guest user and records in restricted collection (invenio 1.2) #3638

Open
martinkoehler opened this issue Jun 15, 2016 · 4 comments
@martinkoehler

martinkoehler commented Jun 15, 2016

There seems to be a bug in Invenio 1.2.
When a record is in a public collection in the global collection tree and in a restricted collection, where the latter is not in the collection tree but guest is allowed to see records in this collection, this record will not be displayed in search.
How to reproduce:

  • Enable `CFG_WEBSEARCH_VIEWRESTRCOLL_POLICY = ANY`
  • Define a public collection in the collection tree (e.g. Public)
  • Define a restricted collection outside the collection tree (e.g. Unrestricted) with FireRole viewrestrcoll allow any
  • Put a record in both collections
    Now the guest user should be able to view the record
  • Search for the record as guest user
    The record is not displayed

This seemed to be due to a "shortcut" in webuser.py and search_engine.py.
A quick fix is:
in webuser.py

1393,1395d1392
< else: # guest user
< user_info['precached_permitted_restricted_collections'] = get_permitted_restricted_collections(user_info)
< 
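Review bot: the webuser.py diff is reversed. `1393,1395d1392` with `<` lines describes deleting the `else: # guest user` branch, while the surrounding text presents it as the code to add. Regenerate it with the unmodified file as the first argument, ideally as a unified diff with context, so it applies in the intended direction and shows which `if` this `else` pairs with; the indentation of the assignment under `else:` is also lost here and needs restoring.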

Which ensures that the user object of the guest user gets a possibly non-empty precached_permitted_restricted_collections.

In search_engine.py the code wrongly assumes that for a guest user precached_permitted_restricted_collections is always empty.
A fix here:


<             permitted_restricted_collections = []
<             ## For guest users that are actually authorized to some restricted
<             ## collection (by virtue of the IP address in a FireRole rule)
<             ## we explicitly build the list of permitted_restricted_collections

---
>             permitted_restricted_collections =  user_info.get('precached_permitted_restricted_collections', [])
>             # For guest users that are actually authorized to some restricted
>             # collection (by virtue of the IP address in a FireRole rule)
>             # we explicitly build the list of permitted_restricted_collections and we make sure that these are used in the search engine`
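Review bot: on the new assignment line, `user_info.get('precached_permitted_restricted_collections', [])` returns the list object stored in `user_info`, so if the loop that calls `permitted_restricted_collections.append(coll)` still runs after it, that loop mutates the precached list and can append collections that are already in it. Take a copy, e.g. `list(user_info.get('precached_permitted_restricted_collections', []))`, and skip entries that are already present. The last `>` comment line also ends in a stray backtick and runs far past the other comment lines, and the hunk is missing its line-range header.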

Note:
The code

    for coll in colls:
        if collection_restricted_p(coll) and (acc_authorize_action(user_info, 'viewrestrcoll', collection=coll)[0] == 0):
            permitted_restricted_collections.append(coll)

is not enough, since e.g. the restricted collection "Unrestricted" is not in colls

@tiborsimko and @kaplun: Does it help if I prepare a pull request for this fix?
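The reproduction above as an added example (not part of the original issue and not Invenio code): a simplified set-based model of the `ANY` policy that contrasts building the guest's permitted list from the searched collections only with building it from every restricted collection. All names, record ids and the filtering function are assumptions made for illustration.

```python
# Simplified model of the visibility check discussed in this issue.
# All names and data are constructed; this is not Invenio's implementation.

# Collection -> record ids. "Public" is in the collection tree; "Unrestricted"
# is restricted but lives outside the tree, as in the reproduction steps.
RECLIST = {"Public": {1, 2}, "Unrestricted": {2}, "Secret": {3}}
RESTRICTED = {"Unrestricted", "Secret"}
# Stand-in for the FireRole rule that lets guests view "Unrestricted".
GUEST_MAY_VIEW = {"Unrestricted"}


def permitted_from_scope(colls):
    """Shortcut path: only the collections being searched are tested."""
    return {c for c in colls if c in RESTRICTED and c in GUEST_MAY_VIEW}


def permitted_precached():
    """Fixed path: every restricted collection is tested, in the tree or not."""
    return {c for c in RESTRICTED if c in GUEST_MAY_VIEW}


def visible(hits, permitted, policy="ANY"):
    """Drop hits that sit in a restricted collection the user may not view."""
    denied = set().union(*(RECLIST[c] for c in RESTRICTED - permitted))
    shown = hits - denied
    if policy == "ANY":
        # One permitted restricted collection is enough to show the record.
        for c in permitted:
            shown |= hits & RECLIST[c]
    return shown


def guest_search(colls, use_precached):
    """Search the given collections as guest, with or without the fix."""
    hits = set().union(*(RECLIST[c] for c in colls))
    if use_precached:
        permitted = permitted_precached()
    else:
        permitted = permitted_from_scope(colls)
    return visible(hits, permitted)


if __name__ == "__main__":
    print("shortcut:", guest_search(["Public"], use_precached=False))
    print("fixed:   ", guest_search(["Public"], use_precached=True))
```

Record 2 is in both "Public" and "Unrestricted"; it disappears on the shortcut path because "Unrestricted" is never among the searched collections, while record 3 stays hidden on both paths.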

@rthieledesy

After the changes, is the flag on the left side --"Restricted"-- also correct?

@martinkoehler
Author

martinkoehler commented Jun 15, 2016

The flag is there:
It is a consequence of #867
IMHO it should honor record_public_p as well (e.g.
786+ if (get_restricted_collections_for_recid(recid, recreate_cache_if_needed=False) and not record_public_p(recid)):
NB: record_public_p must of course be imported again above

@aw-bib
Contributor

aw-bib commented Jun 17, 2016

It seems at least closely related to, if not a dupe of, #3619

@tiborsimko tiborsimko added this to the v1.2.2 milestone Jun 19, 2016
@tiborsimko tiborsimko self-assigned this Jun 19, 2016
aw-bib pushed a commit to aw-bib/invenio that referenced this issue Jun 21, 2016
- webuser.py
  Calculate allowed records by
  `get_permitted_restricted_collections(user_info)` for guest users
  also.
- search_engine.py:
  honor `precached_permitted_restricted_collections` for guest users

Addresses inveniosoftware#3638
@aw-bib
Contributor

aw-bib commented Jun 21, 2016

The above PR should contain the code by @martinkoehler
