inveniosoftware · max-moser · Nov 2, 2022 · Nov 15, 2022
diff --git a/invenio_requests/services/permissions.py b/invenio_requests/services/permissions.py
@@ -1,8 +1,8 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2021 CERN.
-# Copyright (C) 2021 Northwestern University.
-# Copyright (C) 2021 TU Wien.
+# Copyright (C) 2021      CERN.
+# Copyright (C) 2021      Northwestern University.
+# Copyright (C) 2021-2024 TU Wien.
 #
 # Invenio-Requests is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -15,6 +15,7 @@
     AnyUser,
     AuthenticatedUser,
     Disable,
+    DisableIfReadOnly,
     SystemProcess,
     SystemProcessWithoutSuperUser,
 )
@@ -26,7 +27,8 @@ class PermissionPolicy(RecordPermissionPolicy):
     """Permission policy."""
 
     # Ability in general to create requests (not which request you can create)
-    can_create = [AuthenticatedUser(), SystemProcess()]
+    can_create = [AuthenticatedUser(), SystemProcess(), DisableIfReadOnly()]
+
     # Just about ability to perform a search (not what requests you can access)
     can_search = [AuthenticatedUser(), SystemProcess()]
 
@@ -47,6 +49,7 @@ class PermissionPolicy(RecordPermissionPolicy):
         SystemProcess(),
         Status(["created"], [Creator()]),
         Status(["submitted"], [Creator(), Receiver()]),
+        DisableIfReadOnly(),
     ]
 
     can_manage_access_options = [Disable()]
@@ -58,32 +61,35 @@ class PermissionPolicy(RecordPermissionPolicy):
             [Disable()],
         ),
         SystemProcess(),
+        DisableIfReadOnly(),
     ]
 
     # Submit, cancel, expire, accept and decline actions only deals
     # with requests in a **single state** and thus doesn't need to take the
     # request status into account.
-    can_action_submit = [Creator(), SystemProcess()]
-    can_action_cancel = [Creator(), SystemProcess()]
+    can_action_submit = [Creator(), SystemProcess(), DisableIfReadOnly()]
+    can_action_cancel = [Creator(), SystemProcess(), DisableIfReadOnly()]
     # `SystemProcessWithoutSuperUser`: expire is an automatic action done only by
     # the system, therefore the `superuser-action` must be explicitly excluded
     # as it's added by default to any permission.
-    can_action_expire = [SystemProcessWithoutSuperUser()]
-    can_action_accept = [Receiver(), SystemProcess()]
-    can_action_decline = [Receiver(), SystemProcess()]
+    can_action_expire = [SystemProcessWithoutSuperUser(), DisableIfReadOnly()]
+    can_action_accept = [Receiver(), SystemProcess(), DisableIfReadOnly()]
+    can_action_decline = [Receiver(), SystemProcess(), DisableIfReadOnly()]
 
     # Request events/comments
     # Events are in most cases protected by the associated request.
     can_update_comment = [
         Commenter(),
         SystemProcess(),
+        DisableIfReadOnly(),
     ]
     can_delete_comment = [
         Commenter(),
         SystemProcess(),
+        DisableIfReadOnly(),
     ]
     # If you can read the request you can create events for the request.
-    can_create_comment = can_read
+    can_create_comment = can_read + [DisableIfReadOnly()]
 
     # Needed by the search events permission because a permission_action must
     # be provided to create_search(), but the event search is already protected

diff --git a/tests/conftest.py b/tests/conftest.py
@@ -2,7 +2,7 @@
 #
 # Copyright (C) 2021-2024 CERN.
 # Copyright (C) 2021 Northwestern University.
-# Copyright (C) 2021 TU Wien.
+# Copyright (C) 2021-2024 TU Wien.
 # Copyright (C) 2023 Graz University of Technology.
 #
 # Invenio-Requests is free software; you can redistribute it and/or modify it

diff --git a/tests/resources/conftest.py b/tests/resources/conftest.py
@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2022 TU Wien.
+#
+# Invenio-Requests is free software; you can redistribute it and/or modify it
+# under the terms of the MIT License; see LICENSE file for more details.
+
+"""Pytest configuration.
+
+See https://pytest-invenio.readthedocs.io/ for documentation on which test fixtures
+are available.
+"""
+
+import pytest
+
+
+@pytest.fixture()
+def rw_app(app):
+    """Fixture that resets the read-only mode before and after tests.
+
+    This is done in order to prevent permission issues with other fixtures when the
+    app isn't freshly initialized for each test.
+    """
+    app.config["RECORDS_PERMISSIONS_READ_ONLY"] = False
+    yield app
+    app.config["RECORDS_PERMISSIONS_READ_ONLY"] = False
diff --git a/tests/resources/events/test_request_events_resources.py b/tests/resources/events/test_request_events_resources.py
@@ -2,6 +2,7 @@
 #
 # Copyright (C) 2021 CERN.
 # Copyright (C) 2021 Northwestern University.
+# Copyright (C) 2022-2024 TU Wien.
 #
 # Invenio-Requests is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -215,3 +216,67 @@ def test_empty_comment(
     )
     assert 400 == response.status_code
     assert expected_json == response.json
+
+
+#
+# Read-only mode
+#
+
+
+def test_comment_request_ro(
+    rw_app, client_logged_as, headers, events_resource_data, example_request
+):
+    rw_app.config["RECORDS_PERMISSIONS_READ_ONLY"] = True
+    request_id = example_request.id
+    client = client_logged_as("[email protected]")
+
+    # Commenting on a request in read-only mode should fail
+    response = client.post(
+        f"/requests/{request_id}/comments", headers=headers, json=events_resource_data
+    )
+    assert response.status_code == 403
+
+
+def test_update_comment_request_ro(
+    rw_app, client_logged_as, headers, events_resource_data, example_request
+):
+    request_id = example_request.id
+    client = client_logged_as("[email protected]")
+
+    response = client.post(
+        f"/requests/{request_id}/comments", headers=headers, json=events_resource_data
+    )
+    comment_id = response.json["id"]
+    assert response.status_code == 201
+
+    # Updating the comment in read-only mode should fail
+    rw_app.config["RECORDS_PERMISSIONS_READ_ONLY"] = True
+    data = copy.deepcopy(events_resource_data)
+    data["payload"]["content"] = "I've revised my comment."
+    response = client.put(
+        f"/requests/{request_id}/comments/{comment_id}",
+        headers=headers,
+        json=data,
+    )
+    assert response.status_code == 403
+
+
+def test_delete_comment_request_ro(
+    rw_app, client_logged_as, headers, events_resource_data, example_request
+):
+    request_id = example_request.id
+    client = client_logged_as("[email protected]")
+
+    response = client.post(
+        f"/requests/{request_id}/comments", headers=headers, json=events_resource_data
+    )
+    comment_id = response.json["id"]
+    assert response.status_code == 201
+
+    # Updating the comment in read-only mode should fail
+    rw_app.config["RECORDS_PERMISSIONS_READ_ONLY"] = True
+    response = client.delete(
+        f"/requests/{request_id}/comments/{comment_id}",
+        headers=headers,
+    )
+    assert response.status_code == 403
diff --git a/tests/resources/requests/test_requests_resources.py b/tests/resources/requests/test_requests_resources.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2021 TU Wien.
+# Copyright (C) 2021-2024 TU Wien.
 #
 # Invenio-Requests is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -198,3 +198,48 @@ def test_simple_request_flow(app, client_logged_as, headers, example_request):
         }
     )
     assert_api_response(response, 200, expected_data)
+
+
+#
+# Read-only mode
+#
+
+
+def test_update_request_ro(rw_app, client_logged_as, headers, example_request):
+    rw_app.config["RECORDS_PERMISSIONS_READ_ONLY"] = True
+    request_id = example_request.id
+    client = client_logged_as("[email protected]")
+    response = client.put(
+        f"/requests/{request_id}", headers=headers, data=example_request
+    )
+    assert response.status_code == 403
+
+
+def test_delete_request_ro(rw_app, client_logged_as, headers, example_request):
+    rw_app.config["RECORDS_PERMISSIONS_READ_ONLY"] = True
+    request_id = example_request.id
+    client = client_logged_as("[email protected]")
+    response = client.delete(f"/requests/{request_id}", headers=headers)
+    assert response.status_code == 403
+
+
+def test_submit_request_ro(rw_app, client_logged_as, headers, example_request):
+    rw_app.config["RECORDS_PERMISSIONS_READ_ONLY"] = True
+    request_id = example_request.id
+    client = client_logged_as("[email protected]")
+    response = client.post(f"/requests/{request_id}/actions/submit", headers=headers)
+    assert response.status_code == 403
+
+
+def test_request_actions_ro(rw_app, client_logged_as, headers, example_request):
+    request_id = example_request.id
+    client = client_logged_as("[email protected]")
+    response = client.post(f"/requests/{request_id}/actions/submit", headers=headers)
+    assert response.status_code == 200
+
+    for action in ["accept", "decline", "cancel"]:
+        rw_app.config["RECORDS_PERMISSIONS_READ_ONLY"] = True
+        response = client.post(
+            f"/requests/{request_id}/actions/{action}", headers=headers
+        )
+        assert response.status_code == 403