From 0dc23bbfa855ae0560acb5760d2e92d295faa7f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Se=CC=81bastien=20De=CC=81le=CC=80ze?=
Date: Thu, 25 Jun 2020 15:41:43 +0200
Subject: [PATCH] search: fix query for resources
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Allows search for records when user is not logged and check permissions is disabled.

Co-Authored-by: Sébastien Délèze
---
 sonar/modules/deposits/query.py | 4 ++++
 sonar/modules/documents/query.py | 7 +++++--
 sonar/modules/documents/serializers/__init__.py | 2 +-
 sonar/modules/organisations/query.py | 4 ++++
 sonar/modules/users/query.py | 4 ++++
 tests/api/deposits/test_deposits_permissions.py | 11 +++++++++--
 tests/api/documents/test_documents_permissions.py | 11 +++++++++--
 .../organisations/test_organisations_permissions.py | 12 +++++++++---
 tests/api/users/test_users_permissions.py | 10 +++++++++-
 9 files changed, 54 insertions(+), 11 deletions(-)

diff --git a/sonar/modules/deposits/query.py b/sonar/modules/deposits/query.py
index 5ee4064e..3e6c317b 100644
--- a/sonar/modules/deposits/query.py
+++ b/sonar/modules/deposits/query.py
@@ -17,6 +17,7 @@
 
 """Query for deposits."""
 
+from flask import current_app
 from invenio_records_rest.query import es_search_factory
 
 from sonar.modules.organisations.api import current_organisation
@@ -32,6 +33,9 @@ def search_factory(self, search, query_parser=None):
     """
     search, urlkwargs = es_search_factory(self, search)
 
+    if current_app.config.get('SONAR_APP_DISABLE_PERMISSION_CHECKS'):
+        return (search, urlkwargs)
+
     # For superusers, records are not filtered.
     if current_user_record.is_superuser:
         return (search, urlkwargs)
diff --git a/sonar/modules/documents/query.py b/sonar/modules/documents/query.py
index 946f5c3b..84156a9c 100644
--- a/sonar/modules/documents/query.py
+++ b/sonar/modules/documents/query.py
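Review bot: The early return added right after `search, urlkwargs = es_search_factory(self, search)` hands an unfiltered result set to every caller, anonymous ones included, whenever `SONAR_APP_DISABLE_PERMISSION_CHECKS` is truthy, and nothing in the patch ties that key to a test or debug context. The same shape is repeated in the documents, organisations and users `search_factory` hunks. A deployment that leaves the key set would expose every deposit through the list endpoint, so consider honouring it only together with the app's testing mode, `if current_app.testing and current_app.config.get('SONAR_APP_DISABLE_PERMISSION_CHECKS'):`, or at least warn at startup when it is set, and add a comment above the check such as `# Test-only escape hatch: skips all organisation/user filtering below.` `search_factory` continues outside the hunk.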
@@ -31,10 +31,13 @@ def search_factory(self, search, query_parser=None):
     :param query_parser: Url arguments.
     :returns: Tuple with search instance and URL arguments.
     """
-    view = request.args.get('view')
-
     search, urlkwargs = es_search_factory(self, search)
 
+    if current_app.config.get('SONAR_APP_DISABLE_PERMISSION_CHECKS'):
+        return (search, urlkwargs)
+
+    view = request.args.get('view')
+
     # Public search
     if view:
         # Filter record by organisation view.
diff --git a/sonar/modules/documents/serializers/__init__.py b/sonar/modules/documents/serializers/__init__.py
index ae125bc3..f96fcf60 100644
--- a/sonar/modules/documents/serializers/__init__.py
+++ b/sonar/modules/documents/serializers/__init__.py
@@ -43,7 +43,7 @@ def post_process_serialize_search(self, results, pid_fetcher):
                 'SONAR_APP_DEFAULT_ORGANISATION'):
             results['aggregations'].pop('organisation', {})
         else:
-            if not current_user_record.is_superuser:
+            if current_user_record and not current_user_record.is_superuser:
                 results['aggregations'].pop('organisation', {})
 
     if results['aggregations'].get('year'):
diff --git a/sonar/modules/organisations/query.py b/sonar/modules/organisations/query.py
index 5a1d88cc..e561f8d5 100644
--- a/sonar/modules/organisations/query.py
+++ b/sonar/modules/organisations/query.py
@@ -17,6 +17,7 @@
 
 """Query for organisations."""
 
+from flask import current_app
 from invenio_records_rest.query import es_search_factory
 
 from sonar.modules.organisations.api import current_organisation
@@ -32,6 +33,9 @@ def search_factory(self, search, query_parser=None):
     """
     search, urlkwargs = es_search_factory(self, search)
 
+    if current_app.config.get('SONAR_APP_DISABLE_PERMISSION_CHECKS'):
+        return (search, urlkwargs)
+
     # Records are not filtered for superusers.
     if current_user_record.is_superuser:
         return (search, urlkwargs)
diff --git a/sonar/modules/users/query.py b/sonar/modules/users/query.py
index 008eb27a..c12f05f1 100644
--- a/sonar/modules/users/query.py
+++ b/sonar/modules/users/query.py
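Review bot: In `documents/query.py` the new early return sits above `view = request.args.get('view')`, so with `SONAR_APP_DISABLE_PERMISSION_CHECKS` set the `# Public search` branch that filters records by organisation view is skipped too, although that filter scopes a public view rather than checking a permission. If the key is only meant to drop the permission filtering, the `if view:` block should run before the early return, i.e. move the two added lines below it. Unlike the deposits, organisations and users modules this hunk adds no `from flask import current_app`; if the module does not already import it, the new line raises `NameError` at request time, which is worth confirming against the file head. `search_factory` starts and ends outside the hunk.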
@@ -17,6 +17,7 @@
 
 """Query for users."""
 
+from flask import current_app
 from invenio_records_rest.query import es_search_factory
 
 from sonar.modules.organisations.api import current_organisation
@@ -32,6 +33,9 @@ def search_factory(self, search, query_parser=None):
     """
     search, urlkwargs = es_search_factory(self, search)
 
+    if current_app.config.get('SONAR_APP_DISABLE_PERMISSION_CHECKS'):
+        return (search, urlkwargs)
+
     # Searching for existing email, everybody can do that
     if urlkwargs.get('q') and urlkwargs['q'].startswith('email:'):
         search = search.source(includes=['pid'])
diff --git a/tests/api/deposits/test_deposits_permissions.py b/tests/api/deposits/test_deposits_permissions.py
index d048bff7..5111e6c9 100644
--- a/tests/api/deposits/test_deposits_permissions.py
+++ b/tests/api/deposits/test_deposits_permissions.py
@@ -25,8 +25,8 @@
 from sonar.modules.deposits.api import DepositRecord
 
 
-def test_list(client, make_deposit, superuser, admin, moderator, submitter,
-              user):
+def test_list(app, client, make_deposit, superuser, admin, moderator,
+              submitter, user):
     """Test list deposits permissions."""
     make_deposit('submitter', 'org')
     make_deposit('admin', 'org')
@@ -36,6 +36,13 @@ def test_list(client, make_deposit, superuser, admin, moderator, submitter,
     res = client.get(url_for('invenio_records_rest.depo_list'))
     assert res.status_code == 401
 
+    # Not logged but permission checks disabled
+    app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=True)
+    res = client.get(url_for('invenio_records_rest.depo_list'))
+    assert res.status_code == 200
+    assert res.json['hits']['total'] == 3
+    app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=False)
+
     # Logged as user
     login_user_via_session(client, email=user['email'])
     res = client.get(url_for('invenio_records_rest.depo_list'))
diff --git a/tests/api/documents/test_documents_permissions.py b/tests/api/documents/test_documents_permissions.py
index b658d2d9..b2cc5d9a 100644
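Review bot: In `users/query.py` the early return is placed above the `email:` branch, so with `SONAR_APP_DISABLE_PERMISSION_CHECKS` set a `q=email:...` query no longer passes through `search.source(includes=['pid'])` and full user documents are returned to whoever calls the endpoint. That narrowing to `pid` is data minimisation for the email-existence lookup rather than a permission check, so it should stay in effect regardless of the key: move the two added lines below the `email:` block, or apply `search = search.source(includes=['pid'])` in that case before returning. `search_factory` continues past the hunk.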
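Review bot: `app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=False)` at the end of the new block in `test_deposits_permissions.py` only runs if the two asserts before it pass; a failing assert leaves the key enabled for the rest of this test and for whatever else shares the `app` fixture, so later 401/403 assertions could pass for the wrong reason. The same pattern is in the documents, organisations and users test hunks. Scope the override with pytest's `monkeypatch` fixture instead of a manual reset, `with monkeypatch.context() as m:` followed by `m.setitem(app.config, 'SONAR_APP_DISABLE_PERMISSION_CHECKS', True)` with the two requests indented under it, which restores the previous value even when an assert fails. `test_list` continues outside the hunk.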
--- a/tests/api/documents/test_documents_permissions.py
+++ b/tests/api/documents/test_documents_permissions.py
@@ -23,8 +23,8 @@
 from invenio_accounts.testutils import login_user_via_session
 
 
-def test_list(client, make_document, superuser, admin, moderator, submitter,
-              user):
+def test_list(app, client, make_document, superuser, admin, moderator,
+              submitter, user):
     """Test list documents permissions."""
     make_document(None)
     make_document('org')
@@ -33,6 +33,13 @@ def test_list(client, make_document, superuser, admin, moderator, submitter,
     res = client.get(url_for('invenio_records_rest.doc_list'))
     assert res.status_code == 401
 
+    # Not logged but permission checks disabled
+    app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=True)
+    res = client.get(url_for('invenio_records_rest.doc_list'))
+    assert res.status_code == 200
+    assert res.json['hits']['total'] == 2
+    app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=False)
+
     # Logged as user
     login_user_via_session(client, email=user['email'])
     res = client.get(url_for('invenio_records_rest.doc_list'))
diff --git a/tests/api/organisations/test_organisations_permissions.py b/tests/api/organisations/test_organisations_permissions.py
index 50e68988..d6f98f7d 100644
--- a/tests/api/organisations/test_organisations_permissions.py
+++ b/tests/api/organisations/test_organisations_permissions.py
@@ -23,7 +23,7 @@
 from invenio_accounts.testutils import login_user_via_session
 
 
-def test_list(client, make_organisation, superuser, admin, moderator,
+def test_list(app, client, make_organisation, superuser, admin, moderator,
               submitter, user):
     """Test list organisations permissions."""
     make_organisation('org2')
@@ -32,6 +32,13 @@ def test_list(client, make_organisation, superuser, admin, moderator,
     res = client.get(url_for('invenio_records_rest.org_list'))
     assert res.status_code == 401
 
+    # Not logged but permission checks disabled
+    app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=True)
+    res = client.get(url_for('invenio_records_rest.org_list'))
+    assert res.status_code == 200
+    assert res.json['hits']['total'] == 2
+    app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=False)
+
     # Logged as user
     login_user_via_session(client, email=user['email'])
     res = client.get(url_for('invenio_records_rest.org_list'))
@@ -235,8 +242,7 @@ def test_update(client, make_organisation, superuser, admin, moderator,
     assert res.status_code == 200
 
 
-def test_delete(client, superuser, admin,
-                moderator, submitter, user):
+def test_delete(client, superuser, admin, moderator, submitter, user):
     """Test delete organisations permissions."""
     # Not logged
     res = client.delete(
diff --git a/tests/api/users/test_users_permissions.py b/tests/api/users/test_users_permissions.py
index 2060cb0a..f876266d 100644
--- a/tests/api/users/test_users_permissions.py
+++ b/tests/api/users/test_users_permissions.py
@@ -23,7 +23,8 @@
 from invenio_accounts.testutils import login_user_via_session
 
 
-def test_list(client, make_user, superuser, admin, moderator, submitter, user):
+def test_list(app, client, make_user, superuser, admin, moderator, submitter,
+              user):
     """Test list users permissions."""
     make_user('user', 'org2')
 
@@ -31,6 +32,13 @@ def test_list(client, make_user, superuser, admin, moderator, submitter, user):
     res = client.get(url_for('invenio_records_rest.user_list'))
     assert res.status_code == 401
 
+    # Not logged but permission checks disabled
+    app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=True)
+    res = client.get(url_for('invenio_records_rest.user_list'))
+    assert res.status_code == 200
+    assert res.json['hits']['total'] == 6
+    app.config.update(SONAR_APP_DISABLE_PERMISSION_CHECKS=False)
+
     # Logged as user
     login_user_via_session(client, email=user['email'])
     res = client.get(url_for('invenio_records_rest.user_list'))