Commit 3c9abe87 authored by Pablo Panero's avatar Pablo Panero

Refactor: Permissions from nested to object type

parent f224f770
{
"title": "Custom record schema v0.0.1",
"id": "http://localhost:5000/schemas/cernsearch-test/test-doc_v0.0.1.json",
"$schema": "http://localhost:5000/schemas/cernsearch-test/test-doc_v0.0.1.json",
"type": "object",
"properties": {
"_access": {
"type": "object",
"properties": {
"owner":{
"type": "array",
"items": {
"type": "string"
}
},
"read":{
"type": "array",
"items": {
"type": "string"
}
},
"update":{
"type": "array",
"items": {
"type": "string"
}
},
"delete":{
"type": "array",
"items": {
"type": "string"
}
}
}
},
"content": {
"type": "string"
},
"custom_pid": {
"type": "string"
},
"$schema": {
"type": "string"
}
}
}
\ No newline at end of file
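Review bot: The `_access` object is left open, so a record whose permission key is misspelt (a constructed example: `"reads"` instead of `"read"`) still validates against this schema. Because the search filter changed in this same commit treats a record without `_access.read` as public, such a typo would presumably expose the record rather than fail at ingestion. Consider adding `"additionalProperties": false` inside `_access`. Separately, the top-level `"$schema"` points at the file's own localhost URL rather than a JSON Schema dialect; since the file uses `id` rather than `$id`, `"$schema": "http://json-schema.org/draft-04/schema#"` looks like the intended value, but confirm against the validator in use.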
{
"settings": {
"index.percolator.map_unmapped_fields_as_string": true,
"index.mapping.total_fields.limit": 3000
},
"mappings": {
"permission_v0.0.1": {
"numeric_detection": true,
"_meta": {
"_owner": "CernSearch-Administrators@cern.ch"
},
"_all": {
"analyzer": "english"
},
"properties": {
"_access": {
"type": "object",
"properties": {
"owner":{
"type": "keyword"
},
"read": {
"type": "keyword"
},
"update": {
"type": "keyword"
},
"delete": {
"type": "keyword"
}
}
},
"type": {
"type": "text"
},
"custom_pid": {
"type": "string",
"index": "not_analyzed"
},
"$schema": {
"type": "string",
"index": "not_analyzed"
}
}
}
}
}
\ No newline at end of file
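Review bot: The mapping mixes two generations of field syntax: the `_access` sub-fields use `"type": "keyword"`, while `custom_pid` and `$schema` still use the legacy `"type": "string", "index": "not_analyzed"` pair. If the target cluster accepts `keyword`, the two legacy fields can be written the same way, `"custom_pid": {"type": "keyword"}` and `"$schema": {"type": "keyword"}`, so that all exact-match fields are declared consistently. The cluster version is not visible on this page, so confirm it before changing.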
......@@ -16,22 +16,13 @@ curl -X GET "localhost:9200/_search" -H 'Content-Type: application/json' -d'
"filter": {
"bool": {
"should": [
{"nested": {
"path": "_access",
"query": {
"bool": {
"should": [
{"terms": {"_access.read": ["egroup-read-one","egroup-read-two"]}},
{"terms": {"_access.update": "egroup-write-one"}},
{"bool": { # Public document
"must_not": {
"exists": {"field": "_access.read"}
} # End must_not
}} # End bool
] # End should
} # End bool
} # End query
}} # End nested
{"terms": {"_access.read": ["egroup-read-one","egroup-read-two"]}},
{"terms": {"_access.update": "egroup-write-one"}},
{"bool": { # Public document
"must_not": {
"exists": {"field": "_access.read"}
} # End must_not
}} # End bool
] # End should
} # End bool
} # End filter
......@@ -47,18 +38,19 @@ def cern_search_filter():
provides = get_egroups()
# Filter for public records
public = ~Q('exists', field='_access.read')
nested_query = public
cern_filter = public
if provides is not None:
# Filter for restricted records, that the user has access to
read_restricted = Q('terms', **{'_access.read': provides})
write_restricted = Q('terms', **{'_access.update': provides})
delete_restricted = Q('terms', **{'_access.delete': provides})
# Filter records where the user is owner
owner = Q('terms', **{'_access.owner': provides})
# OR all the filters
nested_query = public | read_restricted | write_restricted | owner
cern_filter = public | read_restricted | write_restricted | delete_restricted | owner
return Q('bool', should=[Q('nested', path='_access', query=nested_query)])
return Q('bool', filter=cern_filter)
def get_egroups():
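Review bot: The read filter now also ORs in `delete_restricted`, so members of a record's `_access.delete` groups can see the record in search results, which the old `nested_query` did not allow. That widens read access in a commit titled as a refactor; confirm it is intended and mention it in the commit message. The `public` clause is also fail-open, because any record indexed without `_access.read` is returned to every caller, including when `provides` is None. With the move from nested to object this rule is the only thing separating restricted from public records, so it deserves a comment above `public = ...`, for example `# Records without _access.read are world-readable; ingestion must set it on every restricted record`. The body of `cern_search_filter` starts outside this hunk, so the surrounding decorators and imports were not reviewed.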
......