-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
1792 superuser can search all #75
1792 superuser can search all #75
Conversation
Dropping that in the back office project board given @ntarocco is saying you are having a hard time tracking open pull requests https://discord.com/channels/692989811736182844/704625518552547329/1009003421023617074 |
""" | ||
query_filters = permission.query_filters if permission is not None else [] | ||
query_filters = query_filters or [Q()] | ||
return reduce(lambda f1, f2: f1 | f2, query_filters) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This keeps the same functionality as before while fixing the bug.
It is a little strange that our default is MatchAll() but it has worked so far. I was looking for an no-op Query() but no luck.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question (making sure I got it). The case that was breaking is when permission is not None
, but permission.query_filters = []
then it was returning None
instead of [Q()]
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like the case, given the tests
identity_provides = identity.provides if identity else set() | ||
if superuser_needs & identity_provides: | ||
filters.append(Q("match_all")) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This assumes that the way to set a superuser is via the setup of ActionRole or ActionUser... This is how needs and excludes get it, so the same mechanism is used, but it's surprising that it's not just a check for the superuser_access
Need directly. I remember some vague performance considerations, but I don't understand how checking for this one Need isn't performant enough... 🤔
To be candid, permissions are hard and it would be worth revisiting some of our mechanics. See thread starting here: https://discord.com/channels/692989811736182844/724974365451747329/1007312461831094404
tests/conftest.py
Outdated
logout_user() | ||
identity.provides.add(Need(method="role", value="superuser-access")) | ||
|
||
return identity |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not pleasant, but it works...
99eada9
to
68efddf
Compare
Hi, can I get a status update on this PR? Our librarians (admins) can't effectively review restricted records without it. |
@fenekku is this needed for RDM v9? Could you please rebase it? |
superuser-access logic was already injected in Permission.needs/excludes, but was missing from query_filters. This caused searches by superusers to not return all records, even though all records can be seen by superusers. closes inveniosoftware/invenio-app-rdm#1792
There was a problem (a form of Liskov violation) with permission_filter where None would be returned if query_filters returned []. This would break the search. Now, that issue is solved, permission_filter is tested, and refactored a little. A better refactoring IMO would place the permission_filter code in Permission.query_filters directly and remove the need for search to call this dangling function.
68efddf
to
4621b35
Compare
4621b35
to
440f001
Compare
Rebase done. Yes we want it for v9 too. |
@fenekku can you please review my last commit in this PR? |
150f53f
to
f5daa52
Compare
- Remove SuperUser generator, which is not needed anymore, given that needs are already added by invenio-access and search is granted by the new query_filters implementation. - Improve tests code.
f5daa52
to
49d2608
Compare
@fenekku I am merging this so we can continue with OpenSearch v2 and I am preparing the new commit to backport. |
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
For this PR per se:
For the rest, I will contact you directly. |
Thank you for your feedback:
|
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
* commit copied from inveniosoftware#75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
* commit copied from #75 * closes #1792 Co-Authored-by: Guillaume Viger <fenekku@fenekku.com>
permission: inject superuser-access logic in query_filter [+]
superuser-access logic was already injected in Permission.needs/excludes, but
was missing from query_filters. This caused searches by superusers to not
return all records, even though all records can be seen by superusers.
closes Super user REST API search doesn't return restricted records/communities invenio-app-rdm#1792
permission_filter: fix empty query_filters bug, test and refactor
There was a problem (a form of Liskov violation) with permission_filter where
None
would be returned if query_filters returned []. This would break the search.Now, that issue is solved, permission_filter is tested, and refactored a little.
A better refactoring IMO would place the permission_filter code in Permission.query_filters
directly and remove the need for search to call this dangling function. If you agree I can create a ticket for this.