generators: fix permission check using Permission

invenio_users_resources/services/generators.py

@@ -3,16 +3,16 @@
 # Copyright (C) 2022 TU Wien.
 # Copyright (C) 2022 CERN.
 # Copyright (C) 2023 Graz University of Technology.
+# Copyright (C) 2025 Ubiquity Press.
 #
 # Invenio-Users-Resources is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
 # details.
 
 """Permission generators for users and groups."""
 
-
 from flask import current_app
-from invenio_access.permissions import any_user
+from invenio_access import Permission, any_user
 from invenio_records.dictutils import dict_lookup
 from invenio_records_permissions.generators import (
     ConditionalGenerator,
@@ -112,17 +112,14 @@ def _condition(self, record, **kwargs):
 
     def query_filter(self, **kwargs):
         """Filters for queries."""
-        q_all = dsl.Q("match_all")
         q_not_managed = dsl.Q("match", **{self._field_name: False})
         then_query = self._make_query(self.then_, **kwargs)
         else_query = self._make_query(self.else_, **kwargs)
-
         identity = kwargs.get("identity", None)
-
         if identity:
-            for need in self.needs(**kwargs):
-                if need in identity.provides:
-                    return q_all & else_query
+            permission = Permission(*self.needs(**kwargs))
+            if permission.allows(identity):
+                return else_query
 
         return q_not_managed & then_query
 

tests/conftest.py

@@ -116,8 +116,13 @@ def user_moderator(UserFixture, app, database, users):
     action_name = user_management_action.value
     moderator = users["user_moderator"]
 
-    role = Role(name=action_name)
-    database.session.add(role)
+    role = current_datastore.create_role(
+        id=action_name,
+        name=action_name,
+        description="user_management_action group",
+        is_managed=True,
+    )
+    moderator.roles = [role]
 
     action_role = ActionRoles.create(action=user_management_action, role=role)
     database.session.add(action_role)

tests/services/test_generators.py

@@ -0,0 +1,33 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2025 Ubiquity Press.
+#
+# Invenio-Users-Resources is free software; you can redistribute it and/or
+# modify it under the terms of the MIT License; see LICENSE file for more
+# details.
+
+"""Permission generators tests."""
+
+from invenio_access.utils import get_identity
+from invenio_records_permissions.generators import AuthenticatedUser
+
+from invenio_users_resources.permissions import user_management_action
+from invenio_users_resources.services.generators import IfGroupNotManaged
+from invenio_users_resources.services.permissions import UserManager
+
+
+def test_group_not_managed_generator(app, user_pub, user_moderator):
+    """Test IfGroupNotManaged generator."""
+
+    permission = IfGroupNotManaged([AuthenticatedUser()], [UserManager])
+
+    assert permission.needs() == {user_management_action}
+    assert permission.needs(record={"is_managed": True}) == {user_management_action}
+
+    identity = get_identity(user_pub)
+    query = permission.query_filter(identity=identity)
+    assert query.to_dict() == {"match": {"is_managed": False}}
+
+    identity = get_identity(user_moderator)
+    query = permission.query_filter(identity=identity)
+    assert query.to_dict() == {"match_all": {}}