diff --git a/modules/weko-records-ui/tests/conftest.py b/modules/weko-records-ui/tests/conftest.py index 4e0b498053..e7ecddd518 100644 --- a/modules/weko-records-ui/tests/conftest.py +++ b/modules/weko-records-ui/tests/conftest.py @@ -533,7 +533,7 @@ def users(app, db): @pytest.fixture() -def indextree(client, users): +def indextree(client, users, user_activity_log_partition_table): index_metadata = { "id": 1, "parent": 0, @@ -541,10 +541,12 @@ def indextree(client, users): } with patch("flask_login.utils._get_user", return_value=users[2]["obj"]): - ret = Indexes.create(0, index_metadata) index = Index.get_index_by_id(1) - index.public_state = True - index.harvest_public_state = True + if index is None: + Indexes.create(0, index_metadata) + index = Index.get_index_by_id(1) + index.public_state = True + index.harvest_public_state = True index_metadata = { "id": 2, @@ -553,10 +555,12 @@ def indextree(client, users): } with patch("flask_login.utils._get_user", return_value=users[2]["obj"]): - Indexes.create(0, index_metadata) index = Index.get_index_by_id(2) - index.public_state = True - index.harvest_public_state = False + if index is None: + Indexes.create(0, index_metadata) + index = Index.get_index_by_id(2) + index.public_state = True + index.harvest_public_state = False index_metadata = { "id": 3, @@ -565,10 +569,12 @@ def indextree(client, users): } with patch("flask_login.utils._get_user", return_value=users[2]["obj"]): - Indexes.create(0, index_metadata) index = Index.get_index_by_id(3) - index.public_state = False - index.harvest_public_state = True + if index is None: + Indexes.create(0, index_metadata) + index = Index.get_index_by_id(3) + index.public_state = False + index.harvest_public_state = True index_metadata = { "id": 4, 
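Review bot: The new fixture argument `user_activity_log_partition_table` in the `indextree` signature is never referenced in the fixture body, so it is a pure side-effect dependency and the next maintainer is likely to remove it as unused. Add a comment above the signature that says why it is there, e.g. `# side-effect dependency: Indexes.create() presumably writes a user_activity_logs row, and that table is range-partitioned by month (see the fixture at the end of this file), so the current month's partition must exist first — confirm against Indexes.create`. The `if index is None` guards in the following hunks make the fixture tolerant of an index that another fixture already created; a one-line comment there stating that intent would stop someone "simplifying" it back to an unconditional create. The fixture body continues in the following hunks.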
@@ -577,10 +583,12 @@ def indextree(client, users): } with patch("flask_login.utils._get_user", return_value=users[2]["obj"]): - Indexes.create(0, index_metadata) index = Index.get_index_by_id(4) - index.public_state = False - index.harvest_public_state = False + if index is None: + Indexes.create(0, index_metadata) + index = Index.get_index_by_id(4) + index.public_state = False + index.harvest_public_state = False @pytest.fixture() @@ -6405,3 +6413,21 @@ def users_storage_info(db, users): db.session.commit() yield users_info + +@pytest.fixture() +def user_activity_log_partition_table(app, db): + """Create user activity log partition.""" + # Create partition for current month + now = datetime.now() + start = now.date().replace(day=1) + end = (start + timedelta(days=31)).replace(day=1) + partition_name = f"user_activity_logs_{now.year}_{now.month:02d}" + create_partition_sql = f""" + CREATE TABLE IF NOT EXISTS {partition_name} + PARTITION OF user_activity_logs + FOR VALUES FROM ('{start}') TO ('{end}'); + """ + + with db.session.begin_nested(): + db.session.execute(create_partition_sql) + db.session.commit() diff --git a/modules/weko-records-ui/tests/test_permissions.py b/modules/weko-records-ui/tests/test_permissions.py index a5539d6100..c28d07236e 100644 --- a/modules/weko-records-ui/tests/test_permissions.py +++ b/modules/weko-records-ui/tests/test_permissions.py @@ -164,6 +164,7 @@ def test_check_file_download_permission(app, records, users, db_file_permission, fjson['roles'] = [{'role':'Contributor'}] assert check_file_download_permission(record, fjson, False) == True + # Test Case: accessrole=open_login, logged in user, any role fjson['accessrole'] = 'open_login' fjson['roles'] = [{'role':'none_loggin'},{'role':'1'},{'role':'2'},{'role':'3'},{'role':'4'},{'role':'5'}] assert check_file_download_permission(record, fjson, True) == True 
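Review bot: The fixture `user_activity_log_partition_table` creates the partition but never drops it, and it runs the DDL as a plain f-string through `db.session.execute`; the interpolated `partition_name` and bounds come from `datetime.now()` rather than from any input, so there is no injection, but SQLAlchemy 1.4 deprecates and 2.0 rejects string statements, so wrap it in `text()` (`from sqlalchemy import text`, which conftest may already import — it is outside this chunk). `datetime.now()` is naive local time, so if the database stamps rows in a different timezone a test running near a month boundary can write into a month that has no partition and fail with a partition-routing error; use `datetime.now(timezone.utc)` or whatever clock the application's own partition logic uses. Yielding the name and dropping the table afterwards keeps later tests from inheriting the partition. The `datetime`/`timedelta` imports are assumed to exist at the top of conftest.py, which is not visible here.
```python
def user_activity_log_partition_table(app, db):
    # … unchanged: partition_name / create_partition_sql construction …
    with db.session.begin_nested():
        db.session.execute(text(create_partition_sql))
    db.session.commit()
    yield partition_name
    # Teardown: drop the partition so later tests start from a clean schema
    with db.session.begin_nested():
        db.session.execute(text(f"DROP TABLE IF EXISTS {partition_name}"))
    db.session.commit()
```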
@@ -192,8 +193,20 @@ def test_check_file_download_permission(app, records, users, db_file_permission, assert check_file_download_permission(record, fjson, True) == False assert check_file_download_permission(record, fjson, False) == False + # Test Case: accessrole=open_restricted, logged in user, site license check returns False fjson['accessrole'] = 'open_restricted' - assert check_file_download_permission(record, fjson, True) == False + with patch("weko_records_ui.permissions.check_site_license_permission", return_value=False): + assert check_file_download_permission(record, fjson, True) == False + + # Test Case: accessrole=open_restricted, logged in user, site license check returns True + fjson["accessrole"] = "open_restricted" + with patch("weko_records_ui.permissions.check_site_license_permission", return_value=True): + assert check_file_download_permission(record, fjson, True) == True + + # Test Case: accessrole=open_restricted, check_open_restricted_permission returns True + fjson["accessrole"] = "open_restricted" + with patch("weko_records_ui.permissions.check_open_restricted_permission", return_value=True): + assert check_file_download_permission(record, fjson, True) == True with patch("weko_records_ui.utils.is_future",return_value=False): fjson['accessrole'] = 'open_date' 
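Review bot: The third new case (`check_open_restricted_permission` patched to True) leaves `check_site_license_permission` unpatched, so it passes whenever the live site-license check happens to return True for the test client and does not prove the open_restricted path on its own. Patch both in that case: `with patch("weko_records_ui.permissions.check_site_license_permission", return_value=False), patch("weko_records_ui.permissions.check_open_restricted_permission", return_value=True):`. The pre-existing `open_login` assertions earlier in this function have the same exposure now that site license overrides the result — they silently depend on the unpatched check returning False. Note too that permissions.py calls `site_license_check(item_type)`, so the patch only intercepts if that helper resolves `check_site_license_permission` through the permissions module namespace — presumably it does, since these cases pass. test_check_file_download_permission starts and ends outside the hunk.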
@@ -201,14 +214,24 @@ def test_check_file_download_permission(app, records, users, db_file_permission, fjson['roles'] = [{'role':'none_loggin'},{'role':'System Administrator'},{'role':'Repository Administrator'},{'role':'Contributor'},{'role':'Community Administrator'},{'role':'General'}] assert check_file_download_permission(record, fjson, False) == True + # Test Case: accessrole=open_login, not logged in user, any role fjson['accessrole'] = 'open_login' assert check_file_download_permission(record, fjson, False) == False + # Test Case: accessrole=open_login, not logged in user, but site license check returns True + fjson['accessrole'] = 'open_login' + with patch("weko_records_ui.permissions.check_site_license_permission", return_value=True): + assert check_file_download_permission(record, fjson, False) == True + fjson['roles'] = [] fjson['groupsprice'] = '' fjson['groups'] = 'group' assert check_file_download_permission(record, fjson, False) == False + # Test Case: accessrole=invalid_value, not logged in user + fjson['accessrole'] = 'invalid_value' + assert check_file_download_permission(record, fjson, False) == False + record = results[2]["record"] fjson = {'url': {'url': 'https://weko3.example.org/record/11/files/001.jpg'}, 'date': [{'dateType': 'Available', 'dateValue': '2022-09-27'}], 'format': 'image/jpeg', diff --git a/modules/weko-records-ui/weko_records_ui/fd.py b/modules/weko-records-ui/weko_records_ui/fd.py index 48a7264f40..89dab4f6a6 100644 --- a/modules/weko-records-ui/weko_records_ui/fd.py +++ b/modules/weko-records-ui/weko_records_ui/fd.py @@ -54,6 +54,7 @@ from werkzeug.urls import url_quote from weko_records_ui.errors import AvailableFilesNotFoundRESTError +from weko_records_ui.ipaddr import check_site_license_permission from weko_records_ui.models import ( FileOnetimeDownload, FileSecretDownload, PDFCoverPageSettings ) 
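Review bot: The new `open_login` case asserts that a site-license address downloads without being logged in, but the `roles` list in effect there (set at the top of this hunk to every role) never exercises the role restriction, so the fact that the override also waives `is_role_can` is untested. Add a case that pins the intended contract, e.g. `fjson['roles'] = [{'role': 'System Administrator'}]` followed by `with patch("weko_records_ui.permissions.check_site_license_permission", return_value=True): assert check_file_download_permission(record, fjson, False) == True` (or `== False` if role restrictions are meant to survive for site-license users), with a one-line comment saying which. The `invalid_value` case is a good addition, since an unknown accessrole must fail closed. test_check_file_download_permission starts and ends outside the hunk.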
@@ -248,7 +249,11 @@ def file_ui( return _redirect_method(has_next=True) abort(403) - if not is_preview: + # Check site license user for open_restricted download + is_site_license_user = check_site_license_permission() + + # Check action is not preview and user is not site license user + if not is_site_license_user and not is_preview: # open_restricted download if 'open_restricted' in fileobj.get('accessrole', '') \ and not is_terms_of_use_only \ diff --git a/modules/weko-records-ui/weko_records_ui/permissions.py b/modules/weko-records-ui/weko_records_ui/permissions.py index 57f4673491..3abb163182 100644 --- a/modules/weko-records-ui/weko_records_ui/permissions.py +++ b/modules/weko-records-ui/weko_records_ui/permissions.py @@ -295,12 +295,13 @@ def __check_user_permission(user_id_list): is_billing_can = check_user_group_permission(fjson.get('groups')) else: is_billing_can = True - if not is_billing_can: - # site license permission check - is_billing_can = site_license_check(item_type) is_can = is_login_user and is_role_can and is_billing_can + # Grant download permission if user is site license user + if not is_can: + is_can = site_license_check(item_type) + # can not access elif 'open_no' in acsrole: if is_display_file_info: @@ -319,6 +320,9 @@ def __check_user_permission(user_id_list): is_can = False elif 'open_restricted' in acsrole: is_can = check_open_restricted_permission(record, fjson) + # Grant download permission if user is site license user + if not is_can: + is_can = site_license_check(item_type) except BaseException: abort(500) return is_can diff --git a/scripts/demo/resticted_access.sql b/scripts/demo/resticted_access.sql index 745f96b671..e8eb5b5d67 100644 --- a/scripts/demo/resticted_access.sql +++ b/scripts/demo/resticted_access.sql 
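Review bot: `check_site_license_permission()` here is a bare client-address check, while the permission gate above the hunk (presumably `check_file_download_permission`) uses `site_license_check(item_type)`; if that helper is item-type scoped — the demo SQL's `has_site_license` column suggests it is — a site-license address on an item type with `has_site_license = false` can pass the gate through another path and then still skip the whole open_restricted block, including the `is_terms_of_use_only` handling. Use the same check at both places so they cannot disagree, e.g. `is_site_license_user = site_license_check(item_type)` if `item_type` is in scope in file_ui, with the comment `# site-license (IP range) users bypass the open_restricted application/terms flow; must agree with permissions.py`. The decision is also worth a log line, since it grants a download on the strength of the client IP alone, which is only as trustworthy as the proxy configuration that sets it. file_ui starts and ends outside the hunk.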
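Review bot: Moving `site_license_check(item_type)` from a fallback for `is_billing_can` to an override of the whole `is_can` means a site-license user now also skips `is_login_user` and `is_role_can` for open_login files, whereas before the role list was always enforced; the comment `# Grant download permission if user is site license user` should say that explicitly. If the role restriction is meant to survive, write `if not is_can and is_role_can: is_can = site_license_check(item_type)`; if not, document at that line that `roles` (and the `groupsprice`/`groups` billing check) have no effect for site-license addresses. Either way the change widens access, so the removed fallback should not be read as a refactor. The enclosing function starts before the hunk.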
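Review bot: For open_restricted the site-license override runs after `check_open_restricted_permission`, so a site-license address gets the file without whatever per-user restricted-access check that function performs, and the item type's `has_site_license` flag becomes the only thing keeping restricted-access item types out of this path (which is presumably why the demo SQL flips it to false). State that invariant at the call: `# site-license access is scoped per item type via has_site_license; restricted-access item types must keep it false or the application workflow is bypassed`. The surrounding `except BaseException: abort(500)` already fails closed if the IP check raises, so no change there. The enclosing function starts before the hunk.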
@@ -16,10 +16,10 @@ BEGIN; -- INSERT INTO item_type_name (created, updated, id, name, has_site_license, is_active) VALUES -('2021-03-20 06:37:13.052787', '2021-03-20 06:37:13.052812', 31001, '利用申請', true, true), -('2021-03-20 06:39:00.459722', '2021-03-20 06:39:00.459741', 31002, '二段階利用申請', true, true), -('2021-03-20 06:42:51.677528', '2021-03-20 06:42:51.677548', 31003, '利用報告-Data Usage Report', true, true), -('2023-12-22 02:53:51.907000', '2023-12-22 02:54:55.171000', 31004, '制限公開用アイテムタイプ', true, true) +('2021-03-20 06:37:13.052787', '2021-03-20 06:37:13.052812', 31001, '利用申請', false, true), +('2021-03-20 06:39:00.459722', '2021-03-20 06:39:00.459741', 31002, '二段階利用申請', false, true), +('2021-03-20 06:42:51.677528', '2021-03-20 06:42:51.677548', 31003, '利用報告-Data Usage Report', false, true), +('2023-12-22 02:53:51.907000', '2023-12-22 02:54:55.171000', 31004, '制限公開用アイテムタイプ', false, true) ON CONFLICT (id) DO NOTHING; --
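Review bot: Flipping `has_site_license` to false only affects fresh databases, because the statement ends in `ON CONFLICT (id) DO NOTHING` — an already-seeded demo instance keeps `true` on item types 31001–31004, and combined with the new site-license override in permissions.py a site-license address would then download restricted-access files without the application workflow. Pair this with an `UPDATE item_type_name SET has_site_license = false WHERE id IN (31001, 31002, 31003, 31004);` (or an alembic data migration) so existing deployments are covered. Add a comment above the INSERT recording the reason: `-- has_site_license must stay false for restricted-access item types: a site-license IP would otherwise bypass the application workflow (see weko_records_ui.permissions)`.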