+    current_accounts.datastore.add_role_to_user(user_email, "tugraz_authenticated")

invenio_config_tugraz/version.py

@@ -1,15 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# Copyright (C) 2020 Mojib Wali.
-#
-# invenio-config-tugraz is free software; you can redistribute it and/or
-# modify it under the terms of the MIT License; see LICENSE file for more
-# details.
-
-"""Version information for invenio-config-tugraz.
-
-This file is imported by ``invenio_config_tugraz.__init__``,
-and parsed by ``setup.py``.
-"""
-
-__version__ = "0.5.9"

invenio_config_tugraz/views.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2020-2021 Graz University of Technology.
+# Copyright (C) 2020-2024 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -8,37 +8,60 @@
 
 """invenio module for TUGRAZ config."""
 
-from os import environ
-from typing import Dict
-
-from elasticsearch_dsl.utils import AttrDict
-from flask import Blueprint, current_app
+from flask import Blueprint, Flask, redirect, url_for
+from invenio_i18n import get_locale
+from werkzeug.wrappers import Response as BaseResponse
 
 
-def ui_blueprint(app):
+def ui_blueprint(app: Flask) -> Blueprint:
     """Blueprint for the routes and resources provided by invenio-config-tugraz."""
+    routes = app.config.get("CONFIG_TUGRAZ_ROUTES")
+
     blueprint = Blueprint(
         "invenio_config_tugraz",
         __name__,
         template_folder="templates",
+        static_folder="static",
     )
 
-    @blueprint.before_app_first_request
-    def rank_higher():
-        """Rank this modules blueprint higher than blueprint of security module."""
-        blueprints = current_app._blueprint_order
-        our_index = None
-        security_index = None
-
-        for index, bp in enumerate(blueprints):
-            if bp.name == "security":
-                security_index = index
-            if bp.name == "invenio_config_tugraz":
-                our_index = index
-
-        if (security_index is not None) and (our_index > security_index):
-            temp = blueprints[security_index]
-            blueprints[security_index] = blueprints[our_index]
-            blueprints[our_index] = temp
+    blueprint.add_url_rule(routes["guide"], view_func=guide)
+    blueprint.add_url_rule(routes["terms"], view_func=terms)
+    blueprint.add_url_rule(routes["gdpr"], view_func=gdpr)
 
     return blueprint
+
+
+def guide() -> BaseResponse:
+    """TUGraz_Repository_Guide."""
+    locale = get_locale()
+    return redirect(
+        url_for(
+            "static",
+            filename=f"documents/TUGraz_Repository_Guide_02.1_{locale}.pdf",
+            _external=True,
+        ),
+    )
+
+
+def terms() -> BaseResponse:
+    """Terms_And_Conditions."""
+    locale = get_locale()
+    return redirect(
+        url_for(
+            "static",
+            filename=f"documents/TUGraz_Repository_Terms_And_Conditions_{locale}.pdf",
+            _external=True,
+        ),
+    )
+
+
+def gdpr() -> BaseResponse:
+    """General_Data_Protection_Rights."""
+    locale = get_locale()
+    return redirect(
+        url_for(
+            "static",
+            filename=f"documents/TUGraz_Repository_General_Data_Protection_Rights_{locale}.pdf",
+            _external=True,
+        ),
+    )

pyproject.toml

@@ -0,0 +1,22 @@
+[build-system]
+requires = ["setuptools", "wheel", "babel>2.8"]
+build-backend = "setuptools.build_meta"
+
+[tool.ruff]
+exclude = ["docs"]
+
+[tool.ruff.lint]
+select = ["ALL"]
+ignore = [
+  "ANN101", "ANN102",
+  "D203", "D211", "D212", "D213",
+  "E501",
+  "ERA001",
+  "FA102",
+  "FIX002",
+  "INP001",
+  "RUF005", "RUF012",
+  "S101",
+  "TD002", "TD003",
+  "UP009",
+]

pytest.ini

@@ -1,12 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# Copyright (C) 2020 Mojib Wali.
-#
-# invenio-config-tugraz is free software; you can redistribute it and/or
-# modify it under the terms of the MIT License; see LICENSE file for more
-# details.
-
-[pytest]
-addopts = --isort --pydocstyle --pycodestyle --doctest-glob="*.rst" --doctest-modules --cov=invenio_config_tugraz --cov-report=term-missing tests invenio_config_tugraz
-testpaths = tests invenio_config_tugraz
-live_server_scope = module

requirements-devel.txt

@@ -1,13 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# Copyright (C) 2020 Mojib Wali.
-#
-# invenio-config-tugraz is free software; you can redistribute it and/or
-# modify it under the terms of the MIT License; see LICENSE file for more
-# details.
-#
-# TODO: Add development versions of some important dependencies here to get a
-#       warning when there are breaking upstream changes, e.g.:
-#
-#     -e git+git://github.com/mitsuhiko/werkzeug.git#egg=Werkzeug
-#     -e git+git://github.com/mitsuhiko/jinja2.git#egg=Jinja2

run-tests.sh

@@ -3,7 +3,7 @@
 #
 # Copyright (C) 2019-2020 CERN.
 # Copyright (C) 2019-2020 Northwestern University.
-# Copyright (C) 2020 Graz University of Technology.
+# Copyright (C) 2020-2024 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -16,18 +16,8 @@ set -o errexit
 # Quit on unbound symbols
 set -o nounset
 
-# Always bring down docker services
+ruff check .
 
-function cleanup() {
-    eval "$(docker-services-cli down --env)"
-}
-trap cleanup EXIT
-
-
-python -m check_manifest --ignore ".*-requirements.txt"
-python -m sphinx.cmd.build -qnNW docs docs/_build/html
-eval "$(docker-services-cli up --db ${DB:-postgresql} --search ${SEARCH:-elasticsearch} --cache ${CACHE:-redis} --env)"
+python -m check_manifest
+python -m sphinx.cmd.build -qnN docs docs/_build/html
 python -m pytest
-tests_exit_code=$?
-python -m sphinx.cmd.build -qnNW -b doctest docs docs/_build/doctest
-exit "$tests_exit_code"

setup.cfg

@@ -1,11 +1,64 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2020 Mojib Wali.
+# Copyright (C) 2020-2024 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
 # details.
 
+[metadata]
+name = invenio-config-tugraz
+version = attr: invenio_config_tugraz.__version__
+description = "Invenio module that adds tugraz configs."
+long_description = file: README.rst, CHANGES.rst
+keywords = invenio config TU-Graz
+license = MIT
+author = "Graz University of Technology"
+author_email = info@tugraz.at
+platforms = any
+url = https://github.com/tu-graz-library/invenio-config-tugraz
+classifiers =
+    Environment :: Web Environment
+    Intended Audience :: Developers
+    License :: OSI Approved :: MIT License
+    Operating System :: OS Independent
+    Programming Language :: Python
+    Topic :: Internet :: WWW/HTTP :: Dynamic Content
+    Topic :: Software Development :: Libraries :: Python Modules
+    Programming Language :: Python :: 3.12
+    Development Status :: 3 - Alpha
+
+[options]
+include_package_data = True
+packages = find:
+python_requires = >=3.12
+zip_safe = False
+install_requires =
+    invenio-cache>=1.1.1
+    invenio-i18n>=2.0.0
+    invenio-rdm-records>=4.0.0
+
+[options.extras_require]
+tests =
+    invenio-app>=1.5.0
+    invenio-search[opensearch2]>=2.1.0,<3.0.0
+    pytest-black-ng>=0.4.0
+    pytest-invenio>=2.1.0,<3.0.0
+    ruff>=0.5.3
+    Sphinx>=4.5.0
+
+[options.entry_points]
+invenio_base.apps =
+    invenio_config_tugraz = invenio_config_tugraz:InvenioConfigTugraz
+invenio_base.blueprints =
+    invenio_config_tugraz = invenio_config_tugraz.views:ui_blueprint
+invenio_i18n.translations =
+    messages = invenio_config_tugraz
+invenio_config.module =
+    invenio_config_tugraz = invenio_config_tugraz.config
+invenio_base.finalize_app =
+    invenio_config_tugraz = invenio_config_tugraz.ext:finalize_app
+
 [aliases]
 test = pytest
 
@@ -17,9 +70,6 @@ all_files = 1
 [bdist_wheel]
 universal = 1
 
-[pydocstyle]
-add_ignore = D401
-
 [compile_catalog]
 directory = invenio_config_tugraz/translations/
 
@@ -38,19 +88,13 @@ output-dir = invenio_config_tugraz/translations/
 input-file = invenio_config_tugraz/translations/messages.pot
 output-dir = invenio_config_tugraz/translations/
 
-[flake8]
-max-line-length = 88
-extend-ignore = E203
-select = C,E,F,W,B,B950
-ignore = E501
-
 [isort]
-multi_line_output = 3
-include_trailing_comma = True
-force_grid_wrap = 0
-use_parentheses = True
-ensure_newline_before_comments = True
-line_length = 88
+profile=black
 
-[pycodestyle]
-ignore = E203,E501
+[check-manifest]
+ignore = *-requirements.txt
+
+[tool:pytest]
+addopts = --black --cov=invenio_config_tugraz --cov-report=term-missing
+testpaths = tests invenio_config_tugraz
+live_server_scope = module

setup.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2020-2021 Graz University of Technology.
+# Copyright (C) 2020-2022 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -8,108 +8,6 @@
 
 """invenio module that adds tugraz configs."""
 
-import os
+from setuptools import setup
 
-from setuptools import find_packages, setup
-
-readme = open("README.rst").read()
-history = open("CHANGES.rst").read()
-
-tests_require = [
-    "pytest-invenio>=1.4.0",
-    "invenio-app>=1.3.0,<2.0.0",
-]
-
-# Should follow invenio-app-rdm
-invenio_search_version = ">=1.4.0,<1.5.0"
-invenio_db_version = ">=1.0.9,<1.1.0"
-
-extras_require = {
-    "elasticsearch7": [f"invenio-search[elasticsearch7]{invenio_search_version}"],
-    "mysql": [f"invenio-db[mysql,versioning]{invenio_db_version}"],
-    "postgresql": [f"invenio-db[postgresql,versioning]{invenio_db_version}"],
-    "sqlite": [f"invenio-db[versioning]{invenio_db_version}"],
-    "docs": [
-        "Sphinx>=3",
-    ],
-    "tests": tests_require,
-}
-
-extras_require["all"] = []
-for name, reqs in extras_require.items():
-    if name[0] == ":" or name in (
-        "elasticsearch7",
-        "mysql",
-        "postgresql",
-        "sqlite",
-    ):
-        continue
-    extras_require["all"].extend(reqs)
-
-setup_requires = [
-    "Babel>=1.3",
-    "pytest-runner>=3.0.0,<5",
-]
-
-install_requires = [
-    "Flask-BabelEx>=0.9.4",
-    # keep this in sync with invenioRDM release
-    "invenio_app_rdm==3.0.0",
-]
-
-packages = find_packages()
-
-
-# Get the version string. Cannot be done with import!
-g = {}
-with open(os.path.join("invenio_config_tugraz", "version.py"), "rt") as fp:
-    exec(fp.read(), g)
-    version = g["__version__"]
-
-setup(
-    name="invenio-config-tugraz",
-    version=version,
-    description=__doc__,
-    long_description=readme + "\n\n" + history,
-    keywords="invenio, config, Tu Graz",
-    license="MIT",
-    author="Mojib Wali",
-    author_email="mb_wali@hotmail.com",
-    url="https://github.com/tu-graz-library/invenio-config-tugraz",
-    packages=packages,
-    zip_safe=False,
-    include_package_data=True,
-    platforms="any",
-    entry_points={
-        "invenio_base.apps": [
-            "invenio_config_tugraz = invenio_config_tugraz:InvenioConfigTugraz",
-        ],
-        "invenio_base.blueprints": [
-            "invenio_config_tugraz = invenio_config_tugraz.views:ui_blueprint",
-        ],
-        "invenio_i18n.translations": [
-            "messages = invenio_config_tugraz",
-        ],
-        "invenio_config.module": [
-            "invenio_config_tugraz = invenio_config_tugraz.config",
-        ],
-    },
-    extras_require=extras_require,
-    install_requires=install_requires,
-    setup_requires=setup_requires,
-    tests_require=tests_require,
-    classifiers=[
-        "Environment :: Web Environment",
-        "Intended Audience :: Developers",
-        "License :: OSI Approved :: MIT License",
-        "Operating System :: OS Independent",
-        "Programming Language :: Python",
-        "Topic :: Internet :: WWW/HTTP :: Dynamic Content",
-        "Topic :: Software Development :: Libraries :: Python Modules",
-        "Programming Language :: Python :: 3",
-        "Programming Language :: Python :: 3.6",
-        "Programming Language :: Python :: 3.7",
-        "Programming Language :: Python :: 3.8",
-        "Development Status :: 3 - Alpha",
-    ],
-)
+setup()

tests/conftest.py

@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 #
 # Copyright (C) 2020 Mojib Wali.
+# Copyright (C) 2020-2024 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -12,152 +13,21 @@ See https://pytest-invenio.readthedocs.io/ for documentation on which test
 fixtures are available.
 """
 
-import os
-import shutil
-import tempfile
 
 import pytest
 from flask import Flask
-from flask_babelex import Babel
-from invenio_db import InvenioDB, db
-from sqlalchemy_utils.functions import create_database, database_exists, drop_database
 
 from invenio_config_tugraz import InvenioConfigTugraz
 
 
 @pytest.fixture(scope="module")
-def celery_config():
-    """Override pytest-invenio fixture.
+def create_app(instance_path: str) -> Flask:
+    """Application factory fixture."""
 
-    TODO: Remove this fixture if you add Celery support.
-    """
-    return {}
-
-
-@pytest.fixture()
-def create_app(request):
-    """Basic Flask application."""
-    instance_path = tempfile.mkdtemp()
-    app = Flask("testapp")
-    DB = os.getenv("SQLALCHEMY_DATABASE_URI", "sqlite://")
-    app.config.update(
-        INVENIO_CONFIG_TUGRAZ_SINGLE_IP=["127.0.0.1", "127.0.0.2"],
-        INVENIO_CONFIG_TUGRAZ_IP_RANGES=[
-            ["127.0.0.2", "127.0.0.99"],
-            ["127.0.1.3", "127.0.1.5"],
-        ],
-        SQLALCHEMY_DATABASE_URI=DB,
-        SQLALCHEMY_TRACK_MODIFICATIONS=False,
-    )
-    Babel(app)
+    def factory(**config: str) -> Flask:
+        app = Flask("testapp", instance_path=instance_path)
+        app.config.update(**config)
         InvenioConfigTugraz(app)
-    InvenioDB(app)
-
-    with app.app_context():
-        db_url = str(db.engine.url)
-        if db_url != "sqlite://" and not database_exists(db_url):
-            create_database(db_url)
-        db.create_all()
-
-    def teardown():
-        with app.app_context():
-            db_url = str(db.engine.url)
-            db.session.close()
-            if db_url != "sqlite://":
-                drop_database(db_url)
-            shutil.rmtree(instance_path)
-
-    request.addfinalizer(teardown)
-    app.test_request_context().push()
-
         return app
 
-
-@pytest.fixture(scope='function')
-def open_record():
-    """Open record data as dict coming from the external world."""
-    return {
-        "access": {
-            "metadata": False,
-            "files": False,
-            "owned_by": [1],
-            "access_right": "open"
-        },
-        "metadata": {
-            "publication_date": "2020-06-01",
-            "resource_type": {
-                "type": "image",
-                "subtype": "image-photo"
-            },
-            # Technically not required
-            "creators": [{
-                "name": "Troy Brown",
-                "type": "personal"
-            }, {
-                "name": "Phillip Lester",
-                "type": "personal",
-                "identifiers": {"orcid": "0000-0002-1825-0097"},
-                "affiliations": [{
-                    "name": "Carter-Morris",
-                    "identifiers": {"ror": "03yrm5c26"}
-                }]
-            }, {
-                "name": "Steven Williamson",
-                "type": "personal",
-                "identifiers": {"orcid": "0000-0002-1825-0097"},
-                "affiliations": [{
-                    "name": "Ritter and Sons",
-                    "identifiers": {"ror": "03yrm5c26"}
-                }, {
-                    "name": "Montgomery, Bush and Madden",
-                    "identifiers": {"ror": "03yrm5c26"}
-                }]
-            }],
-            "title": "A Romans story"
-        }
-    }
-
-
-@pytest.fixture(scope='function')
-def singleip_record():
-    """Single Ip record data as dict coming from the external world."""
-    return {
-        "access": {
-            "metadata": False,
-            "files": False,
-            "owned_by": [1],
-            "access_right": "singleip"
-        },
-        "metadata": {
-            "publication_date": "2020-06-01",
-            "resource_type": {
-                "type": "image",
-                "subtype": "image-photo"
-            },
-            # Technically not required
-            "creators": [{
-                "name": "Troy Brown",
-                "type": "personal"
-            }, {
-                "name": "Phillip Lester",
-                "type": "personal",
-                "identifiers": {"orcid": "0000-0002-1825-0097"},
-                "affiliations": [{
-                    "name": "Carter-Morris",
-                    "identifiers": {"ror": "03yrm5c26"}
-                }]
-            }, {
-                "name": "Steven Williamson",
-                "type": "personal",
-                "identifiers": {"orcid": "0000-0002-1825-0097"},
-                "affiliations": [{
-                    "name": "Ritter and Sons",
-                    "identifiers": {"ror": "03yrm5c26"}
-                }, {
-                    "name": "Montgomery, Bush and Madden",
-                    "identifiers": {"ror": "03yrm5c26"}
-                }]
-            }],
-            "title": "A Romans story"
-        }
-    }
+    return factory

tests/test_generators.py

@@ -1,29 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# Copyright (C) 2020 Mojib Wali.
-#
-# invenio-config-tugraz is free software; you can redistribute it and/or
-# modify it under the terms of the MIT License; see LICENSE file for more
-# details.
-
-"""Test Generators."""
-
-from invenio_access.permissions import any_user
-
-from invenio_config_tugraz.generators import RecordIp
-
-
-def test_recordip(create_app, open_record, singleip_record):
-    """Test Generator RecordIp."""
-    generator = RecordIp()
-    open_record = open_record
-    singleiprec = singleip_record
-
-    assert generator.needs(record=None) == []
-    assert generator.needs(record=open_record) == [any_user]
-    assert generator.needs(record=singleiprec) == []
-
-    assert generator.excludes(record=open_record) == []
-    assert generator.excludes(record=open_record) == []
-
-    assert generator.query_filter().to_dict() == {'bool': {'must_not': [{'match': {'access.access_right': 'singleip'}}]}}

tests/test_invenio_config_tugraz.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2020 Mojib Wali.
+# Copyright (C) 2020-2024 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -13,14 +13,14 @@ from flask import Flask
 from invenio_config_tugraz import InvenioConfigTugraz
 
 
-def test_version():
+def test_version() -> None:
     """Test version import."""
     from invenio_config_tugraz import __version__
 
     assert __version__
 
 
-def test_init():
+def test_init() -> None:
     """Test extension initialization."""
     app = Flask("testapp")
     ext = InvenioConfigTugraz(app)

tests/test_policies.py

@@ -0,0 +1,88 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2024 Graz University of Technology.
+#
+# invenio-config-tugraz is free software; you can redistribute it and/or
+# modify it under the terms of the MIT License; see LICENSE file for more
+# details.
+
+"""Tests for permissions-policy."""
+
+from invenio_rdm_records.services.permissions import RDMRecordPermissionPolicy
+
+from invenio_config_tugraz.permissions.policies import TUGrazRDMRecordPermissionPolicy
+
+ALLOWED_DIFFERENCES = {
+    "can_authenticated",
+    "can_create",
+    "can_search",
+    "can_view",
+    "can_all",
+    "can_search_drafts",
+    "can_tugraz_authenticated",
+}
+
+
+def test_policies_synced() -> None:
+    """Make sure our permission-policy stays synced with invenio's."""
+    tugraz_cans = {
+        name: getattr(TUGrazRDMRecordPermissionPolicy, name)
+        for name in dir(TUGrazRDMRecordPermissionPolicy)
+        if name.startswith("can_")
+    }
+    rdm_cans = {
+        name: getattr(RDMRecordPermissionPolicy, name)
+        for name in dir(RDMRecordPermissionPolicy)
+        if name.startswith("can_")
+    }
+
+    # check whether same set of `can_<action>`s`
+    if extras := set(tugraz_cans) - set(rdm_cans) - ALLOWED_DIFFERENCES:
+        msg = f"""
+        TU Graz's permission-policy has additional fields over invenio-rdm's:{extras}
+        if this is intentional, add to ALLOWED_DIFFERENCES in test-file
+        otherwise remove extraneous fields from TUGrazRDMRecordPermissionPolicy
+        """
+        raise KeyError(msg)
+
+    if missing := set(rdm_cans) - set(tugraz_cans):
+        msg = f"""
+        invenio-rdm's permission-policy has fields unhandled by TU Graz's: {missing}
+        if this is intentional, add to ALLOWED_DIFFERENCES
+        otherwise set the corresponding fields in TUGrazRDMRecordPermissionPolicy
+        """
+        raise KeyError(msg)
+
+    # check whether same permission-generators used for same `can_<action>`
+    for can_name in rdm_cans.keys() & tugraz_cans.keys():
+        if can_name in ALLOWED_DIFFERENCES:
+            continue
+
+        tugraz_can = tugraz_cans[can_name]
+        rdm_can = rdm_cans[can_name]
+
+        # permission-Generators don't implement equality checks for their instances
+        # we can however compare which types (classes) of Generators are used...
+        if {type(gen) for gen in tugraz_can} != {type(gen) for gen in rdm_can}:
+            msg = f"""
+            permission-policy for `{can_name}` differs between TU-Graz and invenio-rdm
+            if this is intentional, add to ALLOWED_DIFFERENCES in test-file
+            otherwise fix TUGrazRDMRecordPermissionPolicy
+            """
+            raise ValueError(msg)
+
+    # check whether same `NEED_LABEL_TO_ACTION`
+    tugraz_label_to_action = TUGrazRDMRecordPermissionPolicy.NEED_LABEL_TO_ACTION
+    rdm_label_to_action = RDMRecordPermissionPolicy.NEED_LABEL_TO_ACTION
+
+    for label in tugraz_label_to_action.keys() & rdm_label_to_action.keys():
+        if label in ALLOWED_DIFFERENCES:
+            continue
+
+        if tugraz_label_to_action.get(label) != rdm_label_to_action.get(label):
+            msg = f"""
+            invenio-rdm's NEED_LABEL_TO_ACTION differs from TU Graz's in {label}
+            if this is intentional, add to ALLOWED_DIFFERENCES in test-file
+            otherwise fix TUGrazRDMRecordPermissionPolicy.NEED_LABEL_TO_ACTION
+            """
+            raise ValueError(msg)