fix #59547

modules/weko-records-ui/tests/conftest.py

@@ -533,18 +533,20 @@ def users(app, db):
 
 
 @pytest.fixture()
-def indextree(client, users):
+def indextree(client, users, user_activity_log_partition_table):
     index_metadata = {
         "id": 1,
         "parent": 0,
         "value": "Index(public_state = True,harvest_public_state = True)",
     }
 
     with patch("flask_login.utils._get_user", return_value=users[2]["obj"]):
-        ret = Indexes.create(0, index_metadata)
         index = Index.get_index_by_id(1)
-        index.public_state = True
-        index.harvest_public_state = True
+        if index is None:
+            Indexes.create(0, index_metadata)
+            index = Index.get_index_by_id(1)
+            index.public_state = True
+            index.harvest_public_state = True
 
     index_metadata = {
         "id": 2,
@@ -553,10 +555,12 @@ def indextree(client, users):
     }
 
     with patch("flask_login.utils._get_user", return_value=users[2]["obj"]):
-        Indexes.create(0, index_metadata)
         index = Index.get_index_by_id(2)
-        index.public_state = True
-        index.harvest_public_state = False
+        if index is None:
+            Indexes.create(0, index_metadata)
+            index = Index.get_index_by_id(2)
+            index.public_state = True
+            index.harvest_public_state = False
 
     index_metadata = {
         "id": 3,
@@ -565,10 +569,12 @@ def indextree(client, users):
     }
 
     with patch("flask_login.utils._get_user", return_value=users[2]["obj"]):
-        Indexes.create(0, index_metadata)
         index = Index.get_index_by_id(3)
-        index.public_state = False
-        index.harvest_public_state = True
+        if index is None:
+            Indexes.create(0, index_metadata)
+            index = Index.get_index_by_id(3)
+            index.public_state = False
+            index.harvest_public_state = True
 
     index_metadata = {
         "id": 4,
@@ -577,10 +583,12 @@ def indextree(client, users):
     }
 
     with patch("flask_login.utils._get_user", return_value=users[2]["obj"]):
-        Indexes.create(0, index_metadata)
         index = Index.get_index_by_id(4)
-        index.public_state = False
-        index.harvest_public_state = False
+        if index is None:
+            Indexes.create(0, index_metadata)
+            index = Index.get_index_by_id(4)
+            index.public_state = False
+            index.harvest_public_state = False
 
 
 @pytest.fixture()
@@ -6405,3 +6413,21 @@ def users_storage_info(db, users):
     db.session.commit()
 
     yield users_info
+
+@pytest.fixture()
+def user_activity_log_partition_table(app, db):
+    """Create user activity log partition."""
+    # Create partition for current month
+    now = datetime.now()
+    start = now.date().replace(day=1)
+    end = (start + timedelta(days=31)).replace(day=1)
+    partition_name = f"user_activity_logs_{now.year}_{now.month:02d}"
+    create_partition_sql = f"""
+        CREATE TABLE IF NOT EXISTS {partition_name}
+        PARTITION OF user_activity_logs
+        FOR VALUES FROM ('{start}') TO ('{end}');
+    """
+
+    with db.session.begin_nested():
+        db.session.execute(create_partition_sql)
+    db.session.commit()

modules/weko-records-ui/tests/test_permissions.py

@@ -164,6 +164,7 @@ def test_check_file_download_permission(app, records, users, db_file_permission,
             fjson['roles'] = [{'role':'Contributor'}]
             assert check_file_download_permission(record, fjson, False) == True
 
+            # Test Case: accessrole=open_login, logged in user, any role
             fjson['accessrole'] = 'open_login'
             fjson['roles'] = [{'role':'none_loggin'},{'role':'1'},{'role':'2'},{'role':'3'},{'role':'4'},{'role':'5'}]
             assert check_file_download_permission(record, fjson, True) == True
@@ -192,23 +193,45 @@ def test_check_file_download_permission(app, records, users, db_file_permission,
             assert check_file_download_permission(record, fjson, True) == False
             assert check_file_download_permission(record, fjson, False) == False
 
+            # Test Case: accessrole=open_restricted, logged in user, site license check returns False
             fjson['accessrole'] = 'open_restricted'
-            assert check_file_download_permission(record, fjson, True) == False
+            with patch("weko_records_ui.permissions.check_site_license_permission", return_value=False):
+                assert check_file_download_permission(record, fjson, True) == False
+
+            # Test Case: accessrole=open_restricted, logged in user, site license check returns True
+            fjson["accessrole"] = "open_restricted"
+            with patch("weko_records_ui.permissions.check_site_license_permission", return_value=True):
+                assert check_file_download_permission(record, fjson, True) == True
+
+            # Test Case: accessrole=open_restricted, check_open_restricted_permission returns True
+            fjson["accessrole"] = "open_restricted"
+            with patch("weko_records_ui.permissions.check_open_restricted_permission", return_value=True):
+                assert check_file_download_permission(record, fjson, True) == True
 
         with patch("weko_records_ui.utils.is_future",return_value=False):
             fjson['accessrole'] = 'open_date'
             fjson['accessdate'] = (datetime.now().date() + timedelta(weeks = 1)).strftime('%Y-%m-%d')
             fjson['roles'] = [{'role':'none_loggin'},{'role':'System Administrator'},{'role':'Repository Administrator'},{'role':'Contributor'},{'role':'Community Administrator'},{'role':'General'}]
             assert check_file_download_permission(record, fjson, False) == True
 
+            # Test Case: accessrole=open_login, not logged in user, any role
             fjson['accessrole'] = 'open_login'
             assert check_file_download_permission(record, fjson, False) == False
 
+            # Test Case: accessrole=open_login, not logged in user, but site license check returns True
+            fjson['accessrole'] = 'open_login'
+            with patch("weko_records_ui.permissions.check_site_license_permission", return_value=True):
+                assert check_file_download_permission(record, fjson, False) == True
+
             fjson['roles'] = []
             fjson['groupsprice'] = ''
             fjson['groups'] = 'group'
             assert check_file_download_permission(record, fjson, False) == False
 
+            # Test Case: accessrole=invalid_value, not logged in user
+            fjson['accessrole'] = 'invalid_value'
+            assert check_file_download_permission(record, fjson, False) == False
+
     record = results[2]["record"]
     fjson = {'url': {'url': 'https://weko3.example.org/record/11/files/001.jpg'},
              'date': [{'dateType': 'Available', 'dateValue': '2022-09-27'}], 'format': 'image/jpeg',

modules/weko-records-ui/weko_records_ui/fd.py

@@ -54,6 +54,7 @@
 from werkzeug.urls import url_quote
 
 from weko_records_ui.errors import AvailableFilesNotFoundRESTError
+from weko_records_ui.ipaddr import check_site_license_permission
 from weko_records_ui.models import (
     FileOnetimeDownload, FileSecretDownload, PDFCoverPageSettings
 )
@@ -248,7 +249,11 @@ def file_ui(
                 return _redirect_method(has_next=True)
             abort(403)
 
-    if not is_preview:
+    # Check site license user for open_restricted download
+    is_site_license_user = check_site_license_permission()
+
+    # Check action is not preview and user is not site license user
+    if not is_site_license_user and not is_preview:
         # open_restricted download
         if 'open_restricted' in fileobj.get('accessrole', '') \
             and not is_terms_of_use_only \

modules/weko-records-ui/weko_records_ui/permissions.py

@@ -295,12 +295,13 @@ def __check_user_permission(user_id_list):
                                 is_billing_can = check_user_group_permission(fjson.get('groups'))
                             else:
                                 is_billing_can = True
-                        if not is_billing_can:
-                            # site license permission check
-                            is_billing_can = site_license_check(item_type)
 
                     is_can = is_login_user and is_role_can and is_billing_can
 
+                    # Grant download permission if user is site license user
+                    if not is_can:
+                        is_can = site_license_check(item_type)
+
             #  can not access
             elif 'open_no' in acsrole:
                 if is_display_file_info:
@@ -319,6 +320,9 @@ def __check_user_permission(user_id_list):
                         is_can = False
             elif 'open_restricted' in acsrole:
                 is_can = check_open_restricted_permission(record, fjson)
+                # Grant download permission if user is site license user
+                if not is_can:
+                    is_can = site_license_check(item_type)
         except BaseException:
             abort(500)
         return is_can

scripts/demo/resticted_access.sql

@@ -16,10 +16,10 @@ BEGIN;
 --
 
 INSERT INTO item_type_name (created, updated, id, name, has_site_license, is_active) VALUES
-('2021-03-20 06:37:13.052787', '2021-03-20 06:37:13.052812', 31001, '利用申請', true, true),
-('2021-03-20 06:39:00.459722', '2021-03-20 06:39:00.459741', 31002, '二段階利用申請', true, true),
-('2021-03-20 06:42:51.677528', '2021-03-20 06:42:51.677548', 31003, '利用報告-Data Usage Report', true, true),
-('2023-12-22 02:53:51.907000', '2023-12-22 02:54:55.171000', 31004, '制限公開用アイテムタイプ', true, true)
+('2021-03-20 06:37:13.052787', '2021-03-20 06:37:13.052812', 31001, '利用申請', false, true),
+('2021-03-20 06:39:00.459722', '2021-03-20 06:39:00.459741', 31002, '二段階利用申請', false, true),
+('2021-03-20 06:42:51.677528', '2021-03-20 06:42:51.677548', 31003, '利用報告-Data Usage Report', false, true),
+('2023-12-22 02:53:51.907000', '2023-12-22 02:54:55.171000', 31004, '制限公開用アイテムタイプ', false, true)
 ON CONFLICT (id) DO NOTHING;
 
 --