arxiv.users.auth.scopes module¶
Authorization scopes for arXiv users and clients.
The concept of authorization scope comes from OAuth 2.0 (RFC 6749 §3.3). For a nice primer, see this blog post. The basic idea is that the authorization associated with an access token can be limited, e.g. to limit what actions an API client can take on behalf of a user.
In this package, the scope concept is applied to both API client and end-user sessions. When the session is created, we consult the relevant bits of data in our system (e.g. what roles the user has, what privileges are associated with those roles) to determine what the user is authorized to do. Those privileges are attached to the user’s session as authorization scopes.
This module simply defines a set of constants (str) that can be used to refer
to specific authorization scopes. Rather than refer to scopes by writing new
str objects, these constants should be imported and used. This improves the
semantics of code, and reduces the risk of programming errors. For an example,
see arxiv.users.auth.decorators.
-
arxiv.users.auth.scopes.CREATE_SUBMISSION= submission:created¶ Authorizes creating a new submission.
-
arxiv.users.auth.scopes.EDIT_PROFILE= profile:update¶ Authorizes editing user profile.
This includes things like affiliation, full name, etc..
-
arxiv.users.auth.scopes.EDIT_SUBMISSION= submission:update¶ Authorizes updating a submission that has not yet been announced.
-
arxiv.users.auth.scopes.PROXY_SUBMISSION= submission:proxy¶ Authorizes creating a submission on behalf of another user.
This authorization is specifically for human users submitting on behalf of other human users. For client authorization to submit on behalf of a user, <code>submission:create</code> should be used instead.
-
arxiv.users.auth.scopes.READ_PUBLIC= public:read¶ Authorizes access to public endpoints.
This is implicitly granted to all anonymous users. For endpoints requiring authentication (e.g. APIs) this scope can be used to denote baseline read access for clients.
-
arxiv.users.auth.scopes.READ_UPLOAD= upload:read¶ Authorizes viewing the content of an upload workspace.
-
arxiv.users.auth.scopes.RELEASE_UPLOAD= upload:release¶ Authorizes releasing an upload workspace.
-
arxiv.users.auth.scopes.VIEW_PROFILE= profile:read¶ Authorizes viewing the content of a user profile.
This includes things like affiliation, full name, and e-mail address.
-
arxiv.users.auth.scopes.VIEW_SUBMISSION= submission:read¶ Authorizes viewing a submission.
-
arxiv.users.auth.scopes.WRITE_UPLOAD= upload:update¶ Authorizes uploading files to to a workspace.