generators: fix AdmiAction permission check

[egabancho]

• Checking permissions using action.value can lead to undesired situations, changing to use Permission.allow instead.

Example

from invenio_access.permissions import Permission
from invenio_access.utils import get_identity
from invenio_accounts.proxies import current_datastore
from invenio_users_resources.permissions import user_management_action
from invenio_records_permissions.generators import AdminAction

user = current_datastore.get_user_by_id(4)
identity = get_identity(user)
identity.provides
# {Need(method='id', value=4), Need(method='role', value='administration')}

admin_user = AdminAction(user_management_action)
admin_user.needs()
# [Need(method='action', value='administration-moderation')]

for need in identity.provides:
    if need.value == admin_user.action.value:
        print("Match!")
# Doesn't match

Permission(admin_user.action)
# <Permission needs={Need(method='role', value='administration'), Need(method='id', value=1), Need(method='role', value='admin')} excludes=set()>
Permission(admin_user.action).allows(identity)
# True

# Differnt user
user = current_datastore.get_user_by_id(2)
identity = get_identity(user)
identity.provides
# {Need(method='id', value=2)}

Permission(admin_user.action).allows(identity)
# False

Permission issue

If there is a group/role named as the action, administration-moderation, with no permissions associated with it. It will grant access.

user = current_datastore.get_user_by_id(2)
identity = get_identity(user)
identity.provides
#{Need(method='id', value=2), Need(method='role', value='administration-moderation')}

for need in identity.provides:
    if need.value == admin_user.action.value:
        print("Match!")
# Match!