Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

permissions: refactor to use flask-principal #14

Open
lnielsen opened this issue Aug 29, 2016 · 3 comments
Open

permissions: refactor to use flask-principal #14

lnielsen opened this issue Aug 29, 2016 · 3 comments
Labels
enhancement
Milestone
v1.0.0

Comments

@lnielsen
Copy link
Member

Refactor the permissions to rely on Flask-Principal instead - a token with extra data {'recid': '1'} could e.g. update the current identity with a Need(value='1', method='recid').

Then a permission check if a specific user or token gives access could look like e.g.:

Permission(Need('recid', '1'), UserNeed(1234)).can()

Issues:
This has to work for both logged in and anonymous users. However, identity-loaded signal is only sent when a user is logged in. Probably Zenodo-AccessRequests can provide an identity_loader which runs after Flask-Security, and which sets the anonymous identity. This way the identity-loaded signal is also sent for anonymous users, and we can use the signal to provide the need for the identity.
@lnielsen lnielsen added this to the v1.0.0 milestone Aug 29, 2016
@nharraud
Copy link

nharraud commented Sep 2, 2016

How many secret links are there per user on the current Zenodo? Are some tokens unlimited in time?
If there are too many tokens the loading of the user identity will take a long time.

Also how would it work for search? Are the shared records supposed to appear in the search results?

@lnielsen
Copy link
Member Author

lnielsen commented Sep 2, 2016

It's rather the other way around… it's only when a user users a link ?token=…., that the need will be set in the current identity. This is because links are not given are not tied to users in anyway. They are just tokens that given you posses the token you can access the given resource.

Hence, it won't cause any loading issues, since you're just loading one token at a time.

Currently in zenodo all records are searchable, so there's no difference. However I don't think it would be difficult to add support for showing hidden records if you have a given token…..

@nharraud
Copy link

nharraud commented Sep 2, 2016

It's rather the other way around… it's only when a user users a link ?token=…., that the need will be set in the current identity.

Ok I understand better what you want to do. Seems simple enough.

Currently in zenodo all records are searchable, so there's no difference.

Ah yes you are right, I forgot that only the files are hidden. No problem on this side then. And yes for those who need to index the tokens in the records, they could use the request_accepted signal.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
v1.0.0
Development

No branches or pull requests
2 participants
@lnielsen @nharraud