permissions: restrict non searchable values
Showing
12 changed files
with
225 additions
and
10 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
# -*- coding: utf-8 -*- | ||
Check failure on line 1 in invenio_vocabularies/contrib/names/permissions.py GitHub Actions / Python / Tests (3.9, postgresql14, opensearch2)
Check failure on line 1 in invenio_vocabularies/contrib/names/permissions.py GitHub Actions / Python / Tests (3.12, postgresql14, opensearch2)
|
||
# | ||
# Copyright (C) 2020-2024 CERN. | ||
# | ||
# Invenio-Vocabularies is free software; you can redistribute it and/or | ||
# modify it under the terms of the MIT License; see LICENSE file for more | ||
# details. | ||
|
||
"""Vocabulary permissions.""" | ||
|
||
from invenio_records_permissions.generators import SystemProcess, AuthenticatedUser | ||
|
||
from invenio_vocabularies.services.generators import Tags | ||
from invenio_vocabularies.services.permissions import PermissionPolicy | ||
|
||
|
||
class NamesPermissionPolicy(PermissionPolicy): | ||
"""Names permission policy.""" | ||
|
||
can_search = [ | ||
SystemProcess(), | ||
Tags(exclude=["non-searchable"], only_authenticated=True), | ||
] | ||
can_read = [SystemProcess(), AuthenticatedUser()] | ||
# this permission is needed for the /api/vocabularies/ endpoint | ||
can_list_vocabularies = [ | ||
SystemProcess(), | ||
Tags(exclude=["non-searchable"], only_authenticated=True), | ||
] |
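Review bot: `can_read = [SystemProcess(), AuthenticatedUser()]` carries no tag condition, so a name tagged `non-searchable` is hidden by `can_search` and `can_list_vocabularies` but can still be fetched directly by any authenticated user who knows its id. If the tag is meant to restrict access and not only discoverability, read needs a record-level check. If hiding from search is all that is intended, say so next to the rule, e.g. `# non-searchable entries are only hidden from search; direct reads stay open to any authenticated user`. The module docstring `"""Vocabulary permissions."""` could also name the vocabulary it covers, e.g. `"""Names vocabulary permissions."""`.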
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
# -*- coding: utf-8 -*- | ||
# | ||
# Copyright (C) 2024 CERN. | ||
# | ||
# Invenio-Vocabularies is free software; you can redistribute it and/or | ||
# modify it under the terms of the MIT License; see LICENSE file for more | ||
# details. | ||
# | ||
|
||
"""Vocabulary generators.""" | ||
|
||
from invenio_access import any_user, authenticated_user | ||
from invenio_records_permissions.generators import Generator | ||
from invenio_search.engine import dsl | ||
|
||
|
||
class AnyUser(Generator): | ||
"""Allows any user.""" | ||
|
||
def needs(self, **kwargs): | ||
"""Enabling Needs.""" | ||
return [any_user] | ||
|
||
def query_filter(self, **kwargs): | ||
"""Match only searchable values in search.""" | ||
return dsl.Q( | ||
"bool", | ||
must_not=[dsl.Q("term", tags="non-searchable")], | ||
) | ||
|
||
|
||
class Tags(Generator): | ||
"""Allows any user.""" | ||
|
||
def __init__(self, include=None, exclude=None, only_authenticated=False): | ||
"""Constructor.""" | ||
self.include = include or [] | ||
self.exclude = exclude or [] | ||
self.only_authenticated = only_authenticated | ||
|
||
def needs(self, **kwargs): | ||
"""Enabling Needs.""" | ||
return [authenticated_user] if self.only_authenticated else [any_user] | ||
|
||
def query_filter(self, **kwargs): | ||
"""Search based on configured tags.""" | ||
must_clauses = [] | ||
must_not_clauses = [] | ||
|
||
if self.include: | ||
must_clauses.append(dsl.Q("terms", tags=self.include)) | ||
|
||
if self.exclude: | ||
must_not_clauses.append(dsl.Q("terms", tags=self.exclude)) | ||
|
||
return dsl.Q( | ||
"bool", | ||
must=must_clauses, | ||
must_not=must_not_clauses, | ||
) |
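Review bot: `Tags.query_filter` ignores the identity it is called with and returns the same `must_not` clause for every caller, and `Tags.needs` never looks at the record, so the generator restricts nothing outside search and cannot exempt privileged users inside it. The test added in this commit expects `superuser_identity` to find the hidden entry, and the page shows a check failure annotated on line 59 of that test file, which is that assertion. How the policy combines generator filters is not visible here, but a filter applied unconditionally to non-system identities would be consistent with that failure. Consider pairing `Tags` in the policy with a generator whose filter matches everything for administrators, or branching on the identity inside `query_filter`. The class docstring `"""Allows any user."""` is copied from `AnyUser`; something like `"""Filter search results by included and excluded tags."""` would describe the class.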
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
# -*- coding: utf-8 -*- | ||
# | ||
# This file is part of Invenio. | ||
# Copyright (C) 2024 CERN. | ||
# | ||
# Invenio-Vocabularies is free software; you can redistribute it and/or | ||
# modify it under the terms of the MIT License; see LICENSE file for more | ||
# details. | ||
|
||
"""Test the names vocabulary permissions.""" | ||
|
||
import pytest | ||
from flask_principal import Identity | ||
from invenio_access.permissions import any_user | ||
|
||
from invenio_vocabularies.records.api import Vocabulary | ||
|
||
|
||
# | ||
# Fixtures | ||
# | ||
@pytest.fixture() | ||
def anyuser_idty(): | ||
"""Simple identity to interact with the service.""" | ||
identity = Identity(1) | ||
identity.provides.add(any_user) | ||
return identity | ||
|
||
|
||
def test_non_searchable_tag( | ||
app, | ||
service, | ||
identity, | ||
non_searchable_name_data, | ||
anyuser_idty, | ||
example_affiliation, | ||
superuser_identity, | ||
): | ||
"""Test that non-searchable tags are not returned in search results.""" | ||
# Service | ||
assert service.id == "names" | ||
assert service.config.indexer_queue_name == "names" | ||
|
||
# Create it | ||
item = service.create(identity, non_searchable_name_data) | ||
id_ = item.id | ||
|
||
# Refresh index to make changes live. | ||
Vocabulary.index.refresh() | ||
|
||
# Search - only searchable values should be returned | ||
res = service.search(anyuser_idty, type="names", q=f"id:{id_}", size=25, page=1) | ||
assert res.total == 0 | ||
|
||
# Admins should be able to see the non-searchable tags | ||
res = service.search( | ||
superuser_identity, type="names", q=f"id:{id_}", size=25, page=1 | ||
) | ||
assert res.total == 1 | ||
Check failure on line 59 in tests/contrib/names/test_name_permissions.py GitHub Actions / Python / Tests (3.9, postgresql14, opensearch2)
Check failure on line 59 in tests/contrib/names/test_name_permissions.py GitHub Actions / Python / Tests (3.12, postgresql14, opensearch2)
|
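Review bot: The negative assertion `assert res.total == 0` may pass for the wrong reason. `anyuser_idty` provides only `any_user`, while the names policy in this commit builds `Tags(exclude=["non-searchable"], only_authenticated=True)`, so an unauthenticated identity could get no results (or be denied) whether or not the tag filter works. Use an identity that also provides `authenticated_user`, e.g. `identity.provides.add(authenticated_user)` in the fixture, and add a control case where a name without the tag is found by that same identity. The `app` and `example_affiliation` parameters are not used in the body shown and can be dropped unless they are requested for their setup side effects.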