mirror of
https://github.com/Cian-H/invenio-config-iform.git
synced 2025-12-22 21:11:57 +00:00
760363b4a5
* with that addition it is possible to restrict records to an special ip or an ip network
82 lines
3.3 KiB
Python
82 lines
3.3 KiB
Python
# -*- coding: utf-8 -*-
|
|
#
|
|
# Copyright (C) 2024 Graz University of Technology.
|
|
#
|
|
# invenio-config-tugraz is free software; you can redistribute it and/or
|
|
# modify it under the terms of the MIT License; see LICENSE file for more
|
|
# details.
|
|
|
|
"""Tests for permissions-policy."""
|
|
|
|
from invenio_rdm_records.services.permissions import RDMRecordPermissionPolicy
|
|
|
|
from invenio_config_tugraz.permissions.policies import TUGrazRDMRecordPermissionPolicy
|
|
|
|
ALLOWED_DIFFERENCES = {
|
|
"can_authenticated",
|
|
"can_create",
|
|
"can_search",
|
|
"can_view",
|
|
"can_all",
|
|
"can_search_drafts",
|
|
"can_tugraz_authenticated",
|
|
}
|
|
|
|
|
|
def test_policies_synced():
|
|
"""Make sure our permission-policy stays synced with invenio's."""
|
|
tugraz_cans = {
|
|
name: getattr(TUGrazRDMRecordPermissionPolicy, name)
|
|
for name in dir(TUGrazRDMRecordPermissionPolicy)
|
|
if name.startswith("can_")
|
|
}
|
|
rdm_cans = {
|
|
name: getattr(RDMRecordPermissionPolicy, name)
|
|
for name in dir(RDMRecordPermissionPolicy)
|
|
if name.startswith("can_")
|
|
}
|
|
|
|
# check whether same set of `can_<action>`s`
|
|
if extras := set(tugraz_cans) - set(rdm_cans) - ALLOWED_DIFFERENCES:
|
|
raise KeyError(
|
|
f"TU Graz's permission-policy has additional fields over invenio-rdm's:{extras}\n"
|
|
"if this is intentional, add to ALLOWED_DIFFERENCES in test-file\n"
|
|
"otherwise remove extraneous fields from TUGrazRDMRecordPermissionPolicy"
|
|
)
|
|
if missing := set(rdm_cans) - set(tugraz_cans):
|
|
raise KeyError(
|
|
f"invenio-rdm's permission-policy has fields unhandled by TU Graz's: {missing}\n"
|
|
"if this is intentional, add to ALLOWED_DIFFERENCES\n"
|
|
"otherwise set the corresponding fields in TUGrazRDMRecordPermissionPolicy"
|
|
)
|
|
|
|
# check whether same permission-generators used for same `can_<action>`
|
|
for can_name in rdm_cans.keys() & tugraz_cans.keys():
|
|
if can_name in ALLOWED_DIFFERENCES:
|
|
continue
|
|
|
|
tugraz_can = tugraz_cans[can_name]
|
|
rdm_can = rdm_cans[can_name]
|
|
|
|
# permission-Generators don't implement equality checks for their instances
|
|
# we can however compare which types (classes) of Generators are used...
|
|
if {type(gen) for gen in tugraz_can} != {type(gen) for gen in rdm_can}:
|
|
raise ValueError(
|
|
f"permission-policy for `{can_name}` differs between TU-Graz and invenio-rdm\n"
|
|
"if this is intentional, add to ALLOWED_DIFFERENCES in test-file\n"
|
|
"otherwise fix TUGrazRDMRecordPermissionPolicy"
|
|
)
|
|
|
|
# check whether same `NEED_LABEL_TO_ACTION`
|
|
tugraz_label_to_action = TUGrazRDMRecordPermissionPolicy.NEED_LABEL_TO_ACTION
|
|
rdm_label_to_action = RDMRecordPermissionPolicy.NEED_LABEL_TO_ACTION
|
|
for label in tugraz_label_to_action.keys() & rdm_label_to_action.keys():
|
|
if label in ALLOWED_DIFFERENCES:
|
|
continue
|
|
if tugraz_label_to_action.get(label) != rdm_label_to_action.get(label):
|
|
raise ValueError(
|
|
f"invenio-rdm's NEED_LABEL_TO_ACTION differs from TU Graz's in {label}\n"
|
|
"if this is intentional, add to ALLOWED_DIFFERENCES in test-file\n"
|
|
"otherwise fix TUGrazRDMRecordPermissionPolicy.NEED_LABEL_TO_ACTION"
|
|
)
|