From 2d5c10648e4309f8eb7f89beb2851d5e75586fd5 Mon Sep 17 00:00:00 2001
From: David Eckhard
Date: Wed, 25 Sep 2024 11:24:49 +0200
Subject: [PATCH] global: Remove access grant references
---
 README.rst | 5 ----
 invenio_curations/config.py | 6 ----
 invenio_curations/requests/curation.py | 40 --------------------------
 invenio_curations/services/service.py | 5 ----
 4 files changed, 56 deletions(-)
diff --git a/README.rst b/README.rst
index ee4d4a5..be1cc46 100644
--- a/README.rst
+++ b/README.rst
@@ -187,16 +187,11 @@ Permit the moderators to view the draft under review
 ----------------------------------------------------
 For curation reviews to make sense, it is of course vital for the moderators to be able to view the drafts in question.
-Per default, `Invenio-Curations` will create access grants for users with the moderation role as part of the curation requests.
-This should work out of the box without any further configuration needed.
-However, it has the downside of creating additional artifacts in the system, and users could accidentally revoke access for moderators by revoking this access grant.
-If this is a deal-breaker for you, there is still the alternative of configuring the records permission policy, similar to the requests permission policy above.
 `Invenio-Curations` offers two permission generators that can come in handy for this purpose: ``CurationModerators`` and ``IfCurationRequestExists``.
 The former creates ``RoleNeed`` for the configured ``CURATIONS_MODERATION_ROLE``.
 It is intended to be used together with the latter, which checks if an ``rdm-curation`` request exists for the given record/draft.
-Because the second approach makes access grants unnecessary, their creation can be disabled by setting ``CURATIONS_PERMISSIONS_VIA_GRANTS = False``.
 However, please note that overriding the permission policy for records is significantly more complex than overriding the one for requests!
 In fact, it's out of scope for this README - or is it?
diff --git a/invenio_curations/config.py b/invenio_curations/config.py
index 52a55b3..beaccdd 100644
--- a/invenio_curations/config.py
+++ b/invenio_curations/config.py
@@ -32,12 +32,6 @@
 }
 """Invenio requests facets."""
-CURATIONS_PERMISSIONS_VIA_GRANTS = True
-"""Share access to records by creating access grants for records under review.
-
-This eliminates the requirement for overriding the record permission policy,
-but introduces additional artifacts in the system for each record.
-"""
 CURATIONS_ALLOW_PUBLISHING_EDITS = False
 """Allow publishing of metadata edits for already published records.
diff --git a/invenio_curations/requests/curation.py b/invenio_curations/requests/curation.py
index fcc35dd..d303d26 100644
--- a/invenio_curations/requests/curation.py
+++ b/invenio_curations/requests/curation.py
@@ -7,11 +7,8 @@
 """Curation request type."""
-from invenio_access.permissions import system_identity
-from invenio_drafts_resources.services.records.uow import ParentRecordCommitOp
 from invenio_i18n import lazy_gettext as _
 from invenio_notifications.services.uow import NotificationOp
-from invenio_rdm_records.services.errors import GrantExistsError
 from invenio_requests.customizations import RequestState, RequestType, actions
 from invenio_curations.notifications.builders import (
@@ -22,49 +19,12 @@
 CurationRequestSubmitNotificationBuilder,
 )
-from ..proxies import current_curations_service
-
 class CurationCreateAndSubmitAction(actions.CreateAndSubmitAction):
 """Create and submit a request."""
 def execute(self, identity, uow):
 """Execute the create & submit action."""
- receiver = self.request.receiver.resolve()
- record = self.request.topic.resolve()
-
- # if configured, share access to the record with moderators by creating grants
- # rather than requiring an override of the record permission policy
- if current_curations_service.moderator_permissions_via_grants:
- data = {
- "grants": [
- {
- "permission": "preview",
- "subject": {
- "type": "role",
- "id": str(receiver.id),
- },
- "origin": f"request:{self.request.id}",
- }
- ]
- }
-
- service = self.request.topic.get_resolver().get_service()
- # NOTE: we're using the system identity here to avoid the grant creation
- # potentially being blocked by the requesting user's profile visibility
- try:
- service.access.bulk_create_grants(
- system_identity, record.pid.pid_value, data
- )
- except GrantExistsError:
- pass
-
- uow.register(
- ParentRecordCommitOp(
- record.parent, indexer_context=dict(service=service)
- )
- )
-
 uow.register(
 NotificationOp(
 CurationRequestSubmitNotificationBuilder.build(
diff --git a/invenio_curations/services/service.py b/invenio_curations/services/service.py
index d38fa19..9180b46 100644
--- a/invenio_curations/services/service.py
+++ b/invenio_curations/services/service.py
@@ -32,11 +32,6 @@ def allow_publishing_edits(self):
 """Get the configured value of ``CURATIONS_ALLOW_PUBLISHING_EDITS``."""
 return current_app.config.get("CURATIONS_ALLOW_PUBLISHING_EDITS", False)
- @property
- def moderator_permissions_via_grants(self):
- """Get the configured value of ``CURATIONS_PERMISSIONS_VIA_GRANTS``."""
- return current_app.config.get("CURATIONS_PERMISSIONS_VIA_GRANTS", True)
-
 @property
 def moderation_role_name(self):
 """Get the configured name of the ``CURATIONS_MODERATION_ROLE``."""