Merge dd2787a into e7b28c3

MANIFEST.in

@@ -108,3 +108,4 @@ recursive-include data *.crt
 # added by check_manifest.py
 recursive-include sonar *.babelrc
 recursive-include sonar *.eslintignore
+recursive-include tests *.json

data/users.json

@@ -0,0 +1,39 @@
+[
+  {
+    "first_name": "Jorg",
+    "last_name": "Mueller",
+    "email": "rero.sonar+superadmin@gmail.com",
+    "password": "123456",
+    "roles": ["superadmin"]
+  },
+  {
+    "first_name": "Elia",
+    "last_name": "Rossi",
+    "email": "rero.sonar+admin@gmail.com",
+    "password": "123456",
+    "roles": ["admin"],
+    "institution": {
+      "$ref": "https://sonar.ch/api/institutions/usi"
+    }
+  },
+  {
+    "first_name": "Emanuele",
+    "last_name": "Fiorentini",
+    "email": "rero.sonar+moderator@gmail.com",
+    "password": "123456",
+    "roles": ["moderator"],
+    "institution": {
+      "$ref": "https://sonar.ch/api/institutions/usi"
+    }
+  },
+  {
+    "first_name": "Jules",
+    "last_name": "Brochu",
+    "email": "rero.sonar+user@gmail.com",
+    "password": "123456",
+    "roles": ["user"],
+    "institution": {
+      "$ref": "https://sonar.ch/api/institutions/usi"
+    }
+  }
+]

scripts/setup

@@ -27,16 +27,16 @@ pipenv run invenio index init --force
 pipenv run invenio index queue init purge
 
 # Create admin role to restrict access
+pipenv run invenio roles create superadmin
 pipenv run invenio roles create admin
+pipenv run invenio roles create moderator
 pipenv run invenio roles create user
-pipenv run invenio roles create librarian
-pipenv run invenio access allow superuser-access role admin
-
-# Create admin user and assign admin role
-pipenv run invenio users create admin@sonar.ch --password 123456 --active
-pipenv run invenio roles add admin@sonar.ch admin
+pipenv run invenio access allow superuser-access role superadmin
+pipenv run invenio access allow admin-access role admin
+pipenv run invenio access allow admin-access role moderator
 
 # Import fixtures
 pipenv run invenio fixtures institutions import
+pipenv run invenio fixtures users import $(pipenv --where)/data/users.json
 pipenv run invenio fixtures documents import hevs
 pipenv run invenio fixtures documents import usi

setup.py

@@ -52,9 +52,7 @@
             'fixtures = sonar.modules.cli:fixtures'
         ],
         'invenio_base.apps': [
-            'documents = sonar.modules.documents:Documents',
-            'shibboleth_authenticator = \
-                sonar.modules.shibboleth_authenticator:ShibbolethAuthenticator',
+            'sonar = sonar.modules:Sonar'
         ],
         'invenio_base.blueprints': [
             'sonar = sonar.theme.views:blueprint',
@@ -83,27 +81,34 @@
         ],
         'invenio_base.api_apps': [
             'documents = sonar.modules.documents:Documents',
-            'institutions = sonar.modules.institutions:Institutions'
-         ],
+            'institutions = sonar.modules.institutions:Institutions',
+            'sonar = sonar.modules:Sonar'
+        ],
         'invenio_jsonschemas.schemas': [
             'documents = sonar.modules.documents.jsonschemas',
-            'institutions = sonar.modules.institutions.jsonschemas'
+            'institutions = sonar.modules.institutions.jsonschemas',
+            'users = sonar.modules.users.jsonschemas'
         ],
         'invenio_search.mappings': [
             'documents = sonar.modules.documents.mappings',
-            'institutions = sonar.modules.institutions.mappings'
+            'institutions = sonar.modules.institutions.mappings',
+            'users = sonar.modules.users.mappings'
         ],
         'invenio_pidstore.minters': [
             'document_id = \
                 sonar.modules.documents.api:document_pid_minter',
             'institution_id = \
-                sonar.modules.institutions.api:institution_pid_minter'
+                sonar.modules.institutions.api:institution_pid_minter',
+            'user_id = \
+                sonar.modules.users.api:user_pid_minter'
         ],
         'invenio_pidstore.fetchers': [
             'document_id = \
                 sonar.modules.documents.api:document_pid_fetcher',
             'institution_id = \
-                sonar.modules.institutions.api:institution_pid_fetcher'
+                sonar.modules.institutions.api:institution_pid_fetcher',
+            'user_id = \
+                sonar.modules.users.api:user_pid_fetcher'
         ],
         "invenio_records.jsonresolver": [
             "institution = sonar.modules.institutions.jsonresolvers"

sonar/config.py

@@ -31,10 +31,13 @@
 from invenio_indexer.api import RecordIndexer
 from invenio_oauthclient.contrib import orcid
 from invenio_records_rest.facets import terms_filter
-from invenio_records_rest.utils import allow_all, check_elasticsearch
 
 from sonar.modules.documents.api import DocumentRecord, DocumentSearch
 from sonar.modules.institutions.api import InstitutionRecord, InstitutionSearch
+from sonar.modules.permissions import can_create_record_factory, \
+    can_delete_record_factory, can_list_record_factory, \
+    can_read_record_factory, can_update_record_factory
+from sonar.modules.users.api import UserRecord, UserSearch
 
 
 def _(x):
@@ -87,6 +90,8 @@ def _(x):
 #: Theme logo
 THEME_LOGO = 'images/sonar-logo.svg'
 
+THEME_ERROR_TEMPLATE = 'sonar/page_error.html'
+
 # Email configuration
 # ===================
 #: Email address for support.
@@ -241,11 +246,11 @@ def _(x):
         default_media_type='application/json',
         max_result_window=10000,
         error_handlers=dict(),
-        create_permission_factory_imp=allow_all,
-        read_permission_factory_imp=check_elasticsearch,
-        update_permission_factory_imp=allow_all,
-        delete_permission_factory_imp=allow_all,
-        list_permission_factory_imp=allow_all
+        create_permission_factory_imp=can_create_record_factory,
+        read_permission_factory_imp=can_read_record_factory,
+        update_permission_factory_imp=can_update_record_factory,
+        delete_permission_factory_imp=can_delete_record_factory,
+        list_permission_factory_imp=can_list_record_factory
     ),
     'inst': dict(
         pid_type='inst',
@@ -274,11 +279,44 @@ def _(x):
         default_media_type='application/json',
         max_result_window=10000,
         error_handlers=dict(),
-        create_permission_factory_imp=allow_all,
-        read_permission_factory_imp=check_elasticsearch,
-        update_permission_factory_imp=allow_all,
-        delete_permission_factory_imp=allow_all,
-        list_permission_factory_imp=allow_all
+        create_permission_factory_imp=can_create_record_factory,
+        read_permission_factory_imp=can_read_record_factory,
+        update_permission_factory_imp=can_update_record_factory,
+        delete_permission_factory_imp=can_delete_record_factory,
+        list_permission_factory_imp=can_list_record_factory
+    ),
+    'user': dict(
+        pid_type='user',
+        pid_minter='user_id',
+        pid_fetcher='user_id',
+        default_endpoint_prefix=True,
+        record_class=UserRecord,
+        search_class=UserSearch,
+        indexer_class=RecordIndexer,
+        search_index='users',
+        search_type=None,
+        record_serializers={
+            'application/json': ('sonar.modules.users.serializers'
+                                 ':json_v1_response'),
+        },
+        search_serializers={
+            'application/json': ('sonar.modules.users.serializers'
+                                 ':json_v1_search'),
+        },
+        record_loaders={
+            'application/json': ('sonar.modules.users.loaders'
+                                 ':json_v1'),
+        },
+        list_route='/users/',
+        item_route='/users/<pid(user):pid_value>',
+        default_media_type='application/json',
+        max_result_window=10000,
+        error_handlers=dict(),
+        create_permission_factory_imp=can_create_record_factory,
+        read_permission_factory_imp=can_read_record_factory,
+        update_permission_factory_imp=can_update_record_factory,
+        delete_permission_factory_imp=can_delete_record_factory,
+        list_permission_factory_imp=can_list_record_factory
     )
 }
 """REST endpoints."""
@@ -386,3 +424,8 @@ def _(x):
 )
 
 WEBPACKEXT_PROJECT = 'sonar.theme.webpack:project'
+
+# Admin layout
+# =========================
+ADMIN_BASE_TEMPLATE = 'sonar/page_admin.html'
+ADMIN_PERMISSION_FACTORY = 'sonar.modules.permissions.admin_permission_factory'

sonar/modules/__init__.py

@@ -16,3 +16,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 """SONAR Modules."""
+
+from .ext import Sonar
+
+__all__ = ('Sonar', )

sonar/modules/api.py

@@ -21,6 +21,7 @@
 
 from flask import current_app
 from invenio_db import db
+from invenio_indexer.api import RecordIndexer
 from invenio_jsonschemas import current_jsonschemas
 from invenio_pidstore.errors import PIDDoesNotExistError
 from invenio_pidstore.models import PersistentIdentifier
@@ -90,6 +91,10 @@ def dbcommit(self):
         """Commit changes to db."""
         db.session.commit()
 
+    def reindex(self):
+        """Reindex record."""
+        RecordIndexer().index(self)
+
 
 class SonarSearch(RecordsSearch):
     """Search Class SONAR."""

sonar/modules/cli.py

@@ -21,6 +21,7 @@
 
 from .documents.cli import documents
 from .institutions.cli import institutions
+from .users.cli import users
 
 
 @click.group()
@@ -29,3 +30,4 @@ def fixtures():
 
 fixtures.add_command(documents)
 fixtures.add_command(institutions)
+fixtures.add_command(users)

sonar/modules/documents/jsonschemas/documents/document-v1.0.0.json

@@ -83,8 +83,7 @@
           "title": "ISBN",
           "description": "ISBN of the resource.",
           "type": "string",
-          "pattern": "^97[8|9][0-9]{10}$",
-          "validationMessage": "Should be a valid ISBN-13 without dashes."
+          "pattern": "^97[8|9][0-9]{10}$"
         }
       }
     },
@@ -111,7 +110,6 @@
             "description": "Bibligraphic code of language.",
             "type": "string",
             "default": "fre",
-            "validationMessage": "Bibliographic language code is required.",
             "enum": [
               "fre",
               "ger",

sonar/modules/documents/templates/documents/record.html

@@ -47,7 +47,7 @@
   {% endfor %}
 {%- endmacro %}
 
-{%- block page_body %}
+{%- block body %}
 <!--
 <ul class="list-group">
   {{ record_content(record.replace_refs()) }}

sonar/modules/ext.py

@@ -20,9 +20,16 @@
 
 from __future__ import absolute_import, print_function
 
+from sonar.modules.permissions import has_admin_access
+
 from . import config
 
 
+def utility_processor():
+    """Dictionary for checking admin access."""
+    return dict(has_admin_access=has_admin_access)
+
+
 class Sonar(object):
     """SONAR extension."""
 
@@ -36,6 +43,8 @@ def init_app(self, app):
         self.init_config(app)
         app.extensions['sonar_app'] = self
 
+        app.context_processor(utility_processor)
+
     def init_config(self, app):
         """Initialize configuration."""
         for k in dir(config):

sonar/modules/pdf_extractor/templates/test.html

@@ -17,7 +17,7 @@
 
 {%- extends config.RECORDS_UI_BASE_TEMPLATE %}
 
-{%- block page_body %}
+{%- block body %}
 <h1>PDF metadata extraction</h1>
 <form id="pdfForm">
     <input type="file" class="form-control-file my-4" id="file">

sonar/modules/permissions.py

@@ -0,0 +1,65 @@
+# -*- coding: utf-8 -*-
+#
+# Swiss Open Access Repository
+# Copyright (C) 2019 RERO
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+"""Project permissions management."""
+
+from flask_principal import ActionNeed
+from invenio_access import Permission
+from invenio_records_rest.utils import check_elasticsearch
+
+superuser_access_permission = Permission(ActionNeed('superuser-access'))
+admin_access_permission = Permission(ActionNeed('admin-access'))
+
+
+def has_admin_access():
+    """Check if current user has access to admin panel.
+
+    This function is used in app context and can be called in all templates.
+    """
+    return admin_access_permission.can()
+
+
+def admin_permission_factory(admin_view):
+    """Admin permission factory."""
+    if admin_view.name in ['Home']:
+        return admin_access_permission
+    return superuser_access_permission
+
+
+def can_list_record_factory(**kwargs):
+    """Factory to check if a ressource can be listed."""
+    return type('Allow', (), {'can': lambda self: True})()
+
+
+def can_read_record_factory(record):
+    """Factory to check if a record can be read."""
+    return check_elasticsearch(record)
+
+
+def can_create_record_factory(**kwargs):
+    """Factory to check if a record can be created."""
+    return admin_access_permission
+
+
+def can_update_record_factory(**kwargs):
+    """Factory to check if a record can be updated."""
+    return admin_access_permission
+
+
+def can_delete_record_factory(**kwargs):
+    """Factory to check if a record can be deleted."""
+    return admin_access_permission