1792 superuser can search all #75
Conversation
|
Dropping that in the back office project board given @ntarocco is saying you are having a hard time tracking open pull requests https://discord.com/channels/692989811736182844/704625518552547329/1009003421023617074 |
| """ | ||
| query_filters = permission.query_filters if permission is not None else [] | ||
| query_filters = query_filters or [Q()] | ||
| return reduce(lambda f1, f2: f1 | f2, query_filters) |
There was a problem hiding this comment.
This keeps the same functionality as before while fixing the bug.
It is a little strange that our default is MatchAll() but it has worked so far. I was looking for an no-op Query() but no luck.
There was a problem hiding this comment.
question (making sure I got it). The case that was breaking is when permission is not None, but permission.query_filters = [] then it was returning None instead of [Q()]?
There was a problem hiding this comment.
It looks like the case, given the tests
| identity_provides = identity.provides if identity else set() | ||
| if superuser_needs & identity_provides: | ||
| filters.append(Q("match_all")) | ||
|
|
There was a problem hiding this comment.
This assumes that the way to set a superuser is via the setup of ActionRole or ActionUser... This is how needs and excludes get it, so the same mechanism is used, but it's surprising that it's not just a check for the superuser_access Need directly. I remember some vague performance considerations, but I don't understand how checking for this one Need isn't performant enough... 🤔
To be candid, permissions are hard and it would be worth revisiting some of our mechanics. See thread starting here: https://discord.com/channels/692989811736182844/724974365451747329/1007312461831094404
tests/conftest.py
Outdated
| logout_user() | ||
| identity.provides.add(Need(method="role", value="superuser-access")) | ||
|
|
||
| return identity |
There was a problem hiding this comment.
Not pleasant, but it works...
fenekku
force-pushed
the
1792_superuser_can_search_all
branch
from
99eada9
to
68efddf
Compare
|
Hi, can I get a status update on this PR? Our librarians (admins) can't effectively review restricted records without it. |
|
@fenekku is this needed for RDM v9? Could you please rebase it? |
superuser-access logic was already injected in Permission.needs/excludes, but was missing from query_filters. This caused searches by superusers to not return all records, even though all records can be seen by superusers. closes inveniosoftware/invenio-app-rdm#1792
There was a problem (a form of Liskov violation) with permission_filter where None would be returned if query_filters returned []. This would break the search. Now, that issue is solved, permission_filter is tested, and refactored a little. A better refactoring IMO would place the permission_filter code in Permission.query_filters directly and remove the need for search to call this dangling function.
fenekku
force-pushed
the
1792_superuser_can_search_all
branch
from
68efddf
to
4621b35
Compare
fenekku
force-pushed
the
1792_superuser_can_search_all
branch
from
4621b35
to
440f001
Compare
|
Rebase done. Yes we want it for v9 too. |
|
@fenekku can you please review my last commit in this PR? |
ntarocco
force-pushed
the
1792_superuser_can_search_all
branch
from
150f53f
to
f5daa52
Compare
- Remove SuperUser generator, which is not needed anymore, given that needs are already added by invenio-access and search is granted by the new query_filters implementation. - Improve tests code.
ntarocco
force-pushed
the
1792_superuser_can_search_all
branch
from
f5daa52
to
49d2608
Compare
|
@fenekku I am merging this so we can continue with OpenSearch v2 and I am preparing the new commit to backport. |
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
|
For this PR per se:
For the rest, I will contact you directly. |
|
Thank you for your feedback:
|
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
* commit copied from #75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
permission: inject superuser-access logic in query_filter [+]
superuser-access logic was already injected in Permission.needs/excludes, but
was missing from query_filters. This caused searches by superusers to not
return all records, even though all records can be seen by superusers.
closes Super user REST API search doesn't return restricted records/communities invenio-app-rdm#1792
permission_filter: fix empty query_filters bug, test and refactor
There was a problem (a form of Liskov violation) with permission_filter where
Nonewould be returned if query_filters returned []. This would break the search.Now, that issue is solved, permission_filter is tested, and refactored a little.
A better refactoring IMO would place the permission_filter code in Permission.query_filters
directly and remove the need for search to call this dangling function. If you agree I can create a ticket for this.