forked from inveniosoftware/invenio-records-rest
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* NEW Adds customizable access control to record views. Allow configuring different permissions per endpoint. (reference inveniosoftware#14) Signed-off-by: Nicolas Harraudeau <[email protected]>
- Loading branch information
Nicolas Harraudeau
committed
Dec 14, 2015
1 parent
26ae5f7
commit 2a924a0
Showing
8 changed files
with
658 additions
and
19 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -55,3 +55,6 @@ docs/_build/ | |
|
||
# PyBuilder | ||
target/ | ||
|
||
# Sqlite databases | ||
*.db |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,173 @@ | ||
# -*- coding: utf-8 -*- | ||
# | ||
# This file is part of Invenio. | ||
# Copyright (C) 2015 CERN. | ||
# | ||
# Invenio is free software; you can redistribute it | ||
# and/or modify it under the terms of the GNU General Public License as | ||
# published by the Free Software Foundation; either version 2 of the | ||
# License, or (at your option) any later version. | ||
# | ||
# Invenio is distributed in the hope that it will be | ||
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
# General Public License for more details. | ||
# | ||
# You should have received a copy of the GNU General Public License | ||
# along with Invenio; if not, write to the | ||
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, | ||
# MA 02111-1307, USA. | ||
# | ||
# In applying this license, CERN does not | ||
# waive the privileges and immunities granted to it by virtue of its status | ||
# as an Intergovernmental Organization or submit itself to any jurisdiction. | ||
|
||
|
||
"""Minimal Flask application example with access control enabled. | ||
Run example development server: | ||
.. code-block:: console | ||
$ cd examples | ||
$ flask -a permsapp.py db init | ||
$ flask -a permsapp.py db create | ||
$ flask -a permsapp.py fixtures records | ||
$ flask -a permsapp.py fixtures access | ||
$ flask -a permsapp.py --debug run | ||
Try to get record 1: | ||
.. code-block:: console | ||
$ curl -XGET http://localhost:5000/records/1 | ||
Login as [email protected] (password 123456) and get record 1: | ||
.. code-block:: console | ||
$ curl -XPOST http://localhost:5000/login/ -d 'email=admin%40invenio-software.org&password=123456' -c mycookie | ||
$ curl -XGET http://localhost:5000/records/1 -b mycookie | ||
Login as [email protected] (password 123456), who has not | ||
the permission to read record 1, and try to get record 1: | ||
.. code-block:: console | ||
$ curl -XPOST http://localhost:5000/login/ -d 'email=forbidden%40invenio-software.org&password=123456' -c mycookie2 | ||
$ curl -XGET http://localhost:5000/records/1 -b mycookie2 | ||
""" # noqa | ||
|
||
from __future__ import absolute_import, print_function | ||
|
||
import os | ||
|
||
from flask import Flask | ||
from flask_celeryext import FlaskCeleryExt | ||
from flask_cli import FlaskCLI | ||
from flask_menu import Menu | ||
from flask_security.utils import encrypt_password | ||
from invenio_accounts import InvenioAccounts | ||
from invenio_accounts.views import blueprint | ||
from invenio_db import InvenioDB, db | ||
from invenio_pidstore import InvenioPIDStore | ||
from invenio_records import InvenioRecords | ||
from invenio_records.permissions import records_create_all, \ | ||
records_delete_all, records_read_all, records_update_all | ||
from invenio_rest import InvenioREST | ||
|
||
from invenio_access import InvenioAccess | ||
from invenio_access.models import ActionUsers | ||
from invenio_records_rest import InvenioRecordsREST | ||
|
||
|
||
# create application's instance directory. Needed for this example only. | ||
current_dir = os.path.dirname(os.path.realpath(__file__)) | ||
instance_dir = os.path.join(current_dir, 'permsapp') | ||
if not os.path.exists(instance_dir): | ||
os.makedirs(instance_dir) | ||
|
||
# Create Flask application | ||
app = Flask(__name__, instance_path=instance_dir) | ||
app.config.update( | ||
CELERY_ALWAYS_EAGER=True, | ||
CELERY_CACHE_BACKEND="memory", | ||
CELERY_EAGER_PROPAGATES_EXCEPTIONS=True, | ||
CELERY_RESULT_BACKEND="cache", | ||
# Install Principal and Login extensions | ||
WTF_CSRF_ENABLED=False, | ||
ACCOUNTS_USE_CELERY=False, | ||
SECRET_KEY='CHANGE_ME', | ||
SECURITY_PASSWORD_SALT='CHANGE_ME_ALSO', | ||
) | ||
FlaskCLI(app) | ||
FlaskCeleryExt(app) | ||
InvenioDB(app) | ||
InvenioREST(app) | ||
InvenioPIDStore(app) | ||
InvenioRecords(app) | ||
Menu(app) | ||
accounts = InvenioAccounts(app) | ||
app.register_blueprint(blueprint) | ||
InvenioAccess(app) | ||
InvenioRecordsREST(app) | ||
|
||
rec_uuid = 'deadbeef-1234-5678-ba11-b100dc0ffee5' | ||
|
||
|
||
@app.cli.group() | ||
def fixtures(): | ||
"""Command for working with test data.""" | ||
|
||
|
||
@fixtures.command() | ||
def records(): | ||
"""Load test data fixture.""" | ||
from invenio_records.api import Record | ||
from invenio_pidstore.models import PersistentIdentifier, PIDStatus | ||
|
||
# Record 1 - Live record | ||
with db.session.begin_nested(): | ||
PersistentIdentifier.create( | ||
'recid', '1', object_type='rec', object_uuid=rec_uuid, | ||
status=PIDStatus.REGISTERED) | ||
Record.create({'title': 'Registered '}, id_=rec_uuid) | ||
|
||
|
||
@fixtures.command() | ||
def access(): | ||
"""Load access fixtures.""" | ||
admin = accounts.datastore.create_user( | ||
email='[email protected]', | ||
password=encrypt_password('123456'), | ||
active=True, | ||
) | ||
forbidden = accounts.datastore.create_user( | ||
email='[email protected]', | ||
password=encrypt_password('123456'), | ||
active=True, | ||
) | ||
# Give all permissions on the record to admin user | ||
db.session.add(ActionUsers( | ||
action=records_create_all.value, | ||
user=admin)) | ||
db.session.add(ActionUsers( | ||
action=records_read_all.value, argument=rec_uuid, | ||
user=admin)) | ||
db.session.add(ActionUsers( | ||
action=records_update_all.value, argument=rec_uuid, | ||
user=admin)) | ||
db.session.add(ActionUsers( | ||
action=records_delete_all.value, argument=rec_uuid, | ||
user=admin)) | ||
# Exclude all permission on the record to the forbidden user | ||
db.session.add(ActionUsers( | ||
action=records_create_all.value, | ||
user=forbidden, exclude=True)) | ||
db.session.add(ActionUsers( | ||
action=records_read_all.value, argument=rec_uuid, | ||
user=forbidden, exclude=True)) | ||
db.session.add(ActionUsers( | ||
action=records_update_all.value, argument=rec_uuid, | ||
user=forbidden, exclude=True)) | ||
db.session.add(ActionUsers( | ||
action=records_delete_all.value, argument=rec_uuid, | ||
user=forbidden, exclude=True)) | ||
db.session.commit() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.