Skip to content

Commit

Permalink
api: create new endpoint for access/users
Browse files Browse the repository at this point in the history
* add resource and service layer
* add error handerls
* add links
* cover with tests
* closes #1671
  • Loading branch information
anikachurilova committed Feb 26, 2024
1 parent ab5797a commit ce5b6c4
Show file tree
Hide file tree
Showing 13 changed files with 897 additions and 4 deletions.
7 changes: 7 additions & 0 deletions invenio_rdm_records/ext.py
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@
RDMRecordRequestsResourceConfig,
RDMRecordResource,
RDMRecordResourceConfig,
RDMUserAccessResource,
RDMUserAccessResourceConfig,
)
from .resources.config import (
RDMDraftMediaFilesResourceConfig,
Expand Down Expand Up @@ -223,6 +225,11 @@ def init_resource(self, app):
config=RDMParentGrantsResourceConfig.build(app),
)

self.user_access_resource = RDMUserAccessResource(
service=self.records_service,
config=RDMUserAccessResourceConfig.build(app),
)

# Record's communities
self.record_communities_resource = RDMRecordCommunitiesResource(
service=self.record_communities_service,
Expand Down
4 changes: 4 additions & 0 deletions invenio_rdm_records/resources/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
RDMRecordFilesResourceConfig,
RDMRecordRequestsResourceConfig,
RDMRecordResourceConfig,
RDMUserAccessResourceConfig,
)
from .resources import (
IIIFResource,
Expand All @@ -26,6 +27,7 @@
RDMParentRecordLinksResource,
RDMRecordRequestsResource,
RDMRecordResource,
RDMUserAccessResource,
)

__all__ = (
Expand All @@ -35,7 +37,9 @@
"RDMCommunityRecordsResourceConfig",
"RDMDraftFilesResourceConfig",
"RDMParentGrantsResource",
"RDMUserAccessResource",
"RDMParentGrantsResourceConfig",
"RDMUserAccessResourceConfig",
"RDMParentRecordLinksResource",
"RDMParentRecordLinksResourceConfig",
"RDMRecordCommunitiesResourceConfig",
Expand Down
52 changes: 49 additions & 3 deletions invenio_rdm_records/resources/config.py
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@

from ..services.errors import (
AccessRequestExistsError,
GrantExistsError,
InvalidAccessRestrictions,
RecordDeletedException,
ReviewExistsError,
Expand Down Expand Up @@ -357,7 +358,23 @@ class RDMDraftMediaFilesResourceConfig(FileResourceConfig, ConfiguratorMixin):
{
LookupError: create_error_handler(
HTTPJSONException(code=404, description="No grant found with the given ID.")
)
),
GrantExistsError: create_error_handler(
lambda e: HTTPJSONException(
code=400,
description=e.description,
)
),
}
)

user_access_error_handlers = RecordResourceConfig.error_handlers.copy()

user_access_error_handlers.update(
{
LookupError: create_error_handler(
HTTPJSONException(code=404, description="No grant found by given user id.")
),
}
)

Expand Down Expand Up @@ -399,8 +416,8 @@ class RDMParentGrantsResourceConfig(RecordResourceConfig, ConfiguratorMixin):
url_prefix = "/records/<pid_value>/access"

routes = {
"list": "/users",
"item": "/users/<grant_id>",
"list": "/grants",
"item": "/grants/<grant_id>",
}

links_config = {}
Expand All @@ -421,6 +438,35 @@ class RDMParentGrantsResourceConfig(RecordResourceConfig, ConfiguratorMixin):
error_handlers = grants_error_handlers


class RDMUserAccessResourceConfig(RecordResourceConfig, ConfiguratorMixin):
"""Record user access resource configuration."""

blueprint_name = "record_user_access"

url_prefix = "/records/<pid_value>/access"

routes = {
"item": "/users/<user_id>",
"list": "/users",
}

links_config = {}

request_view_args = {
"pid_value": ma.fields.Str(),
"user_id": ma.fields.Str(),
}

response_handlers = {
"application/vnd.inveniordm.v1+json": RecordResourceConfig.response_handlers[
"application/json"
],
**RecordResourceConfig.response_handlers,
}

error_handlers = user_access_error_handlers


#
# Community's records
#
Expand Down
70 changes: 70 additions & 0 deletions invenio_rdm_records/resources/resources.py
Original file line number Diff line number Diff line change
Expand Up @@ -628,6 +628,76 @@ def search(self):
return items.to_dict(), 200


class RDMUserAccessResource(RecordResource):
"""User access resource."""

def create_url_rules(self):
"""Create the URL rules for the record resource."""

def p(route_name):
"""Prefix a route with the URL prefix."""
return f"{self.config.url_prefix}{self.config.routes[route_name]}"

return [
route("GET", p("item"), self.read),
route("DELETE", p("item"), self.delete),
route("GET", p("list"), self.search),
route("PATCH", p("item"), self.partial_update),
]

@request_extra_args
@request_view_args
@response_handler()
def read(self):
"""Read an access grant for a record by user id."""
item = self.service.access.read_grant_by_user_id(
identity=g.identity,
id_=resource_requestctx.view_args["pid_value"],
user_id=resource_requestctx.view_args["user_id"],
expand=resource_requestctx.args.get("expand", False),
)

return item.to_dict(), 200

@request_view_args
def delete(self):
"""Delete an access grant for a record by user id."""
self.service.access.delete_grant_by_user_id(
identity=g.identity,
id_=resource_requestctx.view_args["pid_value"],
user_id=resource_requestctx.view_args["user_id"],
)
return "", 204

@request_extra_args
@request_search_args
@request_view_args
@response_handler(many=True)
def search(self):
"""List user access grants for a record."""
items = self.service.access.read_all_user_grants(
identity=g.identity,
id_=resource_requestctx.view_args["pid_value"],
expand=resource_requestctx.args.get("expand", False),
)
return items.to_dict(), 200

@request_extra_args
@request_view_args
@request_data
@response_handler()
def partial_update(self):
"""Patch user access grant for a record."""
item = self.service.access.update_grant_by_user_id(
identity=g.identity,
id_=resource_requestctx.view_args["pid_value"],
user_id=resource_requestctx.view_args["user_id"],
data=resource_requestctx.data,
expand=resource_requestctx.args.get("expand", False),
)
return item.to_dict(), 200


#
# Community's records
#
Expand Down
138 changes: 137 additions & 1 deletion invenio_rdm_records/services/access/service.py
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@

from ...requests.access import AccessRequestToken, GuestAccessRequest, UserAccessRequest
from ...secret_links.errors import InvalidPermissionLevelError
from ..errors import AccessRequestExistsError
from ..errors import AccessRequestExistsError, GrantExistsError
from ..results import GrantSubjectExpandableField


Expand Down Expand Up @@ -365,6 +365,13 @@ def create_grant(self, identity, id_, data, expand=False, uow=None):
data, context={"identity": identity}, raise_errors=True
)

for grant in parent.access.grants:
if (
grant.subject_id == data["subject"]["id"]
and grant.subject_type == data["subject"]["type"]
):
raise GrantExistsError()

# Creation
grant = parent.access.grants.create(
subject_type=data["subject"]["type"],
Expand Down Expand Up @@ -407,6 +414,28 @@ def read_grant(self, identity, id_, grant_id, expand=False):
expand=expand,
)

def read_grant_by_user_id(self, identity, id_, user_id, expand=False):
"""Read a specific access grant of a record by user id."""
record, parent = self.get_parent_and_record_or_draft(id_)

# Permissions
self.require_permission(identity, "manage", record=record)

result = None
for grant in parent.access.grants:
if grant.subject_id == user_id and grant.subject_type == "user":
result = grant

if not result:
raise LookupError(user_id)

return self.grant_result_item(
self,
identity,
result,
expand=expand,
)

@unit_of_work()
def update_grant(
self,
Expand Down Expand Up @@ -481,6 +510,91 @@ def read_all_grants(self, identity, id_, expand=False):
expand=expand,
)

def read_all_user_grants(self, identity, id_, expand=False):
"""Read the user access grants of a record (resp. its parent)."""
record, parent = self.get_parent_and_record_or_draft(id_)

# Permissions
self.require_permission(identity, "manage", record=record)

user_grants = []
for grant in parent.access.grants:
if grant.subject_type == "user":
user_grants.append(grant)

# Fetching
return self.grant_result_list(
service=self,
identity=identity,
results=user_grants,
expand=expand,
)

@unit_of_work()
def update_grant_by_user_id(
self,
identity,
id_,
user_id,
data,
expand=False,
uow=None,
):
"""Update user access grant for a record (resp. its parent)."""
record, parent = self.get_parent_and_record_or_draft(id_)

# Permissions
self.require_permission(identity, "manage", record=record)

# Fetching (required for parts of the validation)
grant_id = None
for grant in parent.access.grants:
if grant.subject_id == user_id and grant.subject_type == "user":
grant_id = parent.access.grants.index(grant)

if grant_id is None:
raise LookupError(user_id)

old_grant = parent.access.grants[grant_id]
data = {
"permission": data.get("permission", old_grant.permission),
"subject": {
"type": data.get("subject", {}).get("type", old_grant.subject_type),
"id": data.get("subject", {}).get("id", old_grant.subject_id),
},
"origin": data.get("origin", old_grant.origin),
}

# Validation
data, __ = self.schema_grant.load(
data, context={"identity": identity}, raise_errors=True
)

# Update
try:
new_grant = parent.access.grants.grant_cls.create(
origin=data["origin"],
permission=data["permission"],
subject_type=data["subject"]["type"],
subject_id=data["subject"]["id"],
resolve_subject=True,
)
except LookupError:
raise ValidationError(
_("Could not find the specified subject."), field_name="subject.id"
)

parent.access.grants[grant_id] = new_grant

uow.register(ParentRecordCommitOp(parent, indexer_context=dict(service=self)))

return self.grant_result_item(
self,
identity,
new_grant,
expand=expand,
)

@unit_of_work()
def delete_grant(self, identity, id_, grant_id, uow=None):
"""Delete an access grant for a record (resp. its parent)."""
Expand All @@ -500,6 +614,28 @@ def delete_grant(self, identity, id_, grant_id, uow=None):

return True

@unit_of_work()
def delete_grant_by_user_id(self, identity, id_, user_id, uow=None):
"""Delete an access grant for a record by user id."""
record, parent = self.get_parent_and_record_or_draft(id_)

# Permissions
self.require_permission(identity, "manage", record=record)

# Deletion
result = None
for grant in parent.access.grants:
if grant.subject_id == user_id and grant.subject_type == "user":
result = grant
parent.access.grants.remove(grant)

if not result:
raise LookupError(user_id)

uow.register(ParentRecordCommitOp(parent, indexer_context=dict(service=self)))

return True

def _exists(self, created_by, record_id, request_type):
"""Return the request id if an open request already exists, else None."""
query_terms = [
Expand Down
1 change: 1 addition & 0 deletions invenio_rdm_records/services/config.py
Original file line number Diff line number Diff line change
Expand Up @@ -428,6 +428,7 @@ class RDMRecordServiceConfig(RecordServiceConfig, ConfiguratorMixin):
),
"versions": RecordLink("{+api}/records/{id}/versions"),
"access_links": RecordLink("{+api}/records/{id}/access/links"),
"access_grants": RecordLink("{+api}/records/{id}/access/grants"),
"access_users": RecordLink("{+api}/records/{id}/access/users"),
"access_request": RecordLink("{+api}/records/{id}/access/request"),
"access": RecordLink("{+api}/records/{id}/access"),
Expand Down
6 changes: 6 additions & 0 deletions invenio_rdm_records/services/errors.py
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,12 @@ class RDMRecordsException(Exception):
"""Base exception for RDMRecords errors."""


class GrantExistsError(RDMRecordsException):
"""Exception raised when trying to create a grant that already exists for user/role."""

description = _("Grant for this user/role already exists within this record.")


class RecordDeletedException(RDMRecordsException):
"""Exception denoting that the record was deleted."""

Expand Down
Loading

0 comments on commit ce5b6c4

Please sign in to comment.