Implements permissions per transition inveniosoftware#26

Permissions factory per transition.

Rebased on master.

Loading permission factory from config for tests.

Clean up.

invenio_circulation/config.py

@@ -8,6 +8,8 @@
 
 """Invenio module for the circulation of bibliographic items."""
 
+from invenio_records_rest.utils import allow_all
+
 from .api import Loan
 from .links import loan_links_factory
 from .transitions.transitions import CreatedToItemOnLoan, CreatedToPending, \
@@ -33,6 +35,8 @@
 _CIRCULATION_LOAN_LINKS_FACTORY = loan_links_factory
 """."""
 
+CIRCULATION_PERMISSION_FACTORY = allow_all
+"""."""
 
 CIRCULATION_STATES_ITEM_AVAILABLE = ['ITEM_RETURNED']
 """."""

invenio_circulation/errors.py

@@ -37,5 +37,9 @@ class LoanActionError(CirculationException):
     """."""
 
 
+class InvalidCirculationPermission(CirculationException):
+    """Raised when permissions are not satisfied for transition."""
+
+
 class TransitionConstraintsViolation(CirculationException):
     """Exception raised when constraints for the transition failed."""

invenio_circulation/transitions/base.py

@@ -85,7 +85,8 @@ def __init__(self, src, dest, trigger='next', permission_factory=None,
         self.src = src
         self.dest = dest
         self.trigger = trigger
-        self.permission_factory = permission_factory
+        self.permission_factory = permission_factory or \
+            current_app.config['CIRCULATION_PERMISSION_FACTORY']
         # validate states
         self.validate_transition_states()
 
@@ -110,6 +111,10 @@ def validate_transition_states(self):
     @check_trigger
     def before(self, loan, **kwargs):
         """Validate input, evaluate conditions and raise if failed."""
+        if self.permission_factory and not self.permission_factory(loan).can():
+            msg = 'Invalid circulation permission'
+            raise InvalidCirculationPermission(msg=msg)
+
         kwargs.setdefault('transaction_date', datetime.now())
         kwargs['transaction_date'] = parse_date(kwargs['transaction_date'])
         loan.update(kwargs)

invenio_circulation/views.py

@@ -19,8 +19,8 @@
 from invenio_rest import ContentNegotiatedMethodView
 from invenio_rest.views import create_api_errorhandler
 
-from invenio_circulation.errors import ItemNotAvailable, LoanActionError, \
-    NoValidTransitionAvailable
+from invenio_circulation.errors import InvalidCirculationPermission, \
+    ItemNotAvailable, LoanActionError, NoValidTransitionAvailable
 from invenio_circulation.proxies import current_circulation
 
 HTTP_CODES = {
@@ -125,7 +125,11 @@ def post(self, pid, record, action, **kwargs):
                 record, **dict(params, trigger=action)
             )
             db.session.commit()
-        except (ItemNotAvailable, NoValidTransitionAvailable) as ex:
+        except (
+            ItemNotAvailable,
+            InvalidCirculationPermission,
+            NoValidTransitionAvailable
+        ) as ex:
             current_app.logger.exception(ex.msg)
             raise LoanActionError(ex)
 

tests/test_permissions.py

@@ -0,0 +1,31 @@
+# -*- coding: utf-8 -*-
+#
+# This file is part of CDS.
+# Copyright (C) 2015, 2016, 2018 CERN.
+#
+# CDS is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of the
+# License, or (at your option) any later version.
+#
+# CDS is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with CDS; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+# MA 02111-1307, USA.
+#
+# In applying this license, CERN does not
+# waive the privileges and immunities granted to it by virtue of its status
+# as an Intergovernmental Organization or submit itself to any jurisdiction.
+
+"""Test circulation permissions."""
+
+
+def test_permission(app):
+    """Test permission factories."""
+    factory = app.config['CIRCULATION_PERMISSION_FACTORY']
+    assert factory().can()