[ENG-8290] Allow collection search POST with token scope (#11201)

antkryt · web-flow · commit 42b382901f78 · 2025-06-30T10:15:42.000-04:00
Purpose

Add scope for POST collection search
diff --git a/api/search/views.py b/api/search/views.py
@@ -656,6 +656,7 @@ class SearchCollections(BaseSearchView):
     doc_type = 'collectionSubmission'
     view_category = 'search'
     view_name = 'search-collected-metadata'
+    required_write_scopes = [CoreScopes.ADVANCED_SEARCH]
 
     @property
     def search_fields(self):
diff --git a/api_tests/search/views/test_views.py b/api_tests/search/views/test_views.py
@@ -1,8 +1,10 @@
 import pytest
 import uuid
+from unittest import mock
 
 from api.base.settings.defaults import API_BASE
 from api_tests import utils
+from framework.auth.cas import CasResponse
 from framework.auth.core import Auth
 from osf.models import RegistrationSchema
 from osf_tests.factories import (
@@ -1025,3 +1027,24 @@ def test_POST_search_collections_disease_data_type(
         assert res.status_code == 200
         assert res.json['links']['meta']['total'] == 2
         assert len(res.json['data']) == 2
+
+    def test_POST_search_collections_scope(self, app, url_collection_search, user):
+        payload = self.post_payload(q='Collection')
+
+        token_invalid = CasResponse(
+            authenticated=True,
+            user=user._id,
+            attributes={'accessTokenScope': ['osf.full_read']}
+        )
+        with mock.patch('framework.auth.cas.CasClient.profile', return_value=token_invalid):
+            res = app.post_json_api(url_collection_search, payload, auth='some-invalid-token', expect_errors=True, auth_type='jwt')
+            assert res.status_code == 403
+
+        token_valid = CasResponse(
+            authenticated=True,
+            user=user._id,
+            attributes={'accessTokenScope': ['osf.full_read', 'osf.full_write']}
+        )
+        with mock.patch('framework.auth.cas.CasClient.profile', return_value=token_valid):
+            res = app.post_json_api(url_collection_search, payload, auth='some-valid-token', auth_type='jwt')
+            assert res.status_code == 200
diff --git a/framework/auth/oauth_scopes.py b/framework/auth/oauth_scopes.py
@@ -210,6 +210,8 @@ class CoreScopes:
     READ_COLLECTION_SUBMISSION = 'read_collection_submission'
     WRITE_COLLECTION_SUBMISSION = 'write_collection_submission'
 
+    ADVANCED_SEARCH = 'advanced_search'
+
 
 class ComposedScopes:
     """
@@ -370,7 +372,8 @@ class ComposedScopes:
                      CoreScopes.CEDAR_METADATA_RECORD_WRITE,
                      CoreScopes.WRITE_COLLECTION_SUBMISSION_ACTION,
                      CoreScopes.WRITE_COLLECTION_SUBMISSION,
-                     CoreScopes.USERS_MESSAGE_WRITE_EMAIL
+                     CoreScopes.USERS_MESSAGE_WRITE_EMAIL,
+                     CoreScopes.ADVANCED_SEARCH
                  )
 
     # Admin permissions- includes functionality not intended for third-party use
