inveniosoftware · kpsherva · Oct 16, 2024 · Sep 16, 2024 · Sep 20, 2024 · Sep 23, 2024
diff --git a/invenio_rdm_records/config.py b/invenio_rdm_records/config.py
@@ -131,6 +131,12 @@ def always_valid(identifier):
 RDM_ALLOW_RESTRICTED_RECORDS = True
 """Allow users to set restricted/private records."""
 
+#
+# Record communities
+#
+RDM_RECORD_ALWAYS_IN_COMMUNITY = False
+"""Enforces at least one community per record."""
+
 #
 # Search configuration
 #

diff --git a/invenio_rdm_records/resources/config.py b/invenio_rdm_records/resources/config.py
@@ -36,6 +36,7 @@
 
 from ..services.errors import (
     AccessRequestExistsError,
+    CommunityNotSelectedError,
     GrantExistsError,
     InvalidAccessRestrictions,
     RecordDeletedException,
@@ -187,6 +188,7 @@ class RDMRecordResourceConfig(RecordResourceConfig, ConfiguratorMixin):
     )
 
     error_handlers = {
+        **ErrorHandlersMixin.error_handlers,
         DeserializerError: create_error_handler(
             lambda exc: HTTPJSONException(
                 code=400,
@@ -255,6 +257,12 @@ class RDMRecordResourceConfig(RecordResourceConfig, ConfiguratorMixin):
                 description=e.description,
             )
         ),
+        CommunityNotSelectedError: create_error_handler(
+            HTTPJSONException(
+                code=400,
+                description="Cannot publish without selecting a community.",
+            )
+        ),
     }
 
 

diff --git a/invenio_rdm_records/services/communities/service.py b/invenio_rdm_records/services/communities/service.py
@@ -11,10 +11,7 @@
 from flask import current_app
 from invenio_access.permissions import system_identity
 from invenio_communities.proxies import current_communities
-from invenio_drafts_resources.services.records.uow import (
-    ParentRecordCommitOp,
-    RecordCommitOp,
-)
+from invenio_drafts_resources.services.records.uow import ParentRecordCommitOp
 from invenio_i18n import lazy_gettext as _
 from invenio_notifications.services.uow import NotificationOp
 from invenio_pidstore.errors import PIDDoesNotExistError
@@ -38,6 +35,7 @@
 from ...proxies import current_rdm_records, current_rdm_records_service
 from ...requests import CommunityInclusion
 from ..errors import (
+    CannotRemoveCommunityError,
     CommunityAlreadyExists,
     InvalidAccessRestrictions,
     OpenRequestAlreadyExists,
@@ -205,10 +203,22 @@ def _remove(self, identity, community_id, record):
         if community_id not in record.parent.communities.ids:
             raise RecordCommunityMissing(record.id, community_id)
 
-        # check permission here, per community: curator cannot remove another community
-        self.require_permission(
+        # If config is true and there is only 1 communities left to remove
+        is_community_required = current_app.config["RDM_RECORD_ALWAYS_IN_COMMUNITY"]
+        is_last_community = len(record.parent.communities.ids) == 1
+        # Then, check for permissions to remove last community
+        can_remove_last_community = self.check_permission(
             identity, "remove_community", record=record, community_id=community_id
         )
+        if (
+            is_community_required
+            and is_last_community
+            and not can_remove_last_community
+        ):
+            raise CannotRemoveCommunityError()
+        # check permission here, per community: curator cannot remove another community
+        elif not can_remove_last_community:
+            raise PermissionDeniedError("remove_community")
 
         # Default community is deleted when the exact same community is removed from the record
         record.parent.communities.remove(community_id)
@@ -233,7 +243,11 @@ def remove(self, identity, id_, data, uow):
             try:
                 self._remove(identity, community_id, record)
                 processed.append({"community": community_id})
-            except (RecordCommunityMissing, PermissionDeniedError) as ex:
+            except (
+                RecordCommunityMissing,
+                PermissionDeniedError,
+                CannotRemoveCommunityError,
+            ) as ex:
                 errors.append(
                     {
                         "community": community_id,

diff --git a/invenio_rdm_records/services/errors.py b/invenio_rdm_records/services/errors.py
@@ -206,3 +206,15 @@ class RecordSubmissionClosedCommunityError(PermissionDenied):
     """Record submission policy forbids non-members from submitting records to community."""
 
     description = "Submission to this community is only allowed to community members."
+
+
+class CommunityNotSelectedError(Exception):
+    """Error thrown when a record is being created/updated with less than 1 community."""
+
+    description = "Cannot publish without selecting a community."
+
+
+class CannotRemoveCommunityError(Exception):
+    """Error thrown when the last community is being removed from the record."""
+
+    description = "Cannot remove. A record should be part of atleast 1 community."
diff --git a/invenio_rdm_records/services/generators.py b/invenio_rdm_records/services/generators.py
@@ -414,3 +414,25 @@ def needs(self, request=None, **kwargs):
             return [AccessRequestTokenNeed(request["payload"]["token"])]
 
         return []
+
+
+class IfOneCommunity(ConditionalGenerator):
+    """Conditional generator for records always in communities case."""
+
+    def _condition(self, record=None, **kwargs):
+        """Check if the record is associated with zero or one community."""
+        if record is None:
+            return True
+        rec_communities = record.parent.communities.ids
+        return len(rec_communities) == 1
+
+
+class IfAtleastOneCommunity(ConditionalGenerator):
+    """Conditional generator for records always in communities case."""
+
+    def _condition(self, record=None, **kwargs):
+        """Check if the record is associated with zero or one community."""
+        if record is None:
+            return True
+        rec_communities = record.parent.communities.ids
+        return len(rec_communities) > 0
diff --git a/invenio_rdm_records/services/permissions.py b/invenio_rdm_records/services/permissions.py
@@ -30,11 +30,13 @@
     AccessGrant,
     CommunityInclusionReviewers,
     GuestAccessRequestToken,
+    IfAtleastOneCommunity,
     IfCreate,
     IfDeleted,
     IfExternalDOIRecord,
     IfFileIsLocal,
     IfNewRecord,
+    IfOneCommunity,
     IfRecordDeleted,
     IfRequestType,
     IfRestricted,
@@ -199,7 +201,17 @@ class RDMRecordPermissionPolicy(RecordPermissionPolicy):
         ),
     ]
     # Allow publishing a new record or changes to an existing record.
-    can_publish = can_review
+    can_publish = [
+        IfConfig(
+            "RDM_RECORD_ALWAYS_IN_COMMUNITY",
+            then_=[
+                IfAtleastOneCommunity(
+                    then_=can_review, else_=[Administration(), SystemProcess()]
+                )
+            ],
+            else_=can_review,
+        )
+    ]
     # Allow lifting a record or draft.
     can_lift_embargo = can_manage
 
@@ -209,11 +221,23 @@ class RDMRecordPermissionPolicy(RecordPermissionPolicy):
     # Who can add record to a community
     can_add_community = can_manage
     # Who can remove a community from a record
-    can_remove_community = [
+    can_remove_community_ = [
         RecordOwners(),
         CommunityCurators(),
         SystemProcess(),
     ]
+    can_remove_community = [
+        IfConfig(
+            "RDM_RECORD_ALWAYS_IN_COMMUNITY",
+            then_=[
+                IfOneCommunity(
+                    then_=[Administration(), SystemProcess()],
+                    else_=can_remove_community_,
+                )
+            ],
+            else_=can_remove_community_,
+        )
+    ]
     # Who can remove records from a community
     can_remove_record = [CommunityCurators()]
     # Who can add records to a community in bulk

diff --git a/invenio_rdm_records/services/services.py b/invenio_rdm_records/services/services.py
@@ -20,6 +20,7 @@
 from invenio_drafts_resources.services.records import RecordService
 from invenio_drafts_resources.services.records.uow import ParentRecordCommitOp
 from invenio_records_resources.services import LinksTemplate, ServiceSchemaWrapper
+from invenio_records_resources.services.errors import PermissionDeniedError
 from invenio_records_resources.services.uow import (
     RecordCommitOp,
     RecordIndexDeleteOp,
@@ -37,6 +38,7 @@
 
 from ..records.systemfields.deletion_status import RecordDeletionStatusEnum
 from .errors import (
+    CommunityNotSelectedError,
     DeletionStatusException,
     EmbargoNotLiftedError,
     RecordDeletedException,
@@ -404,6 +406,28 @@ def purge_record(self, identity, id_, uow=None):
 
         raise NotImplementedError()
 
+    @unit_of_work()
+    def publish(self, identity, id_, uow=None, expand=False):
+        """Publish a draft.
+
+        Check for permissions to publish a draft and then call invenio_drafts_resourcs.services.records.services.publish()
+        """
+        # Get the draft
+        draft = self.draft_cls.pid.resolve(id_, registered_only=False)
+
+        # If config is true and there are no communities selected
+        is_community_required = current_app.config["RDM_RECORD_ALWAYS_IN_COMMUNITY"]
+        is_community_missing = len(draft.parent.communities.ids) == 0
+        # Then, check for permissions to upload without community
+        if (
+            is_community_required
+            and is_community_missing
+            and not self.check_permission(identity, "publish", record=draft)
+        ):
+            raise CommunityNotSelectedError()
+
+        return super().publish(identity, id_, uow=uow, expand=expand)
+
     #
     # Search functions
     #

diff --git a/tests/conftest.py b/tests/conftest.py
@@ -67,6 +67,7 @@
 from invenio_records_resources.proxies import current_service_registry
 from invenio_records_resources.references.entity_resolvers import ServiceResultResolver
 from invenio_records_resources.services.custom_fields import TextCF
+from invenio_records_resources.services.uow import UnitOfWork
 from invenio_requests.notifications.builders import (
     CommentRequestEventCreateNotificationBuilder,
 )
@@ -2080,6 +2081,41 @@ def create_record(
     return RecordFactory()
 
 
+@pytest.fixture()
+def record_required_community(db, uploader, minimal_record, community):
+    """Creates a record that belongs to a community before publishing."""
+
+    class Record:
+        """Test record class."""
+
+        def create_record(
+            self,
+            record_dict=minimal_record,
+            uploader=uploader,
+            community=community,
+        ):
+            """Creates new record that belongs to the same community."""
+            # create draft
+            draft = current_rdm_records_service.create(uploader.identity, record_dict)
+            record = draft._record
+            # add the record to the community
+            community_record = community._record
+            record.parent.communities.add(community_record, default=False)
+            record.parent.commit()
+            db.session.commit()
+            current_rdm_records_service.indexer.index(
+                record, arguments={"refresh": True}
+            )
+
+            # publish and get record
+            community_record = current_rdm_records_service.publish(
+                uploader.identity, draft.id
+            )
+            return community_record
+
+    return Record()
+
+
 @pytest.fixture(scope="session")
 def headers():
     """Default headers for making requests."""