Only give guest access to public objects without authentication

694c04ca · Erwan Rouchet · 287eed8f · 694c04ca · 694c04ca · 694c04ca
Verified Commit 694c04ca authored 10 months ago by Erwan Rouchet
--- a/arkindex/documents/tests/test_corpus.py
+++ b/arkindex/documents/tests/test_corpus.py
@@ -74,7 +74,6 @@ class TestCorpus(FixtureAPITestCase):
            mock_now.return_value = FAKE_NOW
            cls.corpus_hidden = Corpus.objects.create(name="C Hidden")
-    @expectedFailure
    def test_anon(self):
        # An anonymous user has only access to public
        with self.assertNumQueries(4):
@@ -225,7 +224,6 @@ class TestCorpus(FixtureAPITestCase):
        self.assertEqual(len(data), 13)
        self.assertSetEqual({corpus["top_level_type"] for corpus in data}, {None, "top_level"})
-    @expectedFailure
    def test_mixin(self):
        vol1 = Element.objects.get(name="Volume 1")
        vol2 = Element.objects.get(name="Volume 2")
@@ -345,7 +343,7 @@ class TestCorpus(FixtureAPITestCase):
            "description": self.corpus_public.description,
            "public": True,
            "indexable": False,
-            "rights": ["read", "write", "admin"],
+            "rights": ["read"],
            "created": DB_CREATED,
            "authorized_users": 1,
            "top_level_type": None,

--- a/arkindex/documents/tests/test_retrieve_elements.py
+++ b/arkindex/documents/tests/test_retrieve_elements.py
@@ -43,7 +43,7 @@ class TestRetrieveElements(FixtureAPITestCase):
                "public": True,
            },
            "thumbnail_url": self.vol.thumbnail.s3_url,
-            "thumbnail_put_url": self.vol.thumbnail.s3_put_url,
+            "thumbnail_put_url": None,
            "worker_version": None,
            "confidence": None,
            "zone": None,
@@ -51,7 +51,7 @@ class TestRetrieveElements(FixtureAPITestCase):
            "mirrored": False,
            "created": "2020-02-02T01:23:45.678000Z",
            "creator": None,
-            "rights": ["read", "write", "admin"],
+            "rights": ["read"],
            "metadata_count": 0,
            "classifications": [
                {
@@ -102,6 +102,8 @@ class TestRetrieveElements(FixtureAPITestCase):
        """
        Check getting an element only gives a thumbnail URL with folders
        """
+        self.client.force_login(self.user)
        self.assertTrue(self.vol.type.folder)
        response = self.client.get(reverse("api:element-retrieve", kwargs={"pk": str(self.vol.id)}))
        self.assertEqual(response.status_code, status.HTTP_200_OK)
@@ -230,7 +232,7 @@ class TestRetrieveElements(FixtureAPITestCase):
                "public": True,
            },
            "thumbnail_url": self.vol.thumbnail.s3_url,
-            "thumbnail_put_url": self.vol.thumbnail.s3_put_url,
+            "thumbnail_put_url": None,
            "worker_version": str(self.worker_version.id),
            "confidence": None,
            "zone": None,
@@ -238,7 +240,7 @@ class TestRetrieveElements(FixtureAPITestCase):
            "mirrored": False,
            "created": "2020-02-02T01:23:45.678000Z",
            "creator": None,
-            "rights": ["read", "write", "admin"],
+            "rights": ["read"],
            "metadata_count": 0,
            "classifications": [],
            "worker_run": {
@@ -265,7 +267,7 @@ class TestRetrieveElements(FixtureAPITestCase):
                "public": True,
            },
            "thumbnail_url": self.vol.thumbnail.s3_url,
-            "thumbnail_put_url": self.vol.thumbnail.s3_put_url,
+            "thumbnail_put_url": None,
            "worker_version": None,
            "confidence": None,
            "zone": None,
@@ -273,7 +275,7 @@ class TestRetrieveElements(FixtureAPITestCase):
            "mirrored": False,
            "created": "2020-02-02T01:23:45.678000Z",
            "creator": None,
-            "rights": ["read", "write", "admin"],
+            "rights": ["read"],
            "metadata_count": 0,
            "classifications": [
                {

--- a/arkindex/users/allow_all.py
+++ b/arkindex/users/allow_all.py
@@ -10,6 +10,8 @@ def has_access(user: User, instance, level: int, skip_public: bool = False) -> b
    Check if the user has access to a generic instance with a minimum level
    If skip_public parameter is set to true, exclude rights on public instances
    """
+    if user.is_anonymous:
+        return level <= Role.Guest.value and not skip_public and getattr(instance, "public", False)
    return True
@@ -18,6 +20,11 @@ def filter_rights(user: User, model, level: int):
    Return a generic queryset of objects with access rights for this user.
    Level filtering parameter should be an integer between 1 and 100.
    """
+    if user.is_anonymous:
+        if hasattr(model, "public"):
+            return model.objects.filter(public=True).annotate(max_level=Value(Role.Guest.value, IntegerField()))
+        return model.objects.none()
    return model.objects.annotate(max_level=Value(Role.Admin.value, IntegerField()))
@@ -25,4 +32,9 @@ def get_max_level(user: User, instance) -> Optional[int]:
    """
    Returns the maximum access level on a given model instance
    """
+    if user.is_anonymous:
+        if getattr(instance, "public", False):
+            return Role.Guest.value
+        return None
    return Role.Admin.value