arxiv.users.auth.scopes module

Authorization scopes for arXiv users and clients.

The concept of authorization scope comes from OAuth 2.0 (RFC 6749 §3.3). For a nice primer, see this blog post. The basic idea is that the authorization associated with an access token can be limited, e.g. to limit what actions an API client can take on behalf of a user.

In this package, the scope concept is applied to both API client and end-user sessions. When the session is created, we consult the relevant bits of data in our system (e.g. what roles the user has, what privileges are associated with those roles) to determine what the user is authorized to do. Those privileges are attached to the user’s session as authorization scopes.

This module simply defines a set of constants (str) that can be used to refer to specific authorization scopes. Rather than refer to scopes by writing new str objects, these constants should be imported and used. This improves the semantics of code and reduces the risk of programming errors: a misspelled scope literal is still a valid str, so it fails only at runtime, as an unexpected denial (or, on the granting side, a scope that nothing ever matches), whereas a misspelled constant name fails immediately at import. For an example, see arxiv.users.auth.decorators.
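The following is an added example, not code from arxiv.users.auth: it shows how a session's scopes can be derived from roles (with public:read implicitly granted to everyone, including anonymous sessions) and how a decorator can gate an endpoint on the scope constants. The role-to-scope mapping, the Session and Forbidden classes, and the scoped decorator are assumptions for illustration; only the scope strings themselves are taken from this page's listing. The decorator also rejects unknown scope strings at decoration time, which is the fail-fast behaviour the paragraph above motivates.

```python
"""Added example: role-derived session scopes and a scope-gated endpoint.

This is illustrative code, not the arxiv.users.auth implementation.
"""
from functools import wraps
from typing import Callable, FrozenSet, Iterable, Optional

# Scope strings as listed on this page (values only; the real module
# exposes them as constants).
READ_PUBLIC = "public:read"
CREATE_SUBMISSION = "submission:create"
EDIT_SUBMISSION = "submission:update"
VIEW_SUBMISSION = "submission:read"
PROXY_SUBMISSION = "submission:proxy"
VIEW_PROFILE = "profile:read"
EDIT_PROFILE = "profile:update"
READ_UPLOAD = "upload:read"
WRITE_UPLOAD = "upload:update"
RELEASE_UPLOAD = "upload:release"

KNOWN_SCOPES: FrozenSet[str] = frozenset({
    READ_PUBLIC, CREATE_SUBMISSION, EDIT_SUBMISSION, VIEW_SUBMISSION,
    PROXY_SUBMISSION, VIEW_PROFILE, EDIT_PROFILE, READ_UPLOAD,
    WRITE_UPLOAD, RELEASE_UPLOAD,
})

# Hypothetical role -> scope mapping (an assumption for this example;
# arXiv's real role data lives in its user database, not here).
ROLE_SCOPES = {
    "submitter": frozenset({
        CREATE_SUBMISSION, EDIT_SUBMISSION, VIEW_SUBMISSION,
        VIEW_PROFILE, EDIT_PROFILE, READ_UPLOAD, WRITE_UPLOAD, RELEASE_UPLOAD,
    }),
    "proxy_submitter": frozenset({PROXY_SUBMISSION, VIEW_SUBMISSION}),
}


class Forbidden(Exception):
    """Raised when a session lacks a required scope (hypothetical)."""


def scopes_for_roles(roles: Iterable[str]) -> FrozenSet[str]:
    """Compute session scopes from roles; public:read is implicit for all."""
    scopes = {READ_PUBLIC}
    for role in roles:
        # Unknown roles grant nothing: deny by default.
        scopes |= ROLE_SCOPES.get(role, frozenset())
    return frozenset(scopes)


class Session:
    """Minimal stand-in for a user or anonymous session (hypothetical)."""

    def __init__(self, user_id: Optional[str] = None, roles: Iterable[str] = ()):
        self.user_id = user_id
        self.scopes = scopes_for_roles(roles)


def scoped(*required: str) -> Callable:
    """Require every listed scope on the session passed as first argument.

    Unknown scope strings are rejected when the decorator is applied, so a
    typo in a scope literal breaks at import time rather than at request time.
    """
    unknown = set(required) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")

    def decorator(func: Callable) -> Callable:
        @wraps(func)
        def wrapper(session: Session, *args, **kwargs):
            missing = set(required) - session.scopes
            if missing:
                raise Forbidden(f"missing scope(s): {sorted(missing)}")
            return func(session, *args, **kwargs)
        return wrapper
    return decorator


@scoped(READ_PUBLIC)
def list_public(session: Session) -> list:
    """Anonymous sessions reach this: public:read is implicit."""
    return ["public item"]


@scoped(CREATE_SUBMISSION)
def create_submission(session: Session, title: str) -> dict:
    return {"owner": session.user_id, "title": title}


@scoped(PROXY_SUBMISSION, VIEW_SUBMISSION)
def proxy_submission(session: Session, on_behalf_of: str) -> dict:
    return {"proxy": session.user_id, "owner": on_behalf_of}
```

In a real deployment the session and its scopes come from the authenticated token or cookie, not from constructor arguments; the point of the example is that endpoints name scopes only through the constants, and that an empty or unknown role set yields nothing beyond public:read.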

arxiv.users.auth.scopes.CREATE_SUBMISSION = submission:create

Authorizes creating a new submission.

arxiv.users.auth.scopes.EDIT_PROFILE = profile:update

Authorizes editing user profile.

This includes things like affiliation, full name, etc..

arxiv.users.auth.scopes.EDIT_SUBMISSION = submission:update

Authorizes updating a submission that has not yet been announced.

arxiv.users.auth.scopes.PROXY_SUBMISSION = submission:proxy

Authorizes creating a submission on behalf of another user.

This authorization is specifically for human users submitting on behalf of other human users. For client authorization to submit on behalf of a user, submission:create (CREATE_SUBMISSION) should be used instead.

arxiv.users.auth.scopes.READ_PUBLIC = public:read

Authorizes access to public endpoints.

This is implicitly granted to all anonymous users. For endpoints requiring authentication (e.g. APIs) this scope can be used to denote baseline read access for clients.

arxiv.users.auth.scopes.READ_UPLOAD = upload:read

Authorizes viewing the content of an upload workspace.

arxiv.users.auth.scopes.RELEASE_UPLOAD = upload:release

Authorizes releasing an upload workspace.

arxiv.users.auth.scopes.VIEW_PROFILE = profile:read

Authorizes viewing the content of a user profile.

This includes things like affiliation, full name, and e-mail address.

arxiv.users.auth.scopes.VIEW_SUBMISSION = submission:read

Authorizes viewing a submission.

arxiv.users.auth.scopes.WRITE_UPLOAD = upload:update

Authorizes uploading files to a workspace.

arxiv.users.auth.scopes.get_human_label(scope)

Get the human-readable label for a scope, for display to end users.

Return type: Optional[str] (None if the scope has no label)