oarepo-runtime 1.5.97__py3-none-any.whl → 1.5.100__py3-none-any.whl

oarepo_runtime/cli/__init__.py

@@ -4,6 +4,7 @@ from .check import check
 from .configuration import configuration_command
 from .fixtures import fixtures
 from .index import index
+from .permissions import permissions
 from .validate import validate
 
 __all__ = (
@@ -15,4 +16,5 @@ __all__ = (
     "validate",
     "fixtures",
     "configuration_command",
+    "permissions",
 )

oarepo_runtime/cli/permissions/__init__.py

@@ -0,0 +1,6 @@
+from .base import permissions
+from .evaluate import evaluate_permissions  # noqa
+from .list import list_permissions  # noqa
+from .search import search_permissions  # noqa
+
+__all__ = ["permissions"]

oarepo_runtime/cli/permissions/base.py

@@ -0,0 +1,25 @@
+from flask import current_app
+from flask_principal import Identity, identity_loaded
+from invenio_access.models import User
+
+from ..base import oarepo
+
+
+@oarepo.group()
+def permissions():
+    """Commands for checking and explaining permissions."""
+
+
+def get_user_and_identity(user_id_or_email):
+    try:
+        user_id = int(user_id_or_email)
+        user = User.query.filter_by(id=user_id).one()
+    except ValueError:
+        user = User.query.filter_by(email=user_id_or_email).one()
+
+    identity = Identity(user.id)
+    api_app = current_app.wsgi_app.mounts["/api"]
+    with api_app.app_context():
+        with current_app.test_request_context("/api"):
+            identity_loaded.send(api_app, identity=identity)
+    return user, identity

oarepo_runtime/cli/permissions/evaluate.py

@@ -0,0 +1,63 @@
+import json
+
+import click
+from invenio_records_permissions.policies.records import RecordPermissionPolicy
+from invenio_records_resources.proxies import current_service_registry
+
+from oarepo_runtime.info.permissions.debug import add_debugging
+
+from .base import get_user_and_identity, permissions
+
+
+@permissions.command(name="evaluate")
+@click.argument("user_id_or_email")
+@click.argument("service_name")
+@click.argument("record_id", required=False)
+@click.option("--data", "-d", help="Data to pass to the policy check")
+@click.option("--explain/--no-explain", default=False)
+@click.option("--draft/--published", default=False)
+def evaluate_permissions(
+    user_id_or_email: str,
+    service_name: str,
+    record_id: str | None = None,
+    data: str | None = None,
+    explain: bool = False,
+    draft: bool = False,
+):
+    """Evaluate permissions for a given workflow, community or service."""
+    service = current_service_registry.get(service_name)
+    user, identity = get_user_and_identity(user_id_or_email)
+
+    over = {}
+    if record_id:
+        if draft:
+            over["record"] = service.config.draft_cls.pid.resolve(
+                record_id, registered_only=False
+            )
+        else:
+            over["record"] = service.config.record_cls.pid.resolve(record_id)
+    if data:
+        over["data"] = json.loads(data)
+
+    if explain:
+        over["debug_identity"] = identity
+        add_debugging()
+
+    policy_cls = service.config.permission_policy_cls
+    click.secho(f"Policy: {policy_cls}")
+
+    for action_name in dir(policy_cls):
+        if not action_name.startswith("can_"):
+            continue
+
+        policy: RecordPermissionPolicy = policy_cls(action_name[4:], **over)
+        if explain:
+            click.secho()
+            click.secho(f"## {action_name}")
+        try:
+            if policy.allows(identity):
+                click.secho(f"{action_name}: True", fg="green")
+            else:
+                click.secho(f"{action_name}: False", fg="red")
+        except Exception as e:
+            click.secho(f"{action_name}: {e}", fg="yellow")

oarepo_runtime/cli/permissions/list.py

@@ -0,0 +1,239 @@
+from typing import get_type_hints
+
+import click
+
+from oarepo_runtime.info.permissions.debug import add_debugging
+
+from .base import permissions
+
+
+@permissions.command(name="list")
+@click.option("--workflow", "-w", help="Workflow name")
+@click.option("--community", "-c", help="Community name")
+@click.option("--service", "-s", help="Service name")
+def list_permissions(workflow, community, service):
+    """List all permissions for a given workflow, community or service."""
+    # intentionally import here to enable oarepo-runtime to be used
+    # without oarepo-workflows and oarepo-communities
+    from invenio_communities.communities.records.api import Community
+    from invenio_communities.communities.records.models import CommunityMetadata
+    from oarepo_workflows.proxies import current_oarepo_workflows
+
+    if workflow:
+        wf = current_oarepo_workflows.record_workflows[workflow]
+        permission_policy = wf.permission_policy_cls
+    elif community:
+        community_db = CommunityMetadata.query.filter_by(slug=community).one()
+        community_obj = Community(community_db.data, model=community_db)
+        workflow = community_obj["custom_fields"].get("workflow", "default")
+        wf = current_oarepo_workflows.record_workflows[workflow]
+        permission_policy = wf.permission_policy_cls
+    elif service:
+        from invenio_records_resources.proxies import current_service_registry
+
+        swc = current_service_registry.get(service)
+        permission_policy = swc.config.permission_policy_cls
+    else:
+        raise click.UsageError(
+            "You must specify either --workflow, --community or --service."
+        )
+
+    add_debugging()
+
+    p = permission_policy("read")
+
+    for action_name in dir(permission_policy):
+        if not action_name.startswith("can_"):
+            continue
+        action_permission_generators = getattr(p, action_name)
+        debugs = []
+        for x in action_permission_generators:
+            debugs.append(x.to_debug_dict())
+
+        print("")
+        print(f"## {action_name}")
+        print(get_permission_documentation(permission_policy, action_name))
+        for perm in debugs:
+            print_permission_markdown(perm)
+
+
+def is_simple_dict(d):
+    return all(isinstance(v, (str, int, float, bool)) for v in d.values())
+
+
+def format_simple_dict_values(d):
+    # returns k=v, k=v, ...
+    return ", ".join(f"{k}={v}" for k, v in d.items())
+
+
+def print_permission_markdown(p, level=0):
+    for k, v in p.items():
+        prologue = "  " * level + f"- {k}"
+        if v is None or v == {} or v == []:
+            print(prologue)
+            continue
+        elif isinstance(v, dict):
+            if is_simple_dict(v):
+                print(f"{prologue}: {format_simple_dict_values(v)}")
+            else:
+                print(prologue)
+                print_permission_markdown(v, level + 1)
+        elif isinstance(v, list):
+            print(prologue)
+            for x in v:
+                print_permission_markdown(x, level + 1)
+        else:
+            print("  " * (level + 1) + f"{v}")
+
+
+def get_permission_documentation(policy, permission_can_name):
+    type_hints = get_type_hints(policy, include_extras=True)
+    annotation = type_hints.get(permission_can_name)
+    if annotation:
+        for md in annotation.__metadata__:
+            if isinstance(md, str):
+                return md
+    ret = default_permissions_documentation.get(permission_can_name, "")
+    return "\n".join(x.strip() for x in ret.split("\n"))
+
+
+default_permissions_documentation = {
+    # records
+    "can_create": """
+        Grants users the ability to create new records in the 
+        repository, often assigned to roles like submitters, owners, or curators.
+        The result of this action is typically a draft record.
+    """,
+    "can_read": """
+        Allows users to view or access records, with access 
+        possibly dependent on the record's state (e.g., draft or published) and the 
+        user's role.
+    """,
+    "can_read_deleted": """
+        Permission to view or access records, including soft-deleted ones. This 
+        permission is used to filter search results. It should include an 
+        `IfRecordDeleted` permission generator, which grants access to deleted 
+        records to a subset of users (e.g., owners, curators, etc.). For 
+        `service.read`, this permission is applied when record is deleted and 
+        `include_deleted` is passed; otherwise, a `RecordDeletedException` is raised.
+    """,
+    "can_search": """
+        Grants users the ability to search for records within the 
+        repository, typically available to all users. The search results are
+        filtered based on the can_read_deleted permission for published records (/api/datasets)
+        and the can_read_draft permission for draft records (/api/user/datasets).
+    """,
+    "can_update": """
+        Grants users the ability to update or modify published records.
+        In NRP repositories, this is normally disabled as updates are performed
+        on draft records, which are then published.
+    """,
+    "can_delete": """
+        Grants users the ability to delete records, often restricted 
+        to owners, curators, or specific roles, and dependent on the record's 
+        state (e.g., draft). For published records, the deletion is performed
+        via a specialized request, not directly.
+    """,
+    "can_new_version": """
+        Allows users to create a new version of a record. In NRP,
+        this is not used directly but always via a request, which is mostly
+        auto-approved.
+    """,
+    "can_edit": """
+        Grants users the ability to modify the metadata of a record. In NRP, this
+        is not used directly but always via a request, which is mostly auto-approved.
+    """,
+    "can_manage": """
+        Grants users the ability to manage records. Currently it is used just
+        for reindexing records with latest version first (reindex_latest_first)
+        service call, not mapped to REST API.
+    """,
+    "can_manage_record_access": """
+        Grants users the ability to manage record access.
+    """,
+    # draft records
+    "can_read_draft": """
+        Enables users to view or access draft records, typically equivalent to 
+        the general 'can_read' permission but specific to drafts.
+    """,
+    "can_delete_draft": """
+        Allows users to delete draft records, typically equivalent to the general 
+        'can_delete' permission but specific to drafts.
+    """,
+    "can_update_draft": """
+        Allows users to update draft records. It is typically granted to record
+        owner, but can be restricted by the record status (such as records submitted
+        to review being locked).
+    """,
+    "can_publish": """
+        Grants users the ability to publish records, making them publicly 
+        available or finalizing their state. In NRP repositories, this is
+        not used directly but always via a request.
+    """,
+    # files
+    "can_read_files": """
+        Grants users the ability to view or access file metadata associated with records, 
+        with access dependent on the record's state and the user's role.
+    """,
+    "can_create_files": """
+        Enables users to create new files within published records in the repository.
+        Normally disabled as files are created in draft records and then published.
+    """,
+    "can_delete_files": """
+        Enables users to delete files associated with published records in the repository.
+        Normally disabled as files can not be deleted from published records.
+    """,
+    "can_update_files": """
+        Enables users to update or modify files within published records in the repository.
+        Normally disabled as files are updated in draft records and then published.
+    """,
+    "can_commit_files": """
+        Allows users to finalize file upload to published records in the repository.
+        Normally disabled as files are uploaded to draft records and then published.
+    """,
+    "can_get_content_files": """
+        Allows users to access or retrieve the content of files on records published 
+        in the repository, with access depending on the record's state and the user's role.
+    """,
+    "can_manage_files": """
+        Grants users the ability to manage files (that is, change if the files are
+        required on the record or not).
+    """,
+    "can_read_deleted_files": """
+        Allows users to view or access files associated with deleted records, 
+        often restricted to specific conditions.
+    """,
+    "can_set_content_files": """
+        Enables users to upload files to published records. Normally disabled as files
+        are uploaded to draft records and then published.
+    """,
+    # draft files
+    "can_draft_read_files": """
+        Allows users to view or access file metadata associated with draft records,
+        typically equivalent to the general 'can_read_files' permission but specific
+        to drafts.
+    """,
+    "can_draft_create_files": """
+        Allows users to create files specifically for draft records.
+    """,
+    "can_draft_get_content_files": """
+        Allows users to access or retrieve the content of files on draft records.
+    """,
+    "can_draft_set_content_files": """
+        Allows users to upload files to draft records.
+    """,
+    "can_draft_commit_files": """
+        Allows users to finalize file upload to draft records.
+    """,
+    "can_draft_update_files": """
+        Allows users to update or modify files within draft records.
+    """,
+    "can_draft_delete_files": """
+        Allows users to delete files associated with draft records.
+    """,
+    # misc
+    "can_create_or_update_many": """
+        Allows bulk creation or updating of multiple records or files.
+        Not used at the moment.
+    """,
+}

oarepo_runtime/cli/permissions/search.py

@@ -0,0 +1,121 @@
+import json
+import sys
+
+import click
+import yaml
+from invenio_records_resources.proxies import current_service_registry
+
+from oarepo_runtime.info.permissions.debug import add_debugging, merge_communities
+
+from .base import get_user_and_identity, permissions
+
+
+@permissions.command(name="search")
+@click.argument("user_id_or_email")
+@click.argument("service_name")
+@click.option("--explain/--no-explain", default=False)
+@click.option("--user/--published", "user_call", default=False)
+@click.option("--full-query/--query-filters", default=False)
+@click.option("--merge-communities", "do_merge_communities", is_flag=True)
+@click.option("--json/--yaml", "as_json", default=False)
+def search_permissions(
+    user_id_or_email,
+    service_name,
+    explain,
+    user_call,
+    full_query,
+    do_merge_communities,
+    as_json,
+):
+    """Get search parameters for a given service."""
+    try:
+        service = current_service_registry.get(service_name)
+    except KeyError:
+        raise click.UsageError(
+            f"Service {service_name} not found in {current_service_registry._services.keys()}"
+        )
+    user, identity = get_user_and_identity(user_id_or_email)
+
+    permission_policy = service.config.permission_policy_cls
+
+    add_debugging(print_search=explain, print_needs=False, print_excludes=False)
+
+    if full_query:
+        previous_search = service._search
+
+        class NoExecute:
+            def __init__(self, query):
+                self.query = query
+
+            def execute(self):
+                return self.query
+
+        def _patched_search(*args, **kwargs):
+            ret = previous_search(*args, **kwargs)
+            return NoExecute(ret)
+
+        def _patched_result_list(self, identity, results, params, **kwargs):
+            return results
+
+        service._search = _patched_search
+        service.result_list = _patched_result_list
+
+        if user_call:
+            ret = service.search_drafts(identity)
+        else:
+            ret = service.search(identity)
+        ret = ret.to_dict()
+        if do_merge_communities:
+            ret = merge_communities(ret)
+        ret = {
+            "query": ret["query"],
+        }
+        dump_dict(ret, as_json)
+    else:
+
+        over = {}
+        if explain:
+            over["debug_identity"] = identity
+            print("## Explaining search:")
+
+        if user_call:
+            p = permission_policy("read_draft", identity=identity, **over)
+        else:
+            p = permission_policy("read_deleted", identity=identity, **over)
+        query_filters = p.query_filters
+
+        print()
+        print("## Query filters:")
+        for qf in query_filters:
+            dict_qf = qf.to_dict()
+            if explain:
+                dict_qf = merge_communities(dict_qf)
+            dump_dict(dict_qf, as_json)
+            print(json.dumps(dict_qf, indent=2))
+
+
+def merge_name(d):
+    if isinstance(d, list):
+        return [merge_name(x) for x in d]
+    if isinstance(d, dict):
+        ret = {}
+        for k, v in d.items():
+            v = merge_name(v)
+            if isinstance(v, dict) and "_name" in v:
+                _name = v.pop("_name")
+                _name = _name.split("@")[0].strip()
+                k = f"{k}[{_name}]"
+            ret[k] = v
+        return ret
+    return d
+
+
+def dump_dict(d, as_json=False):
+    if as_json:
+        print(json.dumps(d, indent=2))
+    else:
+        yaml.safe_dump(
+            merge_name(json.loads(json.dumps(d))),
+            sys.stdout,
+            default_flow_style=False,
+        )

oarepo_runtime/info/permissions/debug.py

@@ -0,0 +1,191 @@
+"""Instrumentors for debugging permissions."""
+
+import contextvars
+import inspect
+import json
+import sys
+
+from invenio_records_permissions.generators import ConditionalGenerator, Generator
+
+
+def generator_to_debug_dict(self: Generator):
+    ret = {
+        "name": self.__class__.__name__,
+    }
+    ret = {}
+    for fld in self.__dict__:
+        if fld.startswith("__"):
+            continue
+        if fld in ("then_", "else_"):
+            continue
+        value = self.__dict__[fld]
+        if not isinstance(value, (str, int, float, bool)):
+            value = str(value)
+        ret[fld] = value
+
+    return {self.__class__.__name__: ret}
+
+
+def conditional_generator_to_debug_dict(self: ConditionalGenerator):
+    ret = generator_to_debug_dict(self)
+    r = ret[self.__class__.__name__]
+    if self.then_:
+        r["then"] = [x.to_debug_dict() for x in self.then_]
+    if self.else_:
+        r["else"] = [x.to_debug_dict() for x in self.else_]
+    return ret
+
+
+def get_all_generators():
+    generator_classes = set()
+    queue = [Generator]
+    while queue:
+        gen = queue.pop()
+        generator_classes.add(gen)
+        for cls in gen.__subclasses__():
+            if cls in generator_classes:
+                continue
+            queue.append(cls)
+    return generator_classes
+
+
+debugging_level = contextvars.ContextVar("debugging_level", default=0)
+
+
+def debug_needs_output(clz, method_name):
+    method = getattr(clz, method_name)
+
+    def wrapper(self, *args, **kwargs):
+        dd = json.dumps(self.to_debug_dict())
+        print(f"{'  ' * debugging_level.get()}{dd}.{method_name} ->", file=sys.stderr)
+        reset = debugging_level.set(debugging_level.get() + 1)
+        ret = method(self, *args, **kwargs)
+        debugging_level.reset(reset)
+        if "debug_identity" in kwargs:
+            matched_needs = set(ret) & set(kwargs["debug_identity"].provides)
+            print(
+                f"{'  ' * debugging_level.get()}  -> match: {matched_needs}",
+                file=sys.stderr,
+            )
+        else:
+            print(f"{'  ' * debugging_level.get()}  -> {ret}", file=sys.stderr)
+        return ret
+
+    return wrapper
+
+
+def debug_search_output(clz, method_name, print_search):
+    method = getattr(clz, method_name)
+
+    def wrapper(self, *args, **kwargs):
+        dd = json.dumps(self.to_debug_dict())
+        if print_search:
+            print(f"{'  ' * debugging_level.get()}{dd}.{method_name}:", file=sys.stderr)
+        reset = debugging_level.set(debugging_level.get() + 2)
+        ret = method(self, *args, **kwargs)
+        debugging_level.reset(reset)
+        if isinstance(ret, list):
+            r = merge_communities([x.to_dict() for x in ret])
+        elif ret:
+            r = merge_communities(ret.to_dict())
+        else:
+            r = None
+        if print_search:
+            print(
+                f"{'  ' * debugging_level.get()}{dd}.{method_name} -> {r}",
+                file=sys.stderr,
+            )
+        return ret
+
+    wrapper.__module__ = clz.__module__
+    wrapper.__qualname__ = f"{clz.__qualname__}.{method_name}"
+    wrapper.__name__ = method_name
+    return wrapper
+
+
+def merge_communities(x):
+    if isinstance(x, list):
+        return [merge_communities(y) for y in x]
+    if isinstance(x, dict):
+        ret = {k: merge_communities(v) for k, v in x.items()}
+        if "parent.communities.default" in ret:
+            ret["parent.communities.default"] = "#communities#"
+        if "parent.communities.ids" in ret:
+            ret["parent.communities.ids"] = "#communities#"
+        return ret
+    return x
+
+
+def get_opensearch_caller():
+    # Get the current call stack
+    stack = inspect.stack()
+    # Extract function names from the stack frames
+    function_names = []
+    state = "skipping_to_opensearch"
+    for frame in stack:
+        module_name = frame.frame.f_globals["__name__"]
+        if state == "skipping_to_opensearch":
+            if module_name.startswith("opensearch_dsl.") or module_name.startswith(
+                "oarepo_runtime.info"
+            ):
+                state = "found_opensearch"
+        if state == "found_opensearch":
+            if not module_name.startswith(
+                "opensearch_dsl."
+            ) and not module_name.startswith("oarepo_runtime.info"):
+                state = "outside_opensearch"
+        if state == "outside_opensearch":
+            if frame.function == "<lambda>":
+                continue
+            if "self" in frame.frame.f_locals:
+                self_instance = frame.frame.f_locals["self"]
+                class_name = self_instance.__class__.__name__
+                function_names.append(
+                    f"{class_name}.{frame.function} @ {frame.filename}:{frame.lineno}"
+                )
+            else:
+                function_names.append(
+                    f"{frame.function} @ {frame.filename}:{frame.lineno}"
+                )
+        del frame
+
+    return function_names
+
+
+def add_debugging(print_needs=True, print_excludes=True, print_search=True):
+    for generator in get_all_generators():
+        if issubclass(generator, ConditionalGenerator):
+            generator.to_debug_dict = conditional_generator_to_debug_dict
+        else:
+            generator.to_debug_dict = generator_to_debug_dict
+        if print_needs and not hasattr(generator.needs, "__is_debug_instrumented__"):
+            generator.needs = debug_needs_output(generator, "needs")
+            generator.needs.__is_debug_instrumented__ = True
+        if print_excludes and not hasattr(
+            generator.excludes, "__is_debug_instrumented__"
+        ):
+            generator.excludes = debug_needs_output(generator, "excludes")
+            generator.excludes.__is_debug_instrumented__ = True
+
+        if hasattr(generator, "query_filters"):
+            if not hasattr(generator.query_filters, "__is_debug_instrumented__"):
+                generator.query_filters = debug_search_output(
+                    generator, "query_filters", print_search
+                )
+                generator.query_filters.__is_debug_instrumented__ = True
+        if hasattr(generator, "query_filter"):
+            if not hasattr(generator.query_filter, "__is_debug_instrumented__"):
+                generator.query_filter = debug_search_output(
+                    generator, "query_filter", print_search
+                )
+                generator.query_filter.__is_debug_instrumented__ = True
+    # try to add _name to queries
+    from opensearch_dsl.query import Query
+
+    previous_init = Query.__init__
+
+    def new_init(self, *args, **kwargs):
+        previous_init(self, *args, **kwargs)
+        self._params["_name"] = get_opensearch_caller()[0]
+
+    Query.__init__ = new_init

oarepo_runtime/services/config/permissions_presets.py

@@ -80,6 +80,11 @@ class ReadOnlyPermissionPolicy(RecordPermissionPolicy):
     can_add_community = [SystemProcess()]
     can_remove_community = [SystemProcess()]
 
+    can_read_deleted = [SystemProcess()]
+    can_manage_record_access = [SystemProcess()]
+    can_lift_embargo = [SystemProcess()]
+
+
 
 class EveryonePermissionPolicy(RecordPermissionPolicy):
     """record policy for read only repository"""
@@ -119,12 +124,17 @@ class EveryonePermissionPolicy(RecordPermissionPolicy):
     can_add_community = [SystemProcess(), AnyUser()]
     can_remove_community = [SystemProcess(), AnyUser()]
 
+    can_read_deleted = [SystemProcess(), AnyUser()]
+    can_manage_record_access = [SystemProcess(), AnyUser()]
+    can_lift_embargo = [SystemProcess(), AnyUser()]
+
 
 class AuthenticatedPermissionPolicy(RecordPermissionPolicy):
     """record policy for read only repository"""
 
     can_search = [SystemProcess(), AuthenticatedUser()]
     can_read = [SystemProcess(), AnyUser()]
+    can_read_deleted = [SystemProcess(), AnyUser()]
     can_create = [SystemProcess(), AuthenticatedUser()]
     can_update = [SystemProcess(), AuthenticatedUser()]
     can_delete = [SystemProcess(), AuthenticatedUser()]
@@ -136,7 +146,6 @@ class AuthenticatedPermissionPolicy(RecordPermissionPolicy):
     can_commit_files = [SystemProcess(), AuthenticatedUser()]
     can_read_files = [SystemProcess(), AnyUser()]
     can_update_files = [SystemProcess(), AuthenticatedUser()]
-    can_delete_files = [SystemProcess(), AuthenticatedUser()]
     can_list_files = [SystemProcess(), AuthenticatedUser()]
     can_manage_files = [SystemProcess(), AuthenticatedUser()]
 
@@ -157,3 +166,7 @@ class AuthenticatedPermissionPolicy(RecordPermissionPolicy):
 
     can_add_community = [SystemProcess(), AuthenticatedUser()]
     can_remove_community = [SystemProcess(), AuthenticatedUser()]
+
+    can_delete_files = [SystemProcess(), AuthenticatedUser()]
+    can_manage_record_access = [SystemProcess(), AuthenticatedUser()]
+    can_lift_embargo = [SystemProcess(), AuthenticatedUser()]

oarepo_runtime/services/custom_fields/mappings.py

@@ -121,6 +121,9 @@ def prepare_parent_mapping(parent_class, config):
     if not parent_class:
         return
 
+    if not config.record_cls.index._name:
+        return
+
     script_dir = str(Path(__file__).resolve().parent)
     path_parts = script_dir.split('/')
     path_parts = path_parts[:-2]

oarepo_runtime/services/facets/params.py

@@ -1,5 +1,7 @@
 import copy
 import logging
+import operator
+from functools import partial, reduce
 from typing import List
 
 from flask import current_app
@@ -8,6 +10,12 @@ from invenio_access.permissions import system_user_id
 from invenio_app.helpers import obj_or_import_string
 from invenio_records_resources.services.records.facets import FacetsResponse
 from invenio_records_resources.services.records.params import FacetsParam
+from invenio_access.permissions import authenticated_user
+from invenio_records_resources.services.records.params.base import ParamInterpreter
+from invenio_search.engine import dsl
+from invenio_rdm_records.records.systemfields.deletion_status import (
+    RecordDeletionStatusEnum,
+)
 
 log = logging.getLogger(__name__)
 
@@ -96,7 +104,7 @@ class GroupedFacetsParam(FacetsParam):
         for f in filters[1:]:
             _filter &= f
 
-        return search.filter(_filter)
+        return search.filter(_filter).post_filter(_filter)
 
     def apply(self, identity, search, params):
         """Evaluate the facets on the search."""
@@ -129,3 +137,56 @@ class GroupedFacetsParam(FacetsParam):
         for group in groups:
             user_facets.update(self.facet_groups.get(group, {}))
         return user_facets
+
+
+class OARepoAllVersionsParam(ParamInterpreter):
+    """Evaluates the 'allversions' parameter."""
+    def __init__(self, field_names, config):
+        """Construct."""
+        self.field_names = field_names
+        super().__init__(config)
+
+    @classmethod
+    def factory(cls, field_names: list[str]):
+        """Create a new filter parameter."""
+        return partial(cls, field_names)
+
+    def apply(self, identity, search, params):
+        """Evaluate the allversions parameter on the search."""
+        if not params.get("allversions"):
+            queries = [dsl.query.Q("term", **{field_name: True}) for field_name in self.field_names]
+            query = reduce(operator.or_, queries)
+            search = search.filter(query)
+        return search
+
+class OARepoPublishedRecordsParam(ParamInterpreter):
+    """Evaluates the include_deleted parameter."""
+
+    def apply(self, identity, search, params):
+        """Evaluate the include_deleted parameter on the search."""
+
+        value = params.pop("include_deleted", None)
+        # Filter prevents from displaying deleted records on mainsite search
+        # deleted records should appear only in admins panel
+        if value is None:
+            query = dsl.query.Q(
+                "bool",
+                should=[
+                    dsl.query.Q(
+                        "bool",
+                        must=[
+                            dsl.query.Q(
+                                "term",
+                                deletion_status=RecordDeletionStatusEnum.PUBLISHED.value,
+                            )
+                        ],
+                    ),
+                    # Drafts does not have deletion_status so this clause is needed to
+                    # prevent the above clause from filtering out the drafts
+                    dsl.query.Q(
+                        "bool", must_not=[dsl.query.Q("exists", field="deletion_status")]
+                    ),
+                ],
+            )
+            search = search.filter(query)
+        return search

oarepo_runtime/services/schema/ui.py

@@ -11,6 +11,7 @@ from invenio_rdm_records.records.systemfields.access.field.record import (
 from invenio_rdm_records.resources.serializers.ui.fields import (
     UIObjectAccessStatus as InvenioUIObjectAccessStatus,
 )
+from invenio_rdm_records.services.schemas.versions import VersionsSchema
 from marshmallow_utils.fields import (
     BabelGettextDictField,
     FormatDate,
@@ -181,6 +182,7 @@ class AccessStatusField(ma.fields.Field):
 class InvenioRDMUISchema(InvenioUISchema, RDMBaseRecordSchema):
     is_draft = ma.fields.Boolean(dump_only=True)
     access_status = AccessStatusField(attribute="access", dump_only=True)
+    versions = ma.fields.Nested(VersionsSchema, dump_only=True)
 
     def hide_tombstone(self, data):
         """Hide tombstone info if the record isn't deleted and metadata if it is."""

oarepo_runtime/services/search.py

@@ -10,6 +10,7 @@ from invenio_records_resources.proxies import current_service_registry
 from invenio_records_resources.services.records import (
     SearchOptions as InvenioSearchOptions,
 )
+from invenio_drafts_resources.services.records.config import SearchDraftsOptions as InvenioSearchDraftsOptions
 from invenio_records_resources.services.records.params import (
     FacetsParam,
     PaginationParam,
@@ -18,14 +19,16 @@ from invenio_records_resources.services.records.params import (
 )
 from invenio_records_resources.services.records.queryparser import SuggestQueryParser
 from invenio_search.engine import dsl
-
+from invenio_drafts_resources.services.records.search_params import AllVersionsParam
 # TODO: integrate this to invenio_records_resources.services.records and remove SearchOptions class
 from oarepo_runtime.i18n import lazy_gettext as _
 from oarepo_runtime.records.systemfields.icu import ICUSuggestField
 from oarepo_runtime.utils.functools import class_property
 
-from .facets.params import GroupedFacetsParam
-
+from .facets.params import GroupedFacetsParam, OARepoAllVersionsParam, OARepoPublishedRecordsParam
+from invenio_drafts_resources.services.records.search_params import AllVersionsParam
+from invenio_rdm_records.services.search_params import PublishedRecordsParam
+from functools import partial
 try:
     from invenio_i18n import get_locale
 except ImportError:
@@ -57,11 +60,19 @@ class SearchOptionsMixin:
     @class_property
     def params_interpreters_cls(cls):
         """Replaces FacetsParam with GroupedFacetsParam."""
+        params_replace_map = {FacetsParam: GroupedFacetsParam, AllVersionsParam:
+            OARepoAllVersionsParam.factory(["versions.is_latest", "versions.is_latest_draft"]),
+                              PublishedRecordsParam: OARepoPublishedRecordsParam}
+
         param_interpreters = [*super(SearchOptionsMixin, cls).params_interpreters_cls]
         # replace FacetsParam with GroupedFacetsParam
         for idx, interpreter in enumerate(param_interpreters):
-            if interpreter == FacetsParam:
-                param_interpreters[idx] = GroupedFacetsParam
+            if interpreter in params_replace_map:
+                param_interpreters[idx] = params_replace_map[interpreter]
+            elif isinstance(interpreter, partial):
+                fn = interpreter.func
+                if fn in params_replace_map:
+                    param_interpreters[idx] = params_replace_map[fn]
         return param_interpreters
 
     sort_options = {
@@ -113,6 +124,7 @@ class SearchOptionsDraftMixin(SearchOptionsMixin):
     }
 
 
+
 class SearchOptions(SearchOptionsMixin, InvenioSearchOptions):
     # TODO: should be changed
     params_interpreters_cls = [
@@ -122,6 +134,16 @@ class SearchOptions(SearchOptionsMixin, InvenioSearchOptions):
         GroupedFacetsParam,
     ]
 
+class SearchDraftsOptions(SearchOptionsMixin, InvenioSearchDraftsOptions):
+    # TODO: should be changed
+    params_interpreters_cls = [
+        QueryStrParam,
+        PaginationParam,
+        SortParam,
+        GroupedFacetsParam,
+        AllVersionsParam.factory("versions.is_latest_draft")
+    ]
+
 
 class RDMSearchOptions(SearchOptionsMixin, BaseRDMSearchOptions):
     pass

{oarepo_runtime-1.5.97.dist-info → oarepo_runtime-1.5.100.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: oarepo-runtime
-Version: 1.5.97
+Version: 1.5.100
 Summary: A set of runtime extensions of Invenio repository
 Description-Content-Type: text/markdown
 License-File: LICENSE

{oarepo_runtime-1.5.97.dist-info → oarepo_runtime-1.5.100.dist-info}/RECORD

@@ -5,7 +5,7 @@ oarepo_runtime/profile.py,sha256=QzrQoZncjoN74ZZnpkEKakNk08KCzBU7m6y42RN8AMY,163
 oarepo_runtime/proxies.py,sha256=NN_WNj1xuKc-OveoZmzvTFlUonNjSmLIGsv_JUcHGls,285
 oarepo_runtime/tasks.py,sha256=AciXN1fUq6tzfzNSICh1S6XoHGWiuH76bUqXyzTsOPU,140
 oarepo_runtime/uow.py,sha256=iyF3R2oCPSVUu38GXoxZallgRD-619q1fWTb8sSaeyQ,4412
-oarepo_runtime/cli/__init__.py,sha256=daAODgUAB9Nb0O0Kg8vSgJIPKJm92EHMTRuoKwxBCug,373
+oarepo_runtime/cli/__init__.py,sha256=e175jnb1xQlPgMhhgihn3y-lkmlqcMFCnJvQNMZ_fgs,429
 oarepo_runtime/cli/assets.py,sha256=ZG80xIOKch7rsU_7QlvZxBQAXNQ9ow5xLsUREsl5MEE,4076
 oarepo_runtime/cli/base.py,sha256=94RBTa8TOSPxEyEUmYLGXaWen-XktP2-MIbTtZSlCZo,544
 oarepo_runtime/cli/cf.py,sha256=W0JEJK2JqKubQw8qtZJxohmADDRUBode4JZAqYLDGvc,339
@@ -14,6 +14,11 @@ oarepo_runtime/cli/configuration.py,sha256=_iMmESs2dd1Oif95gxgpnkSxc13ymwr82_sTJ
 oarepo_runtime/cli/fixtures.py,sha256=l6zHpz1adjotrbFy_wcN2TOL8x20i-1jbQmaoEEo-UU,5419
 oarepo_runtime/cli/index.py,sha256=KH5PArp0fCNbgJI1zSz0pb69U9eyCdnJuy0aMIgf2tg,8685
 oarepo_runtime/cli/validate.py,sha256=HpSvHQCGHlrdgdpKix9cIlzlBoJEiT1vACZdMnOUGEY,2827
+oarepo_runtime/cli/permissions/__init__.py,sha256=2qufYdUoCb9kG7Zy0gKNW5lpRyqbVQSNsf7shLwrThM,198
+oarepo_runtime/cli/permissions/base.py,sha256=USzA5LNFPpR7tvM_uan70GI7oO6FrGlHzODU_Z4Tl6c,744
+oarepo_runtime/cli/permissions/evaluate.py,sha256=gxkHySd1vM7lSjR-xXzcACkCKDYurl5c567Kq5FVzpM,2086
+oarepo_runtime/cli/permissions/list.py,sha256=TYntLPqHGCcs73FzHX-nEnh-2TtUoNwRN8aJ5358xE4,9853
+oarepo_runtime/cli/permissions/search.py,sha256=2e1NHxNk72T93U3eB6BDoSr-qL_O6aySujw0YB4OQmE,3528
 oarepo_runtime/datastreams/__init__.py,sha256=_i52Ek9J8DMARST0ejZAZPzUKm55xrrlKlCSO7dl6y4,1008
 oarepo_runtime/datastreams/asynchronous.py,sha256=JwT-Hx6P7KwV0vSJlxX6kLSIX5vtsekVsA2p_hZpJ_U,7402
 oarepo_runtime/datastreams/catalogue.py,sha256=D6leq-FPT3RP3SniEAXPm66v3q8ZdQnaUYJ5XM0dIFY,5021
@@ -44,6 +49,8 @@ oarepo_runtime/i18n/__init__.py,sha256=h0knW_HwiyIt5TBHfdGqN7_BBYfpz1Fw6zhVy0C28
 oarepo_runtime/info/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 oarepo_runtime/info/check.py,sha256=6O5Wjsdorx4eqiBiPU3z33XhCiwPTO_FGkzMDK7UH6I,3049
 oarepo_runtime/info/views.py,sha256=5ygLgiZilk33OhrnB0h83-MG6K8nsmJFOiJaTBQc43c,21070
+oarepo_runtime/info/permissions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+oarepo_runtime/info/permissions/debug.py,sha256=2gak5W64g_AAZoX8cCII2di4G_jBo1ZvnU5ceP_u6z4,6722
 oarepo_runtime/records/__init__.py,sha256=JUf9_o09_6q4vuG43JzhSeTu7c-m_CVDSmgTQ7epYEo,1776
 oarepo_runtime/records/dumpers/__init__.py,sha256=OmzNhLdMNKibmCksnj9eTX9xPBG30dziiK3j3bAAp3k,233
 oarepo_runtime/records/dumpers/edtf_interval.py,sha256=YCShZAoqBQYaxVilEVotS-jXZsxxoXO67yu2urhkaMA,1198
@@ -76,13 +83,13 @@ oarepo_runtime/services/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG
 oarepo_runtime/services/components.py,sha256=QKrdFmroE1hSrRjRkqinynCTb0KSqBhytTb9FoY0OEE,11023
 oarepo_runtime/services/generators.py,sha256=j87HitHA_w2awsz0C5IAAJ0qjg9JMtvdO3dvh6FQyfg,250
 oarepo_runtime/services/results.py,sha256=Ap2mUJHl3V4BSduTrBWPuco0inQVq0QsuCbVhez48uY,5705
-oarepo_runtime/services/search.py,sha256=mUycojDo26p54ZZPqXcXmdhUrzAP_eKCWls2XYJSM6c,8186
+oarepo_runtime/services/search.py,sha256=t0WEe2VrbCzZ06-Jgz7C9-pc9y27BqAgTEXldEHskfk,9409
 oarepo_runtime/services/config/__init__.py,sha256=559w4vphVAipa420OwTsxGUP-b7idoqSIX13FSJyVz0,783
 oarepo_runtime/services/config/link_conditions.py,sha256=evPRd5XU76Ok4J-08bBfplbHZ019rl74FpJmO8iM5yg,3298
-oarepo_runtime/services/config/permissions_presets.py,sha256=YF99Vjh1fGqSEXNw7qIfcUQFvzpE54_BafqkO6wlYHk,6668
+oarepo_runtime/services/config/permissions_presets.py,sha256=jV3Ft7xFdBaeShoa3Q3Q-HHWP-wOX4XYDTRzWwUVL7g,7151
 oarepo_runtime/services/config/service.py,sha256=s-dVbGkLICpsce6jgu7b5kzYFz9opWjSQFDBgbIhKio,4002
 oarepo_runtime/services/custom_fields/__init__.py,sha256=_gqMcA_I3rdEZcBtCuDjO4wdVCqFML5NzaccuPx5a3o,2565
-oarepo_runtime/services/custom_fields/mappings.py,sha256=Y1d0s9lG_VThkzSNlxAS94_9eOFZe9N2C1hpYDZvnvI,7457
+oarepo_runtime/services/custom_fields/mappings.py,sha256=3CIvjWzVRO3fZ2r-3taK1rwuLH9wj5Lguo-GvsbLBf4,7515
 oarepo_runtime/services/entity/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 oarepo_runtime/services/entity/config.py,sha256=1jfdPrxSbMuKj7eOUNKRWTCPbBPyRV6MrWE4Vgf9rX0,399
 oarepo_runtime/services/entity/schema.py,sha256=8TBpUFRITaBO7qCMz36cly1Hj4I1nLa9PeSAfWSa2YM,157
@@ -97,7 +104,7 @@ oarepo_runtime/services/facets/enum.py,sha256=3LrShQIt9Vt5mkqUkc6FNxXCW5JEFdPwtG
 oarepo_runtime/services/facets/facet_groups_names.py,sha256=RR8eeUmD8d9t966JqfhslZnILn_xDSfYlL0hjyJT92Y,468
 oarepo_runtime/services/facets/max_facet.py,sha256=TZ4KMKKVJHzyU1KgNne4V7IMQPu1ALRpkz61Y0labrc,407
 oarepo_runtime/services/facets/nested_facet.py,sha256=y0xgjx37HsSj2xW7URxNemYTksD8hpPs7kOEfIBw22k,971
-oarepo_runtime/services/facets/params.py,sha256=IiRKbR0jIm67hucj3fINosUAysZQSSKqhusEXXub-hA,4194
+oarepo_runtime/services/facets/params.py,sha256=270La-A9582aDF3D4_bMSLWv4VsPeMiqbb9jA301Q5w,6585
 oarepo_runtime/services/facets/year_histogram.py,sha256=kdfwx1lgw4UmfjdaqqeElJCB8rAduMH2hy42aZjY37w,6257
 oarepo_runtime/services/files/__init__.py,sha256=K8MStrEQf_BUhvzhwPTF93Hkhwrd1dtv35LDo7iZeTM,268
 oarepo_runtime/services/files/components.py,sha256=x6Wd-vvkqTqB1phj2a6h42DNQksN8PuR2XKaOGoNHfw,2400
@@ -120,7 +127,7 @@ oarepo_runtime/services/schema/marshmallow_to_json_schema.py,sha256=VYLnVWHOoaxW
 oarepo_runtime/services/schema/oneofschema.py,sha256=GnWH4Or_G5M0NgSmCoqMI6PBrJg5AC9RHrcB5QDKRq0,6661
 oarepo_runtime/services/schema/polymorphic.py,sha256=bAbUoTIeDBiJPYPhpLEKKZekEdkHlpqkmNxk1hN3PDw,564
 oarepo_runtime/services/schema/rdm.py,sha256=4gi44LIMWS9kWcZfEoHaJSq585qfZfMuUYM5IvL1nQo,531
-oarepo_runtime/services/schema/ui.py,sha256=qS9ZnKlo1xib8VJe3uFEff8mCQF5qtjoyOqfa0xOT70,6055
+oarepo_runtime/services/schema/ui.py,sha256=hHbj1S-DW1WqgYX31f6UjarY4wrE-qFLpH3oUhvGLyE,6192
 oarepo_runtime/services/schema/validation.py,sha256=VFOKSxQLHwFb7bW8BJAFXWe_iTAZFOfqOnb2Ko_Yxxc,2085
 oarepo_runtime/translations/default_translations.py,sha256=060GBlA1ghWxfeumo6NqxCCZDb-6OezOuF6pr-_GEOQ,104
 oarepo_runtime/translations/messages.pot,sha256=wr1vDKjsngqS9e5zQmSAsF3qUAtpQ41SUXwzEKRCnWw,2406
@@ -135,9 +142,9 @@ tests/marshmallow_to_json/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJW
 tests/marshmallow_to_json/test_datacite_ui_schema.py,sha256=82iLj8nW45lZOUewpWbLX3mpSkpa9lxo-vK-Qtv_1bU,48552
 tests/marshmallow_to_json/test_simple_schema.py,sha256=izZN9p0v6kovtSZ6AdxBYmK_c6ZOti2_z_wPT_zXIr0,1500
 tests/pkg_data/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-oarepo_runtime-1.5.97.dist-info/LICENSE,sha256=h2uWz0OaB3EN-J1ImdGJZzc7yvfQjvHVYdUhQ-H7ypY,1064
-oarepo_runtime-1.5.97.dist-info/METADATA,sha256=Od7dJAVmd0ukZLCwWRo486I-ymuFjovPPO57ZeoFsrM,4720
-oarepo_runtime-1.5.97.dist-info/WHEEL,sha256=In9FTNxeP60KnTkGw7wk6mJPYd_dQSjEZmXdBdMCI-8,91
-oarepo_runtime-1.5.97.dist-info/entry_points.txt,sha256=k7O5LZUOGsVeSpB7ulU0txBUNp1CVQG7Q7TJIVTPbzU,491
-oarepo_runtime-1.5.97.dist-info/top_level.txt,sha256=bHhlkT1_RQC4IkfTQCqA3iN4KCB6cSFQlsXpQMSP-bE,21
-oarepo_runtime-1.5.97.dist-info/RECORD,,
+oarepo_runtime-1.5.100.dist-info/LICENSE,sha256=h2uWz0OaB3EN-J1ImdGJZzc7yvfQjvHVYdUhQ-H7ypY,1064
+oarepo_runtime-1.5.100.dist-info/METADATA,sha256=Pv0Sq-lTvfpaoq3baSsGxFfNWXpeMwEQQexb16JrSeQ,4721
+oarepo_runtime-1.5.100.dist-info/WHEEL,sha256=In9FTNxeP60KnTkGw7wk6mJPYd_dQSjEZmXdBdMCI-8,91
+oarepo_runtime-1.5.100.dist-info/entry_points.txt,sha256=k7O5LZUOGsVeSpB7ulU0txBUNp1CVQG7Q7TJIVTPbzU,491
+oarepo_runtime-1.5.100.dist-info/top_level.txt,sha256=bHhlkT1_RQC4IkfTQCqA3iN4KCB6cSFQlsXpQMSP-bE,21
+oarepo_runtime-1.5.100.dist-info/RECORD,,