inveniosoftware · kpsherva · Oct 16, 2024 · Sep 16, 2024 · Sep 20, 2024 · Sep 23, 2024
diff --git a/invenio_rdm_records/config.py b/invenio_rdm_records/config.py
@@ -131,6 +131,12 @@ def always_valid(identifier):
 RDM_ALLOW_RESTRICTED_RECORDS = True
 """Allow users to set restricted/private records."""
 
+#
+# Record communities
+#
+RDM_COMMUNITY_REQUIRED_TO_PUBLISH = False
+"""Enforces at least one community per record."""
+
 #
 # Search configuration
 #

diff --git a/invenio_rdm_records/resources/config.py b/invenio_rdm_records/resources/config.py
@@ -36,6 +36,7 @@
 
 from ..services.errors import (
     AccessRequestExistsError,
+    CommunityRequiredError,
     GrantExistsError,
     InvalidAccessRestrictions,
     RecordDeletedException,
@@ -187,6 +188,7 @@ class RDMRecordResourceConfig(RecordResourceConfig, ConfiguratorMixin):
     )
 
     error_handlers = {
+        **ErrorHandlersMixin.error_handlers,
         DeserializerError: create_error_handler(
             lambda exc: HTTPJSONException(
                 code=400,
@@ -255,6 +257,12 @@ class RDMRecordResourceConfig(RecordResourceConfig, ConfiguratorMixin):
                 description=e.description,
             )
         ),
+        CommunityRequiredError: create_error_handler(
+            HTTPJSONException(
+                code=400,
+                description=_("Cannot publish without selecting a community."),
+            )
+        ),
     }
 
 

diff --git a/invenio_rdm_records/services/communities/service.py b/invenio_rdm_records/services/communities/service.py
@@ -11,10 +11,7 @@
 from flask import current_app
 from invenio_access.permissions import system_identity
 from invenio_communities.proxies import current_communities
-from invenio_drafts_resources.services.records.uow import (
-    ParentRecordCommitOp,
-    RecordCommitOp,
-)
+from invenio_drafts_resources.services.records.uow import ParentRecordCommitOp
 from invenio_i18n import lazy_gettext as _
 from invenio_notifications.services.uow import NotificationOp
 from invenio_pidstore.errors import PIDDoesNotExistError
@@ -38,6 +35,7 @@
 from ...proxies import current_rdm_records, current_rdm_records_service
 from ...requests import CommunityInclusion
 from ..errors import (
+    CannotRemoveCommunityError,
     CommunityAlreadyExists,
     InvalidAccessRestrictions,
     OpenRequestAlreadyExists,
@@ -205,10 +203,20 @@ def _remove(self, identity, community_id, record):
         if community_id not in record.parent.communities.ids:
             raise RecordCommunityMissing(record.id, community_id)
 
-        # check permission here, per community: curator cannot remove another community
-        self.require_permission(
-            identity, "remove_community", record=record, community_id=community_id
-        )
+        try:
+            self.require_permission(
+                identity, "remove_community", record=record, community_id=community_id
+            )
+            # By default, admin/superuser has permission to do everything, so PermissionDeniedError won't be raised for admin in any case
+        except PermissionDeniedError as exc:
+            # If permission is denied, determine which error to raise, based on config
+            community_required = current_app.config["RDM_COMMUNITY_REQUIRED_TO_PUBLISH"]
+            is_last_community = len(record.parent.communities.ids) <= 1
+            if community_required and is_last_community:
+                raise CannotRemoveCommunityError()
+            else:
+                # If the config wasn't enabled, then raise the PermissionDeniedError
+                raise exc
 
         # Default community is deleted when the exact same community is removed from the record
         record.parent.communities.remove(community_id)
@@ -233,7 +241,11 @@ def remove(self, identity, id_, data, uow):
             try:
                 self._remove(identity, community_id, record)
                 processed.append({"community": community_id})
-            except (RecordCommunityMissing, PermissionDeniedError) as ex:
+            except (
+                RecordCommunityMissing,
+                PermissionDeniedError,
+                CannotRemoveCommunityError,
+            ) as ex:
                 errors.append(
                     {
                         "community": community_id,

diff --git a/invenio_rdm_records/services/errors.py b/invenio_rdm_records/services/errors.py
@@ -205,4 +205,18 @@ def description(self):
 class RecordSubmissionClosedCommunityError(PermissionDenied):
     """Record submission policy forbids non-members from submitting records to community."""
 
-    description = "Submission to this community is only allowed to community members."
+    description = _(
+        "Submission to this community is only allowed to community members."
+    )
+
+
+class CommunityRequiredError(Exception):
+    """Error thrown when a record is being created/updated with less than 1 community."""
+
+    description = _("Cannot publish without a community.")
+
+
+class CannotRemoveCommunityError(Exception):
+    """Error thrown when the last community is being removed from the record."""
+
+    description = _("A record should be part of at least 1 community.")
diff --git a/invenio_rdm_records/services/generators.py b/invenio_rdm_records/services/generators.py
@@ -414,3 +414,19 @@ def needs(self, request=None, **kwargs):
             return [AccessRequestTokenNeed(request["payload"]["token"])]
 
         return []
+
+
+class IfOneCommunity(ConditionalGenerator):
+    """Conditional generator for records always in communities case."""
+
+    def _condition(self, record=None, **kwargs):
+        """Check if the record is associated with one community."""
+        return bool(record and len(record.parent.communities.ids) == 1)
+
+
+class IfAtLeastOneCommunity(ConditionalGenerator):
+    """Conditional generator for records always in communities case."""
+
+    def _condition(self, record=None, **kwargs):
+        """Check if the record is associated with at least one community."""
+        return bool(record and record.parent.communities.ids)
diff --git a/invenio_rdm_records/services/permissions.py b/invenio_rdm_records/services/permissions.py
@@ -30,11 +30,13 @@
     AccessGrant,
     CommunityInclusionReviewers,
     GuestAccessRequestToken,
+    IfAtLeastOneCommunity,
     IfCreate,
     IfDeleted,
     IfExternalDOIRecord,
     IfFileIsLocal,
     IfNewRecord,
+    IfOneCommunity,
     IfRecordDeleted,
     IfRequestType,
     IfRestricted,
@@ -199,7 +201,18 @@ class RDMRecordPermissionPolicy(RecordPermissionPolicy):
         ),
     ]
     # Allow publishing a new record or changes to an existing record.
-    can_publish = can_review
+    can_publish = [
+        IfConfig(
+            "RDM_COMMUNITY_REQUIRED_TO_PUBLISH",
+            then_=[
+                IfAtLeastOneCommunity(
+                    then_=can_review,
+                    else_=[Administration(), SystemProcess()],
+                ),
+            ],
+            else_=can_review,
+        )
+    ]
     # Allow lifting a record or draft.
     can_lift_embargo = can_manage
 
@@ -209,13 +222,25 @@ class RDMRecordPermissionPolicy(RecordPermissionPolicy):
     # Who can add record to a community
     can_add_community = can_manage
     # Who can remove a community from a record
-    can_remove_community = [
+    can_remove_community_ = [
         RecordOwners(),
         CommunityCurators(),
         SystemProcess(),
     ]
+    can_remove_community = [
+        IfConfig(
+            "RDM_COMMUNITY_REQUIRED_TO_PUBLISH",
+            then_=[
+                IfOneCommunity(
+                    then_=[Administration(), SystemProcess()],
+                    else_=can_remove_community_,
+                ),
+            ],
+            else_=can_remove_community_,
+        ),
+    ]
     # Who can remove records from a community
-    can_remove_record = [CommunityCurators()]
+    can_remove_record = [CommunityCurators(), Administration(), SystemProcess()]
     # Who can add records to a community in bulk
     can_bulk_add = [SystemProcess()]
 

diff --git a/invenio_rdm_records/services/services.py b/invenio_rdm_records/services/services.py
@@ -20,6 +20,7 @@
 from invenio_drafts_resources.services.records import RecordService
 from invenio_drafts_resources.services.records.uow import ParentRecordCommitOp
 from invenio_records_resources.services import LinksTemplate, ServiceSchemaWrapper
+from invenio_records_resources.services.errors import PermissionDeniedError
 from invenio_records_resources.services.uow import (
     RecordCommitOp,
     RecordIndexDeleteOp,
@@ -37,6 +38,7 @@
 
 from ..records.systemfields.deletion_status import RecordDeletionStatusEnum
 from .errors import (
+    CommunityRequiredError,
     DeletionStatusException,
     EmbargoNotLiftedError,
     RecordDeletedException,
@@ -404,6 +406,28 @@ def purge_record(self, identity, id_, uow=None):
 
         raise NotImplementedError()
 
+    @unit_of_work()
+    def publish(self, identity, id_, uow=None, expand=False):
+        """Publish a draft.
+
+        Check for permissions to publish a draft and then call invenio_drafts_resourcs.services.records.services.publish()
+        """
+        try:
+            draft = self.draft_cls.pid.resolve(id_, registered_only=False)
+            self.require_permission(identity, "publish", record=draft)
+            # By default, admin/superuser has permission to do everything, so PermissionDeniedError won't be raised for admin in any case
+        except PermissionDeniedError as exc:
+            # If user doesn't have permission to publish, determine which error to raise, based on config
+            community_required = current_app.config["RDM_COMMUNITY_REQUIRED_TO_PUBLISH"]
+            is_community_missing = len(draft.parent.communities.ids) < 1
+            if community_required and is_community_missing:
+                raise CommunityRequiredError()
+            else:
+                # If the config wasn't enabled, then raise the PermissionDeniedError
+                raise exc
+
+        return super().publish(identity, id_, uow=uow, expand=expand)
+
     #
     # Search functions
     #

diff --git a/tests/conftest.py b/tests/conftest.py
@@ -67,6 +67,7 @@
 from invenio_records_resources.proxies import current_service_registry
 from invenio_records_resources.references.entity_resolvers import ServiceResultResolver
 from invenio_records_resources.services.custom_fields import TextCF
+from invenio_records_resources.services.uow import UnitOfWork
 from invenio_requests.notifications.builders import (
     CommentRequestEventCreateNotificationBuilder,
 )
@@ -2013,20 +2014,22 @@ def create_record(
             """Creates new record that belongs to the same community."""
             # create draft
             draft = current_rdm_records_service.create(uploader.identity, record_dict)
-            # publish and get record
-            result_item = current_rdm_records_service.publish(
-                uploader.identity, draft.id
-            )
-            record = result_item._record
+            record = draft._record
             if community:
                 # add the record to the community
                 community_record = community._record
                 record.parent.communities.add(community_record, default=False)
                 record.parent.commit()
                 db.session.commit()
-                current_rdm_records_service.indexer.index(
-                    record, arguments={"refresh": True}
-                )
+
+            # publish and get record
+            result_item = current_rdm_records_service.publish(
+                uploader.identity, draft.id
+            )
+            record = result_item._record
+            current_rdm_records_service.indexer.index(
+                record, arguments={"refresh": True}
+            )
 
             return record