From ae46c0a129799a163142df98e1ed49d2351f4e33 Mon Sep 17 00:00:00 2001
From: github-actions
Date: Thu, 1 Feb 2024 21:33:01 +0000
Subject: [PATCH 1/6] Update _frontend.codex submodule to HEAD of codex-frontend@develop
---
 _frontend.codex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/_frontend.codex b/_frontend.codex
index a2f489fe1..68b49199d 160000
--- a/_frontend.codex
+++ b/_frontend.codex
@@ -1 +1 @@
-Subproject commit a2f489fe1c30b90a0975273d9651e62abd9e9ae4
+Subproject commit 68b49199da61281e0341b3eed0462e0583800ba7
From e6f6b2c48bb8efe8272a92c3075e977054e1a3ec Mon Sep 17 00:00:00 2001
From: Jon Van Oast
Date: Thu, 1 Feb 2024 13:49:19 -0700
Subject: [PATCH 2/6] drop export
---
 app/extensions/__init__.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/extensions/__init__.py b/app/extensions/__init__.py
index 4b5d91c0e..a0306815b 100644
--- a/app/extensions/__init__.py
+++ b/app/extensions/__init__.py
@@ -498,7 +498,7 @@ def current_user_has_export_permission(self):
 from app.modules.users.permissions.rules import ObjectActionRule
 from app.modules.users.permissions.types import AccessOperation
- rule = ObjectActionRule(obj=self, action=AccessOperation.EXPORT)
+ rule = ObjectActionRule(obj=self, action=AccessOperation.READ)
 return rule.check()
 def current_user_has_edit_permission(self):
@@ -512,7 +512,7 @@ def user_has_export_permission(self, user):
 from app.modules.users.permissions.rules import ObjectActionRule
 from app.modules.users.permissions.types import AccessOperation
- rule = ObjectActionRule(obj=self, action=AccessOperation.EXPORT, user=user)
+ rule = ObjectActionRule(obj=self, action=AccessOperation.READ, user=user)
 return rule.check()
 def user_has_view_permission(self, user):
From efc3c7c78e694a33d71fa616e31105cb4fab1c9f Mon Sep 17 00:00:00 2001
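Review bot: Routing `current_user_has_export_permission` through `AccessOperation.READ` makes export rights identical to view rights, so any principal granted view access — including a collaboration-approved viewer, as the PATCH 4/6 test then asserts for researcher_2 — can pull a bulk export; the second hunk (`user_has_export_permission`) has the same issue. The READ rule lists in rules.py remain distinct from the EXPORT lists, so the intent appears to be a separate, narrower export gate. PATCH 6/6 in this series restores `AccessOperation.EXPORT` in both methods, so this intermediate state should not be deployed on its own; if export-as-read is ever intended, add a comment on both lines stating it explicitly. Both method signatures sit in the hunk headers, outside the hunk lines.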
From: Jon Van Oast
Date: Thu, 1 Feb 2024 13:54:31 -0700
Subject: [PATCH 3/6] loosen READ restrictions to include admin
---
 app/modules/users/permissions/rules.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/modules/users/permissions/rules.py b/app/modules/users/permissions/rules.py
index 35b5936f2..12a204525 100644
--- a/app/modules/users/permissions/rules.py
+++ b/app/modules/users/permissions/rules.py
@@ -119,13 +119,13 @@
 'is_admin',
 'is_researcher',
 ],
- ('Encounter', AccessOperation.READ): ['is_researcher'],
+ ('Encounter', AccessOperation.READ): ['is_researcher', 'is_admin'],
 ('Encounter', AccessOperation.EXPORT): ['is_researcher'],
 ('Encounter', AccessOperation.WRITE): ['is_active'], # TODO is this still correct
- ('Sighting', AccessOperation.READ): ['is_researcher'],
+ ('Sighting', AccessOperation.READ): ['is_researcher', 'is_admin'],
 ('Sighting', AccessOperation.WRITE): ['is_active'],
 ('Sighting', AccessOperation.DELETE): ['is_admin'],
- ('Individual', AccessOperation.READ): ['is_researcher'],
+ ('Individual', AccessOperation.READ): ['is_researcher', 'is_admin'],
 ('Individual', AccessOperation.EXPORT): ['is_researcher'],
 ('Individual', AccessOperation.WRITE): ['is_researcher'],
 ('Individual', AccessOperation.DELETE): ['is_admin'],
From d6243cbe0a50b8b9ff854afe0a1ee57476f469c2 Mon Sep 17 00:00:00 2001
From: Jon Van Oast
Date: Thu, 1 Feb 2024 15:55:39 -0700
Subject: [PATCH 4/6] test fix
---
 .../collaborations/resources/test_collaboration_usage.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/modules/collaborations/resources/test_collaboration_usage.py b/tests/modules/collaborations/resources/test_collaboration_usage.py
index afd490f0c..4871386e8 100644
--- a/tests/modules/collaborations/resources/test_collaboration_usage.py
+++ b/tests/modules/collaborations/resources/test_collaboration_usage.py
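Review bot: Adding `'is_admin'` to the READ rule for Encounter, Sighting and Individual while leaving their EXPORT rules at `['is_researcher']` produces an asymmetry — an admin may now read, and for Individual already may DELETE, but still may not export — that is reasonable but nowhere stated. A short comment above the first changed entry, `# admins may READ these models; EXPORT is intentionally researcher-only`, would record that the gap is deliberate rather than an oversight when the next person edits this table. The rule table itself is a module-level literal whose start and end lie outside the hunk.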
@@ -58,7 +58,7 @@ def test_use_collaboration(
 assert sighting.user_has_view_permission(researcher_1)
 assert sighting.user_has_export_permission(researcher_1)
 assert sighting.user_has_view_permission(researcher_2)
- assert not sighting.user_has_export_permission(researcher_2)
+ assert sighting.user_has_export_permission(researcher_2)
 # Researcher 2 should be able to view all the data but edit none of it
 asset_group_utils.read_asset_group(flask_app_client, researcher_2, asset_group_uuid)
From 7bc9e50200f913613fa6e78111b310237feb11c2 Mon Sep 17 00:00:00 2001
From: Jon Van Oast
Date: Thu, 1 Feb 2024 16:37:28 -0700
Subject: [PATCH 5/6] allow some "reasonable" huge number of export
---
 app/modules/encounters/resources.py | 2 +-
 app/modules/individuals/resources.py | 2 +-
 app/modules/sightings/resources.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/modules/encounters/resources.py b/app/modules/encounters/resources.py
index a88209bc4..761efe324 100644
--- a/app/modules/encounters/resources.py
+++ b/app/modules/encounters/resources.py
@@ -249,7 +249,7 @@ class EncounterExport(Resource):
 )
 def post(self):
 search = request.get_json()
- encs = Encounter.elasticsearch(search)
+ encs = Encounter.elasticsearch(search, limit=15000)
 if not encs:
 abort(400, 'No results to export')
 from flask import send_file
diff --git a/app/modules/individuals/resources.py b/app/modules/individuals/resources.py
index f0fad8e2c..145549b63 100644
--- a/app/modules/individuals/resources.py
+++ b/app/modules/individuals/resources.py
@@ -272,7 +272,7 @@ class IndividualExport(Resource):
 )
 def post(self):
 search = request.get_json()
- indivs = Individual.elasticsearch(search)
+ indivs = Individual.elasticsearch(search, limit=15000)
 if not indivs:
 abort(400, 'No results to export')
 from flask import send_file
diff --git a/app/modules/sightings/resources.py b/app/modules/sightings/resources.py
index b22aca7b9..21b2f2777 100644
--- a/app/modules/sightings/resources.py
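Review bot: `limit=15000` is a bare magic number repeated in `EncounterExport.post`, `IndividualExport.post` (this line) and `SightingExport.post` (the next hunk); hoist it to one named module-level constant, e.g. `EXPORT_MAX_RESULTS = 15000  # upper bound on rows a single export will materialize in memory`, and pass `limit=EXPORT_MAX_RESULTS` in all three. Presumably `elasticsearch(..., limit=...)` truncates rather than fails above the bound, in which case a caller whose search matches more rows receives a silently incomplete file; the response should signal that the cap was hit (a header or a count field) so the truncation is detectable. The bound is a sensible resource guard for an endpoint that hands the body from `request.get_json()` straight to the search layer, so keep it, but document why 15000 was chosen. Each `post` continues past its hunk.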
+++ b/app/modules/sightings/resources.py
@@ -149,7 +149,7 @@ class SightingExport(Resource):
 )
 def post(self):
 search = request.get_json()
- sights = Sighting.elasticsearch(search)
+ sights = Sighting.elasticsearch(search, limit=15000)
 if not sights:
 abort(400, 'No results to export')
 from flask import send_file
From 6de11937fcdc1686626e9b0ea1a79279bf82a725 Mon Sep 17 00:00:00 2001
From: Jon Van Oast
Date: Fri, 2 Feb 2024 12:59:39 -0700
Subject: [PATCH 6/6] export permissions fixes
---
 app/extensions/__init__.py | 4 +--
 .../resources/test_collaboration_usage.py | 27 ++++++++++++++++---
 2 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/app/extensions/__init__.py b/app/extensions/__init__.py
index a0306815b..4b5d91c0e 100644
--- a/app/extensions/__init__.py
+++ b/app/extensions/__init__.py
@@ -498,7 +498,7 @@ def current_user_has_export_permission(self):
 from app.modules.users.permissions.rules import ObjectActionRule
 from app.modules.users.permissions.types import AccessOperation
- rule = ObjectActionRule(obj=self, action=AccessOperation.READ)
+ rule = ObjectActionRule(obj=self, action=AccessOperation.EXPORT)
 return rule.check()
 def current_user_has_edit_permission(self):
@@ -512,7 +512,7 @@ def user_has_export_permission(self, user):
 from app.modules.users.permissions.rules import ObjectActionRule
 from app.modules.users.permissions.types import AccessOperation
- rule = ObjectActionRule(obj=self, action=AccessOperation.READ, user=user)
+ rule = ObjectActionRule(obj=self, action=AccessOperation.EXPORT, user=user)
 return rule.check()
 def user_has_view_permission(self, user):
diff --git a/tests/modules/collaborations/resources/test_collaboration_usage.py b/tests/modules/collaborations/resources/test_collaboration_usage.py
index 4871386e8..a1830112a 100644
--- a/tests/modules/collaborations/resources/test_collaboration_usage.py
+++ b/tests/modules/collaborations/resources/test_collaboration_usage.py
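Review bot: Restoring `AccessOperation.EXPORT` re-separates export from view, but the two methods stay undocumented even though this series has already flipped them twice, which is how the earlier collapse into READ slipped through; a docstring on `current_user_has_export_permission` (and the same wording on `user_has_export_permission` in the second hunk) should state the contract: `"""True if the user may bulk-export this object. Gated by AccessOperation.EXPORT, not READ, so view-only access (e.g. via a collaboration) does not confer export."""`. The collaboration case is exactly what the accompanying test pins for user_manager_user. Both `def` lines are in the hunk headers, outside the hunk lines.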
@@ -16,7 +16,14 @@
 module_unavailable('collaborations'),
 reason='Collaborations module disabled'
 )
 def test_use_collaboration(
- flask_app_client, researcher_1, researcher_2, admin_user, test_root, db, request
+ flask_app_client,
+ researcher_1,
+ researcher_2,
+ admin_user,
+ user_manager_user,
+ test_root,
+ db,
+ request,
 ):
 from app.modules.sightings.models import Sighting
@@ -33,6 +40,7 @@ def test_use_collaboration(
 assert sighting.user_has_export_permission(researcher_1)
 assert not sighting.user_has_view_permission(researcher_2)
 assert not sighting.user_has_export_permission(researcher_2)
+ assert not sighting.user_has_export_permission(user_manager_user)
 # should not work and should give informative error
 ags_resp = asset_group_utils.read_asset_group_sighting(
@@ -44,7 +52,20 @@ def test_use_collaboration(
 )
 assert ags_resp['message'] == access_error
- # create a (view) collab and approve
+ # create a (view) collab (between researcher1 and user_manager_user) and approve
+ create_resp = collab_utils.create_simple_collaboration(
+ flask_app_client, researcher_1, user_manager_user
+ )
+ collab_guid = create_resp.json['guid']
+ collab = collab_utils.get_collab_object_for_user(researcher_1, collab_guid)
+ request.addfinalizer(collab.delete)
+ collab_utils.approve_view_on_collaboration(
+ flask_app_client, collab_guid, user_manager_user, researcher_1
+ )
+ assert sighting.user_has_view_permission(user_manager_user)
+ assert not sighting.user_has_export_permission(user_manager_user)
+
+ # create a (view) collab (between researchers) and approve
 create_resp = collab_utils.create_simple_collaboration(
 flask_app_client, researcher_1, researcher_2
 )
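Review bot: The new assertions cover the collaboration-view case for user_manager_user, but nothing in the series asserts the READ widening from PATCH 3/6 (`'is_admin'` added to the Encounter/Sighting/Individual rules), even though `admin_user` is in this test's fixture list and is not used in any visible hunk; `assert sighting.user_has_view_permission(admin_user)` and `assert not sighting.user_has_export_permission(admin_user)` beside the user_manager_user checks in the second hunk would pin both the widened read and the unchanged export gate. The second assert is inferred from the EXPORT rules staying `['is_researcher']`; confirm the admin fixture does not also satisfy is_researcher before adding it. test_use_collaboration continues past the last hunk.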
@@ -58,7 +79,7 @@ def test_use_collaboration(
 assert sighting.user_has_view_permission(researcher_1)
 assert sighting.user_has_export_permission(researcher_1)
 assert sighting.user_has_view_permission(researcher_2)
- assert sighting.user_has_export_permission(researcher_2)
+ assert not sighting.user_has_export_permission(researcher_2)
 # Researcher 2 should be able to view all the data but edit none of it
 asset_group_utils.read_asset_group(flask_app_client, researcher_2, asset_group_uuid)