permissions: add backoffice readonly action

* add `backoffice_readonly_access_action` and have it replace `backoffice_access_action` in read operations
   * Users with the `backoffice_readonly_access_action` can read everything that users with the `backoffice_access_action` could read before
* create `PatronOwnerReadPermission` and `backoffice_read_permission` that make use of `backoffice_readonly_access_action`

Author: JakobMiesner

invenio_app_ils/acquisition/config.py

@@ -10,7 +10,11 @@
 from invenio_records_rest.facets import terms_filter
 
 from invenio_app_ils.config import RECORDS_REST_MAX_RESULT_WINDOW
-from invenio_app_ils.permissions import backoffice_permission, superuser_permission
+from invenio_app_ils.permissions import (
+    backoffice_permission,
+    backoffice_read_permission,
+    superuser_permission,
+)
 
 from .api import ORDER_PID_FETCHER, ORDER_PID_MINTER, ORDER_PID_TYPE, Order
 from .search import OrderSearch
@@ -44,8 +48,8 @@
         default_media_type="application/json",
         max_result_window=RECORDS_REST_MAX_RESULT_WINDOW,
         error_handlers=dict(),
-        read_permission_factory_imp=backoffice_permission,
-        list_permission_factory_imp=backoffice_permission,
+        read_permission_factory_imp=backoffice_read_permission,
+        list_permission_factory_imp=backoffice_read_permission,
         create_permission_factory_imp=backoffice_permission,
         update_permission_factory_imp=backoffice_permission,
         delete_permission_factory_imp=superuser_permission,

invenio_app_ils/circulation/config.py

@@ -41,7 +41,7 @@
 )
 from invenio_app_ils.patrons.api import patron_exists
 from invenio_app_ils.permissions import (
-    PatronOwnerPermission,
+    PatronOwnerReadPermission,
     authenticated_user_permission,
     backoffice_permission,
     loan_extend_circulation_permission,
@@ -254,7 +254,7 @@
         links_factory_imp="invenio_circulation.links:loan_links_factory",
         max_result_window=RECORDS_REST_MAX_RESULT_WINDOW,
         error_handlers=dict(),
-        read_permission_factory_imp=PatronOwnerPermission,
+        read_permission_factory_imp=PatronOwnerReadPermission,
         # auth via search_factory
         list_permission_factory_imp=authenticated_user_permission,
         create_permission_factory_imp=superuser_permission,

invenio_app_ils/cli.py

@@ -1308,6 +1308,7 @@ def data(
     # Create roles to restrict access
     _run_command("roles create admin", verbose)
     _run_command("roles create librarian", verbose)
+    _run_command("roles create librarian-readonly", verbose)
 
     # Create users
     patron1_profile = {"full_name": "Yannic Vilma"}
@@ -1328,6 +1329,12 @@ def data(
         verbose,
     )
 
+    readonly_profile = {"full_name": "Ro Only"}
+    _run_command(
+        f"users create [email protected] -a --password=123456 --profile '{json.dumps(readonly_profile)}'",
+        verbose,
+    )
+
     patron3_profile = {"full_name": "Medrod Tara"}
     _run_command(
         f"users create [email protected] -a --password=123456 --profile '{json.dumps(patron3_profile)}'",
@@ -1350,6 +1357,7 @@ def data(
 
     # assign roles
     _run_command("roles add [email protected] librarian", verbose)
+    _run_command("roles add [email protected] librarian-readonly", verbose)
 
     # Index vocabularies
     vocabularies_dir = os.path.join(CURRENT_DIR, "vocabularies", "data")
@@ -1368,6 +1376,9 @@ def data(
     # Assign actions
     _run_command("access allow superuser-access role admin", verbose)
     _run_command("access allow ils-backoffice-access role librarian", verbose)
+    _run_command(
+        "access allow ils-backoffice-readonly-access role librarian-readonly", verbose
+    )
 
     # Create demo locations
     click.echo("Creating locations and internal locations...")

invenio_app_ils/closures/views.py

@@ -16,7 +16,7 @@
 from invenio_app_ils.locations.api import LOCATION_PID_TYPE
 from invenio_app_ils.closures.serializers import closure_periods_response
 from invenio_app_ils.closures.api import get_closure_periods
-from invenio_app_ils.permissions import backoffice_permission
+from invenio_app_ils.permissions import backoffice_read_permission
 from invenio_app_ils.records.permissions import RecordPermission
 
 
@@ -53,7 +53,7 @@ def get(self, pid, record, year, **kwargs):
         """Get the date ranges for which a location is closure based in the specified year"""
 
         factory = RecordPermission(record, "read")
-        if not factory.is_public() and not backoffice_permission().can():
+        if not factory.is_public() and not backoffice_read_permission().can():
             if not current_user.is_authenticated:
                 abort(401)
             abort(403)

invenio_app_ils/config.py

@@ -91,9 +91,10 @@
 )
 from .patrons.search import PatronsSearch
 from .permissions import (
-    PatronOwnerPermission,
+    PatronOwnerReadPermission,
     authenticated_user_permission,
     backoffice_permission,
+    backoffice_read_permission,
     views_permissions_factory,
 )
 from .records.permissions import record_read_permission_factory
@@ -395,8 +396,8 @@ def _(x):
         default_media_type="application/json",
         max_result_window=RECORDS_REST_MAX_RESULT_WINDOW,
         error_handlers=dict(),
-        read_permission_factory_imp=backoffice_permission,
-        list_permission_factory_imp=backoffice_permission,
+        read_permission_factory_imp=backoffice_read_permission,
+        list_permission_factory_imp=backoffice_read_permission,
         create_permission_factory_imp=backoffice_permission,
         update_permission_factory_imp=backoffice_permission,
         delete_permission_factory_imp=backoffice_permission,
@@ -427,8 +428,8 @@ def _(x):
         default_media_type="application/json",
         max_result_window=RECORDS_REST_MAX_RESULT_WINDOW,
         error_handlers=dict(),
-        read_permission_factory_imp=backoffice_permission,
-        list_permission_factory_imp=backoffice_permission,
+        read_permission_factory_imp=backoffice_read_permission,
+        list_permission_factory_imp=backoffice_read_permission,
         create_permission_factory_imp=backoffice_permission,
         update_permission_factory_imp=backoffice_permission,
         delete_permission_factory_imp=backoffice_permission,
@@ -522,8 +523,8 @@ def _(x):
         default_media_type="application/json",
         max_result_window=RECORDS_REST_MAX_RESULT_WINDOW,
         error_handlers=dict(),
-        read_permission_factory_imp=backoffice_permission,
-        list_permission_factory_imp=backoffice_permission,
+        read_permission_factory_imp=backoffice_read_permission,
+        list_permission_factory_imp=backoffice_read_permission,
         create_permission_factory_imp=backoffice_permission,
         update_permission_factory_imp=backoffice_permission,
         delete_permission_factory_imp=backoffice_permission,
@@ -552,7 +553,7 @@ def _(x):
         max_result_window=RECORDS_REST_MAX_RESULT_WINDOW,
         error_handlers=dict(),
         read_permission_factory_imp=deny_all,
-        list_permission_factory_imp=backoffice_permission,
+        list_permission_factory_imp=backoffice_read_permission,
         create_permission_factory_imp=deny_all,
         update_permission_factory_imp=deny_all,
         delete_permission_factory_imp=deny_all,
@@ -584,7 +585,7 @@ def _(x):
         default_media_type="application/json",
         max_result_window=RECORDS_REST_MAX_RESULT_WINDOW,
         error_handlers=dict(),
-        read_permission_factory_imp=PatronOwnerPermission,
+        read_permission_factory_imp=PatronOwnerReadPermission,
         # auth via search_factory
         list_permission_factory_imp=authenticated_user_permission,
         create_permission_factory_imp=authenticated_user_permission,

invenio_app_ils/ill/config.py

@@ -11,7 +11,7 @@
 
 from invenio_app_ils.config import RECORDS_REST_MAX_RESULT_WINDOW
 from invenio_app_ils.permissions import (
-    PatronOwnerPermission,
+    PatronOwnerReadPermission,
     authenticated_user_permission,
     backoffice_permission,
     superuser_permission,
@@ -76,7 +76,7 @@
         default_media_type="application/json",
         max_result_window=RECORDS_REST_MAX_RESULT_WINDOW,
         error_handlers=dict(),
-        read_permission_factory_imp=PatronOwnerPermission,
+        read_permission_factory_imp=PatronOwnerReadPermission,
         # auth via search_factory
         list_permission_factory_imp=authenticated_user_permission,
         create_permission_factory_imp=backoffice_permission,

invenio_app_ils/patrons/anonymization.py

@@ -170,7 +170,9 @@ def anonymize_patron_data(patron_pid, force=False):
         borrowing_request["patron"] = anonymous_patron_fields
         borrowing_request["patron_pid"] = anonymous_patron_fields["pid"]
         borrowing_request.commit()
-        anonymized_records[BORROWING_REQUEST_PID_TYPE]["records"].append(borrowing_request)
+        anonymized_records[BORROWING_REQUEST_PID_TYPE]["records"].append(
+            borrowing_request
+        )
         indices += 1
 
     DocumentRequestSearch = current_app_ils.document_request_search_cls

invenio_app_ils/permissions.py

@@ -20,6 +20,7 @@
 from invenio_app_ils.proxies import current_app_ils
 
 backoffice_access_action = action_factory("ils-backoffice-access")
+backoffice_readonly_access_action = action_factory("ils-backoffice-readonly-access")
 
 
 def need_permissions(action):
@@ -62,6 +63,11 @@ def backoffice_permission(*args, **kwargs):
     return Permission(backoffice_access_action)
 
 
+def backoffice_read_permission(*args, **kwargs):
+    """Return permission for backoffice (full or read-only) read access."""
+    return Permission(backoffice_access_action, backoffice_readonly_access_action)
+
+
 def superuser_permission(*args, **kwargs):
     """Return permission to allow only admins."""
     return Permission(superuser_access)
@@ -160,6 +166,18 @@ def loan_checkout_permission(*args, **kwargs):
     raise LoanCheckoutByPatronForbidden(int(loan["patron_pid"]), current_user.id)
 
 
+class PatronOwnerReadPermission(Permission):
+    """Return Permission to evaluate if the current user owns the record or has backoffice read access."""
+
+    def __init__(self, record):
+        """Constructor."""
+        super().__init__(
+            UserNeed(int(record["patron_pid"])),
+            backoffice_access_action,
+            backoffice_readonly_access_action,
+        )
+
+
 class PatronOwnerPermission(Permission):
     """Return Permission to evaluate if the current user owns the record."""
 
@@ -179,12 +197,14 @@ def __init__(self, record):
     "circulation-loan-update-dates",
     "relations-create",
     "relations-delete",
-    "stats-most-loaned",
     "document-request-actions",
     "bucket-create",
     "ill-brwreq-patron-loan-create",
     "ill-brwreq-patron-loan-extension-accept",
     "ill-brwreq-patron-loan-extension-decline",
+]
+_is_backoffice_read_permission = [
+    "stats-most-loaned",
     "send-notification-to-patron",
 ]
 _is_patron_owner_permission = [
@@ -199,6 +219,8 @@ def views_permissions_factory(action):
         return authenticated_user_permission()
     elif action in _is_backoffice_permission:
         return backoffice_permission()
+    elif action in _is_backoffice_read_permission:
+        return backoffice_read_permission()
     elif action in _is_patron_owner_permission:
         return PatronOwnerPermission
     elif action == "circulation-loan-checkout":

invenio_app_ils/providers/config.py

@@ -10,7 +10,10 @@
 from invenio_records_rest.facets import terms_filter
 
 from invenio_app_ils.config import RECORDS_REST_MAX_RESULT_WINDOW
-from invenio_app_ils.permissions import backoffice_permission
+from invenio_app_ils.permissions import (
+    backoffice_permission,
+    backoffice_read_permission,
+)
 
 from .api import PROVIDER_PID_FETCHER, PROVIDER_PID_MINTER, PROVIDER_PID_TYPE, Provider
 from .indexer import ProviderIndexer
@@ -47,8 +50,8 @@
         default_media_type="application/json",
         max_result_window=RECORDS_REST_MAX_RESULT_WINDOW,
         error_handlers=dict(),
-        read_permission_factory_imp=backoffice_permission,
-        list_permission_factory_imp=backoffice_permission,
+        read_permission_factory_imp=backoffice_read_permission,
+        list_permission_factory_imp=backoffice_read_permission,
         create_permission_factory_imp=backoffice_permission,
         update_permission_factory_imp=backoffice_permission,
         delete_permission_factory_imp=backoffice_permission,

invenio_app_ils/records/permissions.py

@@ -12,7 +12,10 @@
 from invenio_access import Permission, any_user
 from six import string_types
 
-from invenio_app_ils.permissions import backoffice_access_action
+from invenio_app_ils.permissions import (
+    backoffice_access_action,
+    backoffice_readonly_access_action,
+)
 
 create_records_action = ActionNeed("create-records")
 
@@ -68,7 +71,10 @@ def read_permissions(self):
         if self.is_public():
             return [any_user]
         else:
-            return self.record_needs() + [backoffice_access_action]
+            return self.record_needs() + [
+                backoffice_readonly_access_action,
+                backoffice_access_action,
+            ]
 
     def record_explicit_restrictions(self):
         """Return the list of user ids/roles allowed for the given action."""