permissions: Add rdm curation permission policy example

invenio_curations/services/config.py

@@ -15,7 +15,7 @@
 
 from invenio_curations.services import facets
 
-from .permissions import CurationPermissionPolicy
+from .permissions import CurationRDMRequestPermissionPolicy
 
 
 class CurationsSearchOptions(RequestSearchOptions):
@@ -43,7 +43,7 @@ class CurationsServiceConfig(RecordServiceConfig, ConfiguratorMixin):
 
     # common configuration
     permission_policy_cls = FromConfig(
-        "REQUESTS_PERMISSION_POLICY", default=CurationPermissionPolicy
+        "REQUESTS_PERMISSION_POLICY", default=CurationRDMRequestPermissionPolicy
     )
     # TODO: update search options?
     search = CurationsSearchOptions

invenio_curations/services/permissions.py

@@ -8,14 +8,71 @@
 
 """Curations permissions."""
 
+from invenio_rdm_records.services.generators import IfFileIsLocal
+from invenio_rdm_records.services.permissions import RDMRecordPermissionPolicy
+from invenio_records_permissions.generators import SystemProcess
 from invenio_requests.services.generators import Creator, Receiver, Status
 from invenio_requests.services.permissions import (
     PermissionPolicy as RequestPermissionPolicy,
 )
 
+from invenio_curations.services.generators import (
+    CurationModerators,
+    IfCurationRequestExists,
+)
+
+
+class CurationRDMRecordPermissionPolicy(RDMRecordPermissionPolicy):
+    """RDM record policy for curations."""
+
+    can_preview = RDMRecordPermissionPolicy.can_preview + [
+        IfCurationRequestExists(then_=[CurationModerators()], else_=[])
+    ]
+    can_view = RDMRecordPermissionPolicy.can_view + [
+        IfCurationRequestExists(then_=[CurationModerators()], else_=[])
+    ]
+    can_read = RDMRecordPermissionPolicy.can_read + [
+        IfCurationRequestExists(then_=[CurationModerators()], else_=[])
+    ]
+    can_read_files = RDMRecordPermissionPolicy.can_read_files + [
+        IfCurationRequestExists(then_=[CurationModerators()], else_=[])
+    ]
+
+    # in order to get all base permissions in, we just add ours instead of adapting the then_ clause of the base permission
+    can_get_content_files = RDMRecordPermissionPolicy.can_get_content_files + [
+        IfFileIsLocal(then_=can_read_files, else_=[SystemProcess()])
+    ]
+
+    can_read_draft = RDMRecordPermissionPolicy.can_read_draft + [
+        IfCurationRequestExists(then_=[CurationModerators()], else_=[])
+    ]
+    can_draft_read_files = RDMRecordPermissionPolicy.can_draft_read_files + [
+        IfCurationRequestExists(then_=[CurationModerators()], else_=[])
+    ]
+
+    # in order to get all base permissions in, we just add ours instead of adapting the then_ clause of the base permission
+    can_draft_get_content_files = (
+        RDMRecordPermissionPolicy.can_draft_get_content_files
+        + [IfFileIsLocal(then_=can_draft_read_files, else_=[SystemProcess()])]
+    )
+
+    # in order to get all base permissions in, we just add ours instead of adapting the then_ clause of the base permission
+    can_draft_media_get_content_files = (
+        RDMRecordPermissionPolicy.can_draft_media_get_content_files
+        + [IfFileIsLocal(then_=can_preview, else_=[SystemProcess()])]
+    )
+
+    can_media_read_files = RDMRecordPermissionPolicy.can_media_read_files + [
+        IfCurationRequestExists(then_=[CurationModerators()], else_=[])
+    ]
+    can_media_get_content_files = (
+        RDMRecordPermissionPolicy.can_media_get_content_files
+        + [IfFileIsLocal(then_=can_read, else_=[SystemProcess()])]
+    )
+
 
-class CurationPermissionPolicy(RequestPermissionPolicy):
-    """Permission policy for curations."""
+class CurationRDMRequestPermissionPolicy(RequestPermissionPolicy):
+    """Request permission policy for curations."""
 
     can_read = RequestPermissionPolicy.can_read + [
         Status(