permissions: add generator for handling groups enabled feature flag

* closes inveniosoftware/invenio-rdm-records#1672
inveniosoftware · May 7, 2024 · 9b44d62 · 9b44d62
1 parent 4c31af2
commit 9b44d62
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 7 deletions.
diff --git a/invenio_users_resources/config.py b/invenio_users_resources/config.py
@@ -240,3 +240,6 @@ class OrgPropsSchema(Schema):
 
 USERS_RESOURCES_DOMAINS_ORG_SCHEMA = OrgPropsSchema
 """Domains organisation schema config."""
+
+USERS_RESOURCES_GROUPS_ENABLED = True
+"""Config to enable features related to existence of groups."""
diff --git a/invenio_users_resources/services/generators.py b/invenio_users_resources/services/generators.py
@@ -11,6 +11,8 @@
 """Permission generators for users and groups."""
 
 
+from flask import current_app
+from invenio_access.permissions import any_user
 from invenio_records.dictutils import dict_lookup
 from invenio_records_permissions.generators import (
     ConditionalGenerator,
@@ -123,3 +125,28 @@ def query_filter(self, **kwargs):
                     return q_all & else_query
 
         return q_not_managed & then_query
+
+
+class GroupsEnabled(Generator):
+    """Generator to restrict if the groups are not enabled.
+
+    If the groups are not enabled, exclude any user for adding members of the
+    param member type.
+
+    A system process is allowed to do anything.
+    """
+
+    def __init__(self, *need_groups_enabled_types):
+        """Types that need the groups enabled."""
+        self.need_groups_enabled_types = need_groups_enabled_types
+
+    def excludes(self, member_types=None, **kwargs):
+        """Preventing needs."""
+        member_types = member_types or {"group"}
+        for m in member_types:
+            if (
+                m in self.need_groups_enabled_types
+                and not current_app.config["USERS_RESOURCES_GROUPS_ENABLED"]
+            ):
+                return [any_user]
+        return []
diff --git a/invenio_users_resources/services/permissions.py b/invenio_users_resources/services/permissions.py
@@ -18,7 +18,13 @@
 
 from invenio_users_resources.permissions import user_management_action
 
-from .generators import IfGroupNotManaged, IfPublicEmail, IfPublicUser, Self
+from .generators import (
+    GroupsEnabled,
+    IfGroupNotManaged,
+    IfPublicEmail,
+    IfPublicUser,
+    Self,
+)
 
 UserManager = AdminAction(user_management_action)
 
@@ -53,14 +59,17 @@ class UsersPermissionPolicy(BasePermissionPolicy):
 class GroupsPermissionPolicy(BasePermissionPolicy):
     """Permission policy for users and user groups."""
 
-    can_create = [SystemProcess()]
-    can_read = [
-        IfGroupNotManaged([AuthenticatedUser()], [UserManager]),
+    _can_any = [
+        GroupsEnabled("group"),
         SystemProcess(),
     ]
-    can_search = [AuthenticatedUser(), SystemProcess()]
-    can_update = [SystemProcess()]
-    can_delete = [SystemProcess()]
+    can_create = _can_any
+    can_read = _can_any + [
+        IfGroupNotManaged([AuthenticatedUser()], [UserManager]),
+    ]
+    can_search = _can_any + [AuthenticatedUser()]
+    can_update = _can_any
+    can_delete = _can_any
 
 
 class DomainPermissionPolicy(BasePermissionPolicy):

diff --git a/tests/conftest.py b/tests/conftest.py
@@ -64,6 +64,8 @@ def app_config(app_config):
     # setting preferences schema to test notifications
     app_config["ACCOUNTS_USER_PREFERENCES_SCHEMA"] = UserPreferencesNotificationsSchema
 
+    app_config["USERS_RESOURCES_GROUPS_ENABLED"] = True
+
     return app_config