diff --git a/api/nodes/views.py b/api/nodes/views.py index 93879e2d40a..2dcf7aa541e 100644 --- a/api/nodes/views.py +++ b/api/nodes/views.py @@ -125,7 +125,7 @@ RegistrationSerializer, RegistrationCreateSerializer, ) -from api.requests.permissions import NodeRequestPermission +from api.requests.permissions import NodeRequestPermission, InstitutionalAdminRequestTypePermission from api.requests.serializers import NodeRequestSerializer, NodeRequestCreateSerializer from api.requests.views import NodeRequestMixin from api.resources import annotations as resource_annotations @@ -2239,6 +2239,7 @@ class NodeRequestListCreate(JSONAPIBaseView, generics.ListCreateAPIView, ListFil drf_permissions.IsAuthenticatedOrReadOnly, base_permissions.TokenHasScope, NodeRequestPermission, + InstitutionalAdminRequestTypePermission, ) required_read_scopes = [CoreScopes.NODE_REQUESTS_READ] diff --git a/api/requests/permissions.py b/api/requests/permissions.py index 09c97f012ba..18aaae66682 100644 --- a/api/requests/permissions.py +++ b/api/requests/permissions.py @@ -1,11 +1,15 @@ from rest_framework import permissions as drf_permissions from api.base.utils import get_user_auth -from osf.models.action import NodeRequestAction, PreprintRequestAction +from osf.models import ( + Node, + NodeRequestAction, + PreprintRequestAction, + Preprint, + Institution, +) from osf.models.mixins import NodeRequestableMixin, PreprintRequestableMixin -from osf.models.node import Node -from osf.models.preprint import Preprint -from osf.utils.workflows import DefaultTriggers +from osf.utils.workflows import DefaultTriggers, NodeRequestTypes from osf.utils import permissions as osf_permissions @@ -52,8 +56,34 @@ def has_object_permission(self, request, view, obj): # Requesters may not be contributors # Requesters may edit their comment or submit their request return is_requester and auth.user not in node.contributors + + +class InstitutionalAdminRequestTypePermission(drf_permissions.BasePermission): + """ + Permission class for handling object permissions related to Node requests and actions. + """ + + def has_permission(self, request, view): + # Skip if not institutional_request request_type + request_type = request.data.get('request_type') + if request_type != NodeRequestTypes.INSTITUTIONAL_REQUEST.value: + return True + + auth = get_user_auth(request) + if not auth.user: return False + institution_id = request.data.get('institution') + if not institution_id: + return False + + try: + institution = Institution.objects.get(_id=institution_id) + except Institution.DoesNotExist: + return False + + return auth.user.is_institutional_admin(institution) + class PreprintRequestPermission(drf_permissions.BasePermission): def has_object_permission(self, request, view, obj): diff --git a/api/requests/serializers.py b/api/requests/serializers.py index 71ef190b50d..70bd2e30a27 100644 --- a/api/requests/serializers.py +++ b/api/requests/serializers.py @@ -4,10 +4,24 @@ from api.base.exceptions import Conflict from api.base.utils import absolute_reverse, get_user_auth -from api.base.serializers import JSONAPISerializer, LinksField, VersionedDateTimeField, RelationshipField -from osf.models import NodeRequest, PreprintRequest -from osf.utils.workflows import DefaultStates, RequestTypes +from api.base.serializers import ( + JSONAPISerializer, + LinksField, + VersionedDateTimeField, + RelationshipField, +) +from osf.models import ( + NodeRequest, + PreprintRequest, + Institution, + OSFUser, +) +from osf.utils.workflows import DefaultStates, RequestTypes, NodeRequestTypes from osf.utils import permissions as osf_permissions +from website import settings +from website.mails import send_mail, NODE_REQUEST_INSTITUTIONAL_ACCESS_REQUEST + +from rest_framework.exceptions import PermissionDenied, ValidationError class RequestSerializer(JSONAPISerializer): @@ -56,6 +70,8 @@ def create(self, validated_data): raise NotImplementedError() class NodeRequestSerializer(RequestSerializer): + request_type = ser.ChoiceField(read_only=True, required=False, choices=NodeRequestTypes.choices()) + class Meta: type_ = 'node-requests' @@ -66,6 +82,13 @@ class Meta: source='target__guids___id', ) + requested_permissions = ser.ChoiceField( + help_text='These are supposed to represent the default permission suggested when the Node admin sees users ' + 'listed in an `Request Access` list.', + choices=osf_permissions.API_CONTRIBUTOR_PERMISSIONS, + required=False, + ) + def get_target_url(self, obj): return absolute_reverse('nodes:node-detail', kwargs={'node_id': obj.target._id, 'version': self.context['request'].parser_context['kwargs']['version']}) @@ -89,40 +112,118 @@ def get_target_url(self, obj): }, ) + class NodeRequestCreateSerializer(NodeRequestSerializer): - request_type = ser.ChoiceField(required=True, choices=RequestTypes.choices()) + request_type = ser.ChoiceField(read_only=False, required=False, choices=NodeRequestTypes.choices()) + message_recipient = RelationshipField( + help_text='An optional user who will receive a an email explaining the nature of the request.', + required=False, + related_view='users:user-detail', + related_view_kwargs={'user_id': ''}, + ) + bcc_sender = ser.BooleanField( + required=False, + default=False, + help_text='If true, BCCs the sender, giving them a copy of the email message they sent.', + ) + reply_to = ser.BooleanField( + default=False, + help_text='Whether to set the sender\'s username as the `Reply-To` header in the email.', + ) - def create(self, validated_data): - auth = get_user_auth(self.context['request']) - if not auth.user: - raise exceptions.PermissionDenied + def to_internal_value(self, data): + instituion_id = data.pop('institution', None) + message_recipient_id = data.pop('message_recipient', None) + data = super().to_internal_value(data) + + if instituion_id: + data['institution'] = instituion_id + if message_recipient_id: + data['message_recipient'] = message_recipient_id + return data + + def get_node_and_validate_non_contributor(self, auth): + """ + Ensures request user isn't already a contributor. + """ try: - node = self.context['view'].get_target() + return self.context['view'].get_target() except exceptions.PermissionDenied: node = self.context['view'].get_target(check_object_permissions=False) if auth.user in node.contributors: raise exceptions.PermissionDenied('You cannot request access to a node you contribute to.') raise - comment = validated_data.pop('comment', '') - request_type = validated_data.pop('request_type', None) + def create(self, validated_data) -> NodeRequest: + auth = get_user_auth(self.context['request']) + if not auth.user: + raise exceptions.PermissionDenied - if request_type != RequestTypes.ACCESS.value: - raise exceptions.ValidationError('You must specify a valid request_type.') + node = self.get_node_and_validate_non_contributor(auth) + request_type = validated_data.get('request_type') + match request_type: + case NodeRequestTypes.ACCESS.value: + return self._create_node_request(node, validated_data) + case NodeRequestTypes.INSTITUTIONAL_REQUEST.value: + return self.make_node_institutional_access_request(node, validated_data) + case _: + raise ValidationError('You must specify a valid request_type.') + + def make_node_institutional_access_request(self, node, validated_data) -> NodeRequest: + node_request = self._create_node_request(node, validated_data) + + sender = self.context['request'].user + message_recipient_id = validated_data.get('message_recipient') + institution_id = validated_data.get('institution') + try: + recipient = OSFUser.objects.get(guids___id=message_recipient_id) + except OSFUser.DoesNotExist: + recipient = None + + institution = Institution.objects.get(_id=institution_id) + + if recipient: + if not recipient.is_affiliated_with_institution(institution): + raise PermissionDenied(f"User {recipient._id} is not affiliated with the institution.") + + if validated_data['comment']: + send_mail( + to_addr=recipient.username, + mail=NODE_REQUEST_INSTITUTIONAL_ACCESS_REQUEST, + user=recipient, + sender=sender, + bcc_addr=validated_data.get('bcc_sender', []), + reply_to=validated_data.get('reply_to', None), + recipient=recipient, + comment=validated_data['comment'], + institution=institution, + osf_url=settings.DOMAIN, + node=node_request.target, + ) + + return node_request + + def _create_node_request(self, node, validated_data) -> NodeRequest: + creator = self.context['request'].user + request_type = validated_data['request_type'] + comment = validated_data.get('comment', '') + requested_permissions = validated_data.get('requested_permissions') try: node_request = NodeRequest.objects.create( target=node, - creator=auth.user, + creator=creator, comment=comment, machine_state=DefaultStates.INITIAL.value, request_type=request_type, + requested_permissions=requested_permissions, ) node_request.save() except IntegrityError: - raise Conflict(f'Users may not have more than one {request_type} request per node.') - node_request.run_submit(auth.user) + raise Conflict(f"Users may not have more than one {request_type} request per node.") + + node_request.run_submit(creator) return node_request class PreprintRequestSerializer(RequestSerializer): diff --git a/api_tests/registries_moderation/test_submissions.py b/api_tests/registries_moderation/test_submissions.py index a7e0b3dbb6c..532f71d93fe 100644 --- a/api_tests/registries_moderation/test_submissions.py +++ b/api_tests/registries_moderation/test_submissions.py @@ -4,7 +4,7 @@ from api.base.settings.defaults import API_BASE from api.providers.workflows import Workflows -from osf.utils.workflows import RequestTypes, RegistrationModerationTriggers, RegistrationModerationStates +from osf.utils.workflows import NodeRequestTypes, RegistrationModerationTriggers, RegistrationModerationStates from osf_tests.factories import ( @@ -66,7 +66,7 @@ def registration_with_withdraw_request(self, provider): registration = RegistrationFactory(provider=provider) NodeRequest.objects.create( - request_type=RequestTypes.WITHDRAWAL.value, + request_type=NodeRequestTypes.WITHDRAWAL.value, target=registration, creator=registration.creator ) @@ -75,7 +75,7 @@ def registration_with_withdraw_request(self, provider): @pytest.fixture() def access_request(self, provider): - request = NodeRequestFactory(request_type=RequestTypes.ACCESS.value) + request = NodeRequestFactory(request_type=NodeRequestTypes.ACCESS.value) request.target.provider = provider request.target.save() diff --git a/api_tests/requests/views/test_node_request_list.py b/api_tests/requests/views/test_node_request_list.py new file mode 100644 index 00000000000..b0a18108c9f --- /dev/null +++ b/api_tests/requests/views/test_node_request_list.py @@ -0,0 +1,272 @@ +from unittest import mock +import pytest + +from api.base.settings.defaults import API_BASE +from api_tests.requests.mixins import NodeRequestTestMixin + +from osf_tests.factories import ( + NodeFactory, + NodeRequestFactory, + InstitutionFactory, + AuthUserFactory +) +from osf.utils.workflows import DefaultStates, NodeRequestTypes + + +@pytest.mark.django_db +class TestNodeRequestListCreate(NodeRequestTestMixin): + @pytest.fixture() + def url(self, project): + return f'/{API_BASE}nodes/{project._id}/requests/' + + @pytest.fixture() + def create_payload(self): + return { + 'data': { + 'attributes': { + 'comment': 'ASDFG', + 'request_type': NodeRequestTypes.ACCESS.value + }, + 'type': 'node-requests' + } + } + + def test_noncontrib_can_submit_to_public_node(self, app, project, noncontrib, url, create_payload): + project.is_public = True + project.save() + res = app.post_json_api(url, create_payload, auth=noncontrib.auth) + assert res.status_code == 201 + + def test_noncontrib_can_submit_to_private_node(self, app, project, noncontrib, url, create_payload): + assert not project.is_public + res = app.post_json_api(url, create_payload, auth=noncontrib.auth) + assert res.status_code == 201 + + def test_must_be_logged_in_to_create(self, app, url, create_payload): + res = app.post_json_api(url, create_payload, expect_errors=True) + assert res.status_code == 401 + + def test_contributor_cannot_submit_to_contributed_node(self, app, url, write_contrib, create_payload): + res = app.post_json_api(url, create_payload, auth=write_contrib.auth, expect_errors=True) + assert res.status_code == 403 + assert res.json['errors'][0]['detail'] == 'You cannot request access to a node you contribute to.' + + def test_admin_can_view_requests(self, app, url, admin, node_request): + res = app.get(url, auth=admin.auth) + assert res.status_code == 200 + assert res.json['data'][0]['id'] == node_request._id + + def test_write_contrib_cannot_view_requests(self, app, url, write_contrib, node_request): + res = app.get(url, auth=write_contrib.auth, expect_errors=True) + assert res.status_code == 403 + + def test_requester_cannot_view_requests(self, app, url, requester, node_request): + res = app.get(url, auth=requester.auth, expect_errors=True) + assert res.status_code == 403 + + def test_noncontrib_cannot_view_requests(self, app, url, noncontrib, node_request): + res = app.get(url, auth=noncontrib.auth, expect_errors=True) + assert res.status_code == 403 + + def test_requester_cannot_submit_again(self, app, url, requester, node_request, create_payload): + res = app.post_json_api(url, create_payload, auth=requester.auth, expect_errors=True) + assert res.status_code == 409 + assert res.json['errors'][0]['detail'] == 'Users may not have more than one access request per node.' + + def test_requests_disabled_create(self, app, url, create_payload, project, noncontrib): + project.access_requests_enabled = False + project.save() + res = app.post_json_api(url, create_payload, auth=noncontrib.auth, expect_errors=True) + assert res.status_code == 403 + + def test_requests_disabled_list(self, app, url, create_payload, project, admin): + project.access_requests_enabled = False + project.save() + res = app.get(url, create_payload, auth=admin.auth, expect_errors=True) + assert res.status_code == 403 + + @mock.patch('website.mails.mails.send_mail') + def test_email_sent_to_all_admins_on_submit(self, mock_mail, app, project, noncontrib, url, create_payload, second_admin): + project.is_public = True + project.save() + res = app.post_json_api(url, create_payload, auth=noncontrib.auth) + assert res.status_code == 201 + assert mock_mail.call_count == 2 + + @mock.patch('website.mails.mails.send_mail') + def test_email_not_sent_to_parent_admins_on_submit(self, mock_mail, app, project, noncontrib, url, create_payload, second_admin): + component = NodeFactory(parent=project, creator=second_admin) + component.is_public = True + project.save() + url = f'/{API_BASE}nodes/{component._id}/requests/' + res = app.post_json_api(url, create_payload, auth=noncontrib.auth) + assert res.status_code == 201 + assert component.parent_admin_contributors.count() == 1 + assert component.contributors.count() == 1 + assert mock_mail.call_count == 1 + + def test_request_followed_by_added_as_contrib(elf, app, project, noncontrib, admin, url, create_payload): + res = app.post_json_api(url, create_payload, auth=noncontrib.auth) + assert res.status_code == 201 + assert project.requests.filter(creator=noncontrib, machine_state='pending').exists() + + project.add_contributor(noncontrib, save=True) + assert project.is_contributor(noncontrib) + assert not project.requests.filter(creator=noncontrib, machine_state='pending').exists() + assert project.requests.filter(creator=noncontrib, machine_state='accepted').exists() + + def test_filter_by_machine_state(self, app, project, noncontrib, url, admin, node_request): + initial_node_request = NodeRequestFactory( + creator=noncontrib, + target=project, + request_type=NodeRequestTypes.ACCESS.value, + machine_state=DefaultStates.INITIAL.value + ) + filtered_url = f'{url}?filter[machine_state]=pending' + res = app.get(filtered_url, auth=admin.auth) + assert res.status_code == 200 + ids = [result['id'] for result in res.json['data']] + assert initial_node_request._id not in ids + assert node_request.machine_state == 'pending' and node_request._id in ids + +@pytest.mark.django_db +class TestNodeRequestListInstitutionalAccess(NodeRequestTestMixin): + + @pytest.fixture() + def url(self, project): + return f'/{API_BASE}nodes/{project._id}/requests/' + + @pytest.fixture() + def institution(self): + return InstitutionFactory() + + @pytest.fixture() + def user_with_affiliation(self, institution): + user = AuthUserFactory() + user.add_or_update_affiliated_institution(institution) + return user + + @pytest.fixture() + def user_without_affiliation(self): + return AuthUserFactory() + + @pytest.fixture() + def institutional_admin(self, institution): + admin_user = AuthUserFactory() + institution.get_group('institutional_admins').user_set.add(admin_user) + return admin_user + + @pytest.fixture() + def create_payload(self, institution, user_with_affiliation): + return { + 'data': { + 'attributes': { + 'comment': 'Wanna Philly Philly?', + 'request_type': NodeRequestTypes.INSTITUTIONAL_REQUEST.value, + }, + 'relationships': { + 'institution': { + 'data': { + 'id': institution._id, + 'type': 'institutions' + } + }, + 'message_recipient': { + 'data': { + 'id': user_with_affiliation._id, + 'type': 'users' + } + } + }, + 'type': 'node-requests' + } + } + + def test_institutional_admin_can_make_institutional_request(self, app, project, institutional_admin, url, create_payload): + """ + Test that an institutional admin can make an institutional access request. + """ + res = app.post_json_api(url, create_payload, auth=institutional_admin.auth) + assert res.status_code == 201 + + # Verify the NodeRequest object is created + node_request = project.requests.get(creator=institutional_admin) + assert node_request.request_type == NodeRequestTypes.INSTITUTIONAL_REQUEST.value + assert node_request.comment == 'Wanna Philly Philly?' + assert node_request.machine_state == DefaultStates.PENDING.value + + def test_non_admin_cant_make_institutional_request(self, app, project, noncontrib, url, create_payload): + """ + Test that a non-institutional admin cannot make an institutional access request. + """ + res = app.post_json_api(url, create_payload, auth=noncontrib.auth, expect_errors=True) + assert res.status_code == 403 + assert 'You do not have permission to perform this action' in res.json['errors'][0]['detail'] + + def test_institutional_admin_can_add_requested_permission(self, app, project, institutional_admin, url, create_payload): + """ + Test that an institutional admin can make an institutional access request with requested_permissions. + """ + create_payload['data']['attributes']['requested_permissions'] = 'admin' + + res = app.post_json_api(url, create_payload, auth=institutional_admin.auth) + assert res.status_code == 201 + + # Verify the NodeRequest object is created with the correct requested_permissions + node_request = project.requests.get(creator=institutional_admin) + assert node_request.request_type == NodeRequestTypes.INSTITUTIONAL_REQUEST.value + assert node_request.requested_permissions == 'admin' + + @mock.patch('api.requests.serializers.send_mail') + def test_email_not_sent_without_recipient(self, mock_mail, app, project, institutional_admin, url, + create_payload, institution): + """ + Test that an email is not sent when no recipient is listed when an institutional access request is made, + but the request is still made anyway without email. + """ + del create_payload['data']['relationships']['message_recipient'] + res = app.post_json_api(url, create_payload, auth=institutional_admin.auth) + assert res.status_code == 201 + + # Check that an email is sent + assert not mock_mail.called + + @mock.patch('api.requests.serializers.send_mail') + def test_email_not_sent_outside_institutiona(self, mock_mail, app, project, institutional_admin, url, + create_payload, user_without_affiliation, institution): + """ + Test that you are prevented from requesting a user with the correct institutional affiliation. + """ + create_payload['data']['relationships']['message_recipient']['data']['id'] = user_without_affiliation._id + res = app.post_json_api(url, create_payload, auth=institutional_admin.auth, expect_errors=True) + assert res.status_code == 403 + assert f'User {user_without_affiliation._id} is not affiliated with the institution.' in res.json['errors'][0]['detail'] + + # Check that an email is sent + assert not mock_mail.called + + @mock.patch('api.requests.serializers.send_mail') + def test_email_sent_on_creation(self, mock_mail, app, project, institutional_admin, url, + user_with_affiliation, create_payload, institution): + """ + Test that an email is sent to the appropriate recipients when an institutional access request is made. + """ + res = app.post_json_api(url, create_payload, auth=institutional_admin.auth) + assert res.status_code == 201 + + assert mock_mail.call_count == 1 + from website.mails import NODE_REQUEST_INSTITUTIONAL_ACCESS_REQUEST + + mock_mail.assert_called_with( + to_addr=user_with_affiliation.username, + mail=NODE_REQUEST_INSTITUTIONAL_ACCESS_REQUEST, + user=user_with_affiliation, + **{ + 'sender': institutional_admin, + 'recipient': user_with_affiliation, + 'comment': create_payload['data']['attributes']['comment'], + 'institution': institution, + 'osf_url': mock.ANY, + 'node': project, + } + ) diff --git a/api_tests/requests/views/test_preprint_request_list.py b/api_tests/requests/views/test_preprint_request_list.py new file mode 100644 index 00000000000..d23736aa312 --- /dev/null +++ b/api_tests/requests/views/test_preprint_request_list.py @@ -0,0 +1,72 @@ +from unittest import mock +import pytest + +from api.base.settings.defaults import API_BASE +from api_tests.requests.mixins import PreprintRequestTestMixin + + +@pytest.mark.django_db +class TestPreprintRequestListCreate(PreprintRequestTestMixin): + def url(self, preprint): + return f'/{API_BASE}preprints/{preprint._id}/requests/' + + @pytest.fixture() + def create_payload(self): + return { + 'data': { + 'attributes': { + 'comment': 'ASDFG', + 'request_type': 'withdrawal' + }, + 'type': 'preprint-requests' + } + } + + def test_noncontrib_cannot_submit(self, app, noncontrib, create_payload, pre_mod_preprint, post_mod_preprint, none_mod_preprint): + for preprint in [pre_mod_preprint, post_mod_preprint, none_mod_preprint]: + res = app.post_json_api(self.url(preprint), create_payload, auth=noncontrib.auth, expect_errors=True) + assert res.status_code == 403 + + def test_unauth_cannot_submit(self, app, create_payload, pre_mod_preprint, post_mod_preprint, none_mod_preprint): + for preprint in [pre_mod_preprint, post_mod_preprint, none_mod_preprint]: + res = app.post_json_api(self.url(preprint), create_payload, expect_errors=True) + assert res.status_code == 401 + + def test_write_contributor_cannot_submit(self, app, write_contrib, create_payload, pre_mod_preprint, post_mod_preprint, none_mod_preprint): + for preprint in [pre_mod_preprint, post_mod_preprint, none_mod_preprint]: + res = app.post_json_api(self.url(preprint), create_payload, auth=write_contrib.auth, expect_errors=True) + assert res.status_code == 403 + + def test_admin_can_submit(self, app, admin, create_payload, pre_mod_preprint, post_mod_preprint, none_mod_preprint): + for preprint in [pre_mod_preprint, post_mod_preprint, none_mod_preprint]: + res = app.post_json_api(self.url(preprint), create_payload, auth=admin.auth) + assert res.status_code == 201 + + def test_admin_can_view_requests(self, app, admin, pre_request, post_request, none_request): + for request in [pre_request, post_request, none_request]: + res = app.get(self.url(request.target), auth=admin.auth) + assert res.status_code == 200 + assert res.json['data'][0]['id'] == request._id + + def test_noncontrib_and_write_contrib_cannot_view_requests(self, app, noncontrib, write_contrib, pre_request, post_request, none_request): + for request in [pre_request, post_request, none_request]: + for user in [noncontrib, write_contrib]: + res = app.get(self.url(request.target), auth=user.auth, expect_errors=True) + assert res.status_code == 403 + + def test_unauth_cannot_view_requests(self, app, noncontrib, write_contrib, pre_request, post_request, none_request): + for request in [pre_request, post_request, none_request]: + res = app.get(self.url(request.target), expect_errors=True) + assert res.status_code == 401 + + def test_requester_cannot_submit_again(self, app, admin, create_payload, pre_mod_preprint, pre_request): + res = app.post_json_api(self.url(pre_mod_preprint), create_payload, auth=admin.auth, expect_errors=True) + assert res.status_code == 409 + assert res.json['errors'][0]['detail'] == 'Users may not have more than one withdrawal request per preprint.' + + @pytest.mark.skip('TODO: IN-284 -- add emails') + @mock.patch('website.reviews.listeners.mails.send_mail') + def test_email_sent_to_moderators_on_submit(self, mock_mail, app, admin, create_payload, moderator, post_mod_preprint): + res = app.post_json_api(self.url(post_mod_preprint), create_payload, auth=admin.auth) + assert res.status_code == 201 + assert mock_mail.call_count == 1 diff --git a/api_tests/requests/views/test_request_list_create.py b/api_tests/requests/views/test_request_list_create.py deleted file mode 100644 index fdd96b2cd02..00000000000 --- a/api_tests/requests/views/test_request_list_create.py +++ /dev/null @@ -1,189 +0,0 @@ -from unittest import mock -import pytest - -from osf.utils import workflows -from api.base.settings.defaults import API_BASE -from api_tests.requests.mixins import NodeRequestTestMixin, PreprintRequestTestMixin -from osf_tests.factories import NodeFactory, NodeRequestFactory - -@pytest.mark.django_db -class TestNodeRequestListCreate(NodeRequestTestMixin): - @pytest.fixture() - def url(self, project): - return f'/{API_BASE}nodes/{project._id}/requests/' - - @pytest.fixture() - def create_payload(self): - return { - 'data': { - 'attributes': { - 'comment': 'ASDFG', - 'request_type': 'access' - }, - 'type': 'node-requests' - } - } - - def test_noncontrib_can_submit_to_public_node(self, app, project, noncontrib, url, create_payload): - project.is_public = True - project.save() - res = app.post_json_api(url, create_payload, auth=noncontrib.auth) - assert res.status_code == 201 - - def test_noncontrib_can_submit_to_private_node(self, app, project, noncontrib, url, create_payload): - assert not project.is_public - res = app.post_json_api(url, create_payload, auth=noncontrib.auth) - assert res.status_code == 201 - - def test_must_be_logged_in_to_create(self, app, url, create_payload): - res = app.post_json_api(url, create_payload, expect_errors=True) - assert res.status_code == 401 - - def test_contributor_cannot_submit_to_contributed_node(self, app, url, write_contrib, create_payload): - res = app.post_json_api(url, create_payload, auth=write_contrib.auth, expect_errors=True) - assert res.status_code == 403 - assert res.json['errors'][0]['detail'] == 'You cannot request access to a node you contribute to.' - - def test_admin_can_view_requests(self, app, url, admin, node_request): - res = app.get(url, auth=admin.auth) - assert res.status_code == 200 - assert res.json['data'][0]['id'] == node_request._id - - def test_write_contrib_cannot_view_requests(self, app, url, write_contrib, node_request): - res = app.get(url, auth=write_contrib.auth, expect_errors=True) - assert res.status_code == 403 - - def test_requester_cannot_view_requests(self, app, url, requester, node_request): - res = app.get(url, auth=requester.auth, expect_errors=True) - assert res.status_code == 403 - - def test_noncontrib_cannot_view_requests(self, app, url, noncontrib, node_request): - res = app.get(url, auth=noncontrib.auth, expect_errors=True) - assert res.status_code == 403 - - def test_requester_cannot_submit_again(self, app, url, requester, node_request, create_payload): - res = app.post_json_api(url, create_payload, auth=requester.auth, expect_errors=True) - assert res.status_code == 409 - assert res.json['errors'][0]['detail'] == 'Users may not have more than one access request per node.' - - def test_requests_disabled_create(self, app, url, create_payload, project, noncontrib): - project.access_requests_enabled = False - project.save() - res = app.post_json_api(url, create_payload, auth=noncontrib.auth, expect_errors=True) - assert res.status_code == 403 - - def test_requests_disabled_list(self, app, url, create_payload, project, admin): - project.access_requests_enabled = False - project.save() - res = app.get(url, create_payload, auth=admin.auth, expect_errors=True) - assert res.status_code == 403 - - @mock.patch('website.mails.mails.send_mail') - def test_email_sent_to_all_admins_on_submit(self, mock_mail, app, project, noncontrib, url, create_payload, second_admin): - project.is_public = True - project.save() - res = app.post_json_api(url, create_payload, auth=noncontrib.auth) - assert res.status_code == 201 - assert mock_mail.call_count == 2 - - @mock.patch('website.mails.mails.send_mail') - def test_email_not_sent_to_parent_admins_on_submit(self, mock_mail, app, project, noncontrib, url, create_payload, second_admin): - component = NodeFactory(parent=project, creator=second_admin) - component.is_public = True - project.save() - url = f'/{API_BASE}nodes/{component._id}/requests/' - res = app.post_json_api(url, create_payload, auth=noncontrib.auth) - assert res.status_code == 201 - assert component.parent_admin_contributors.count() == 1 - assert component.contributors.count() == 1 - assert mock_mail.call_count == 1 - - def test_request_followed_by_added_as_contrib(elf, app, project, noncontrib, admin, url, create_payload): - res = app.post_json_api(url, create_payload, auth=noncontrib.auth) - assert res.status_code == 201 - assert project.requests.filter(creator=noncontrib, machine_state='pending').exists() - - project.add_contributor(noncontrib, save=True) - assert project.is_contributor(noncontrib) - assert not project.requests.filter(creator=noncontrib, machine_state='pending').exists() - assert project.requests.filter(creator=noncontrib, machine_state='accepted').exists() - - def test_filter_by_machine_state(self, app, project, noncontrib, url, admin, node_request): - initial_node_request = NodeRequestFactory( - creator=noncontrib, - target=project, - request_type=workflows.RequestTypes.ACCESS.value, - machine_state=workflows.DefaultStates.INITIAL.value - ) - filtered_url = f'{url}?filter[machine_state]=pending' - res = app.get(filtered_url, auth=admin.auth) - assert res.status_code == 200 - ids = [result['id'] for result in res.json['data']] - assert initial_node_request._id not in ids - assert node_request.machine_state == 'pending' and node_request._id in ids - -@pytest.mark.django_db -class TestPreprintRequestListCreate(PreprintRequestTestMixin): - def url(self, preprint): - return f'/{API_BASE}preprints/{preprint._id}/requests/' - - @pytest.fixture() - def create_payload(self): - return { - 'data': { - 'attributes': { - 'comment': 'ASDFG', - 'request_type': 'withdrawal' - }, - 'type': 'preprint-requests' - } - } - - def test_noncontrib_cannot_submit(self, app, noncontrib, create_payload, pre_mod_preprint, post_mod_preprint, none_mod_preprint): - for preprint in [pre_mod_preprint, post_mod_preprint, none_mod_preprint]: - res = app.post_json_api(self.url(preprint), create_payload, auth=noncontrib.auth, expect_errors=True) - assert res.status_code == 403 - - def test_unauth_cannot_submit(self, app, create_payload, pre_mod_preprint, post_mod_preprint, none_mod_preprint): - for preprint in [pre_mod_preprint, post_mod_preprint, none_mod_preprint]: - res = app.post_json_api(self.url(preprint), create_payload, expect_errors=True) - assert res.status_code == 401 - - def test_write_contributor_cannot_submit(self, app, write_contrib, create_payload, pre_mod_preprint, post_mod_preprint, none_mod_preprint): - for preprint in [pre_mod_preprint, post_mod_preprint, none_mod_preprint]: - res = app.post_json_api(self.url(preprint), create_payload, auth=write_contrib.auth, expect_errors=True) - assert res.status_code == 403 - - def test_admin_can_submit(self, app, admin, create_payload, pre_mod_preprint, post_mod_preprint, none_mod_preprint): - for preprint in [pre_mod_preprint, post_mod_preprint, none_mod_preprint]: - res = app.post_json_api(self.url(preprint), create_payload, auth=admin.auth) - assert res.status_code == 201 - - def test_admin_can_view_requests(self, app, admin, pre_request, post_request, none_request): - for request in [pre_request, post_request, none_request]: - res = app.get(self.url(request.target), auth=admin.auth) - assert res.status_code == 200 - assert res.json['data'][0]['id'] == request._id - - def test_noncontrib_and_write_contrib_cannot_view_requests(self, app, noncontrib, write_contrib, pre_request, post_request, none_request): - for request in [pre_request, post_request, none_request]: - for user in [noncontrib, write_contrib]: - res = app.get(self.url(request.target), auth=user.auth, expect_errors=True) - assert res.status_code == 403 - - def test_unauth_cannot_view_requests(self, app, noncontrib, write_contrib, pre_request, post_request, none_request): - for request in [pre_request, post_request, none_request]: - res = app.get(self.url(request.target), expect_errors=True) - assert res.status_code == 401 - - def test_requester_cannot_submit_again(self, app, admin, create_payload, pre_mod_preprint, pre_request): - res = app.post_json_api(self.url(pre_mod_preprint), create_payload, auth=admin.auth, expect_errors=True) - assert res.status_code == 409 - assert res.json['errors'][0]['detail'] == 'Users may not have more than one withdrawal request per preprint.' - - @pytest.mark.skip('TODO: IN-284 -- add emails') - @mock.patch('website.reviews.listeners.mails.send_mail') - def test_email_sent_to_moderators_on_submit(self, mock_mail, app, admin, create_payload, moderator, post_mod_preprint): - res = app.post_json_api(self.url(post_mod_preprint), create_payload, auth=admin.auth) - assert res.status_code == 201 - assert mock_mail.call_count == 1 diff --git a/osf/migrations/0025_usermessage.py b/osf/migrations/0025_noderequest_requested_permissions_and_more.py similarity index 72% rename from osf/migrations/0025_usermessage.py rename to osf/migrations/0025_noderequest_requested_permissions_and_more.py index 4d92830df2d..140b6077294 100644 --- a/osf/migrations/0025_usermessage.py +++ b/osf/migrations/0025_noderequest_requested_permissions_and_more.py @@ -1,4 +1,4 @@ -# Generated by Django 4.2.13 on 2024-12-06 21:31 +# Generated by Django 4.2.13 on 2024-12-12 19:37 from django.conf import settings from django.db import migrations, models @@ -14,6 +14,16 @@ class Migration(migrations.Migration): ] operations = [ + migrations.AddField( + model_name='noderequest', + name='requested_permissions', + field=models.CharField(blank=True, choices=[('read', 'read'), ('write', 'write'), ('admin', 'admin')], help_text='The permissions being requested for the node (e.g., read, write, admin).', max_length=31, null=True), + ), + migrations.AlterField( + model_name='noderequest', + name='request_type', + field=models.CharField(choices=[('access', 'Access'), ('withdrawal', 'Withdrawal'), ('institutional_request', 'Institutional_Request')], help_text='The specific type of node request (e.g., access request).', max_length=31), + ), migrations.CreateModel( name='UserMessage', fields=[ diff --git a/osf/models/request.py b/osf/models/request.py index d91837cbc7c..ed50c29f226 100644 --- a/osf/models/request.py +++ b/osf/models/request.py @@ -1,8 +1,8 @@ from django.db import models - from .base import BaseModel, ObjectIDMixin -from osf.utils.workflows import RequestTypes +from osf.utils.workflows import RequestTypes, NodeRequestTypes from .mixins import NodeRequestableMixin, PreprintRequestableMixin +from osf.utils.permissions import API_CONTRIBUTOR_PERMISSIONS class AbstractRequest(BaseModel, ObjectIDMixin): @@ -22,6 +22,18 @@ class NodeRequest(AbstractRequest, NodeRequestableMixin): """ Request for Node Access """ target = models.ForeignKey('AbstractNode', related_name='requests', on_delete=models.CASCADE) + request_type = models.CharField( + max_length=31, + choices=NodeRequestTypes.choices(), + help_text='The specific type of node request (e.g., access request).' + ) + requested_permissions = models.CharField( + max_length=31, + choices=((perm.lower(), perm) for perm in API_CONTRIBUTOR_PERMISSIONS), + null=True, + blank=True, + help_text='The permissions being requested for the node (e.g., read, write, admin).' + ) class PreprintRequest(AbstractRequest, PreprintRequestableMixin): diff --git a/osf/utils/workflows.py b/osf/utils/workflows.py index 43d21659bde..b054de25452 100644 --- a/osf/utils/workflows.py +++ b/osf/utils/workflows.py @@ -515,3 +515,9 @@ def db_name(self): class RequestTypes(ChoiceEnum): ACCESS = 'access' WITHDRAWAL = 'withdrawal' + +@unique +class NodeRequestTypes(ChoiceEnum): + ACCESS = 'access' + WITHDRAWAL = 'withdrawal' + INSTITUTIONAL_REQUEST = 'institutional_request' diff --git a/website/mails/mails.py b/website/mails/mails.py index 2e468acbf81..fbe8522d372 100644 --- a/website/mails/mails.py +++ b/website/mails/mails.py @@ -596,6 +596,11 @@ def get_english_article(word): subject='Your Boa job has failed' ) +NODE_REQUEST_INSTITUTIONAL_ACCESS_REQUEST = Mail( + 'node_request_institutional_access_request', + subject='Institutional Access Project Request' +) + USER_MESSAGE_INSTITUTIONAL_ACCESS_REQUEST = Mail( 'user_message_institutional_access_request', subject='Message from Institutional Admin' diff --git a/website/templates/emails/node_request_institutional_access_request.html.mako b/website/templates/emails/node_request_institutional_access_request.html.mako new file mode 100644 index 00000000000..e69de29bb2d