search: fix query for resources

* Allows search for records when user is not logged and check permissions is disabled.

Co-Authored-by: Sébastien Délèze <sebastien.deleze@rero.ch>

sonar/modules/deposits/query.py

@@ -17,6 +17,7 @@
 
 """Query for deposits."""
 
+from flask import current_app
 from invenio_records_rest.query import es_search_factory
 
 from sonar.modules.organisations.api import current_organisation
@@ -32,6 +33,9 @@ def search_factory(self, search, query_parser=None):
     """
     search, urlkwargs = es_search_factory(self, search)
 
+    if current_app.config.get('SONAR_APP_DISABLE_PERMISSION_CHECKS'):
+        return (search, urlkwargs)
+
     # For superusers, records are not filtered.
     if current_user_record.is_superuser:
         return (search, urlkwargs)

sonar/modules/documents/query.py

@@ -31,10 +31,13 @@ def search_factory(self, search, query_parser=None):
     :param query_parser: Url arguments.
     :returns: Tuple with search instance and URL arguments.
     """
-    view = request.args.get('view')
-
     search, urlkwargs = es_search_factory(self, search)
 
+    if current_app.config.get('SONAR_APP_DISABLE_PERMISSION_CHECKS'):
+        return (search, urlkwargs)
+
+    view = request.args.get('view')
+
     # Public search
     if view:
         # Filter record by organisation view.

sonar/modules/documents/serializers/__init__.py

@@ -43,7 +43,7 @@ def post_process_serialize_search(self, results, pid_fetcher):
                     'SONAR_APP_DEFAULT_ORGANISATION'):
                 results['aggregations'].pop('organisation', {})
         else:
-            if not current_user_record.is_superuser:
+            if current_user_record and not current_user_record.is_superuser:
                 results['aggregations'].pop('organisation', {})
 
         if results['aggregations'].get('year'):

sonar/modules/organisations/query.py

@@ -17,6 +17,7 @@
 
 """Query for organisations."""
 
+from flask import current_app
 from invenio_records_rest.query import es_search_factory
 
 from sonar.modules.organisations.api import current_organisation
@@ -32,6 +33,9 @@ def search_factory(self, search, query_parser=None):
     """
     search, urlkwargs = es_search_factory(self, search)
 
+    if current_app.config.get('SONAR_APP_DISABLE_PERMISSION_CHECKS'):
+        return (search, urlkwargs)
+
     # Records are not filtered for superusers.
     if current_user_record.is_superuser:
         return (search, urlkwargs)

sonar/modules/users/query.py

@@ -17,6 +17,7 @@
 
 """Query for users."""
 
+from flask import current_app
 from invenio_records_rest.query import es_search_factory
 
 from sonar.modules.organisations.api import current_organisation
@@ -32,6 +33,9 @@ def search_factory(self, search, query_parser=None):
     """
     search, urlkwargs = es_search_factory(self, search)
 
+    if current_app.config.get('SONAR_APP_DISABLE_PERMISSION_CHECKS'):
+        return (search, urlkwargs)
+
     # Searching for existing email, everybody can do that
     if urlkwargs.get('q') and urlkwargs['q'].startswith('email:'):
         search = search.source(includes=['pid'])

tests/api/deposits/test_deposits_permissions.py

@@ -25,8 +25,8 @@
 from sonar.modules.deposits.api import DepositRecord
 
 
-def test_list(client, make_deposit, superuser, admin, moderator, submitter,
-              user):
+def test_list(app, client, make_deposit, superuser, admin, moderator,
+              submitter, user):
     """Test list deposits permissions."""
     make_deposit('submitter', 'org')
     make_deposit('admin', 'org')
@@ -36,6 +36,13 @@ def test_list(client, make_deposit, superuser, admin, moderator, submitter,
     res = client.get(url_for('invenio_records_rest.depo_list'))
     assert res.status_code == 401
 
+    # Not logged but permission checks disabled
+    app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=True)
+    res = client.get(url_for('invenio_records_rest.depo_list'))
+    assert res.status_code == 200
+    assert res.json['hits']['total'] == 3
+    app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=False)
+
     # Logged as user
     login_user_via_session(client, email=user['email'])
     res = client.get(url_for('invenio_records_rest.depo_list'))

tests/api/documents/test_documents_permissions.py

@@ -23,8 +23,8 @@
 from invenio_accounts.testutils import login_user_via_session
 
 
-def test_list(client, make_document, superuser, admin, moderator, submitter,
-              user):
+def test_list(app, client, make_document, superuser, admin, moderator,
+              submitter, user):
     """Test list documents permissions."""
     make_document(None)
     make_document('org')
@@ -33,6 +33,13 @@ def test_list(client, make_document, superuser, admin, moderator, submitter,
     res = client.get(url_for('invenio_records_rest.doc_list'))
     assert res.status_code == 401
 
+    # Not logged but permission checks disabled
+    app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=True)
+    res = client.get(url_for('invenio_records_rest.doc_list'))
+    assert res.status_code == 200
+    assert res.json['hits']['total'] == 2
+    app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=False)
+
     # Logged as user
     login_user_via_session(client, email=user['email'])
     res = client.get(url_for('invenio_records_rest.doc_list'))

tests/api/organisations/test_organisations_permissions.py

@@ -23,7 +23,7 @@
 from invenio_accounts.testutils import login_user_via_session
 
 
-def test_list(client, make_organisation, superuser, admin, moderator,
+def test_list(app, client, make_organisation, superuser, admin, moderator,
               submitter, user):
     """Test list organisations permissions."""
     make_organisation('org2')
@@ -32,6 +32,13 @@ def test_list(client, make_organisation, superuser, admin, moderator,
     res = client.get(url_for('invenio_records_rest.org_list'))
     assert res.status_code == 401
 
+    # Not logged but permission checks disabled
+    app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=True)
+    res = client.get(url_for('invenio_records_rest.org_list'))
+    assert res.status_code == 200
+    assert res.json['hits']['total'] == 2
+    app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=False)
+
     # Logged as user
     login_user_via_session(client, email=user['email'])
     res = client.get(url_for('invenio_records_rest.org_list'))
@@ -235,8 +242,7 @@ def test_update(client, make_organisation, superuser, admin, moderator,
     assert res.status_code == 200
 
 
-def test_delete(client, superuser, admin,
-                moderator, submitter, user):
+def test_delete(client, superuser, admin, moderator, submitter, user):
     """Test delete organisations permissions."""
     # Not logged
     res = client.delete(

tests/api/users/test_users_permissions.py

@@ -23,14 +23,22 @@
 from invenio_accounts.testutils import login_user_via_session
 
 
-def test_list(client, make_user, superuser, admin, moderator, submitter, user):
+def test_list(app, client, make_user, superuser, admin, moderator, submitter,
+              user):
     """Test list users permissions."""
     make_user('user', 'org2')
 
     # Not logged
     res = client.get(url_for('invenio_records_rest.user_list'))
     assert res.status_code == 401
 
+    # Not logged but permission checks disabled
+    app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=True)
+    res = client.get(url_for('invenio_records_rest.user_list'))
+    assert res.status_code == 200
+    assert res.json['hits']['total'] == 6
+    app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=False)
+
     # Logged as user
     login_user_via_session(client, email=user['email'])
     res = client.get(url_for('invenio_records_rest.user_list'))