global: Remove access grant references
rekt-hard committed Sep 25, 2024
1 parent 29d6883 commit 5def4a1
Showing 4 changed files with 0 additions and 56 deletions.
5 changes: 0 additions & 5 deletions README.rst
Expand Up @@ -187,16 +187,11 @@ Permit the moderators to view the draft under review
----------------------------------------------------

For curation reviews to make sense, it is of course vital for the moderators to be able to view the drafts in question.
Per default, `Invenio-Curations` will create access grants for users with the moderation role as part of the curation requests.
This should work out of the box without any further configuration needed.
However, it has the downside of creating additional artifacts in the system, and users could accidentally revoke access for moderators by revoking this access grant.

If this is a deal-breaker for you, there is still the alternative of configuring the records permission policy, similar to the requests permission policy above.
`Invenio-Curations` offers two permission generators that can come in handy for this purpose: ``CurationModerators`` and ``IfCurationRequestExists``.
The former creates ``RoleNeed`` for the configured ``CURATIONS_MODERATION_ROLE``.
It is intended to be used together with the latter, which checks if an ``rdm-curation`` request exists for the given record/draft.

Because the second approach makes access grants unnecessary, their creation can be disabled by setting ``CURATIONS_PERMISSIONS_VIA_GRANTS = False``.
However, please note that overriding the permission policy for records is significantly more complex than overriding the one for requests!
In fact, it's out of scope for this README - or is it?
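
Review bot: With the grant mechanism gone, the paragraph introducing `CurationModerators` and `IfCurationRequestExists` is the only documented way for moderators to view drafts, yet the closing lines of this section still describe the record permission policy override as "significantly more complex" and "out of scope for this README". The override is now required rather than an alternative, so the section should carry a minimal policy example (or a link to one); otherwise a deployment can end up with curation requests whose drafts the moderators cannot open. Also check that the five deleted lines took "the second approach" and `CURATIONS_PERMISSIONS_VIA_GRANTS = False` with them, since that setting no longer exists.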

6 changes: 0 additions & 6 deletions invenio_curations/config.py
Expand Up @@ -31,12 +31,6 @@
}
"""Invenio requests facets."""

CURATIONS_PERMISSIONS_VIA_GRANTS = True
"""Share access to records by creating access grants for records under review.
This eliminates the requirement for overriding the record permission policy,
but introduces additional artifacts in the system for each record.
"""

CURATIONS_ALLOW_PUBLISHING_EDITS = False
"""Allow publishing of metadata edits for already published records.
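
Review bot: `CURATIONS_PERMISSIONS_VIA_GRANTS` defaulted to `True`, so dropping it at the top of this hunk changes behaviour for every instance that never set it: moderators lose the automatically created preview access and the record permission policy override becomes mandatory. An instance that still sets the variable gets no error, the value is simply ignored. Suggest a changelog or upgrade entry stating this, and consider logging a warning at extension init when the key is still present in the app config.
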
40 changes: 0 additions & 40 deletions invenio_curations/requests/curation.py
Expand Up @@ -7,11 +7,8 @@

"""Curation request type."""

from invenio_access.permissions import system_identity
from invenio_drafts_resources.services.records.uow import ParentRecordCommitOp
from invenio_i18n import lazy_gettext as _
from invenio_notifications.services.uow import NotificationOp
from invenio_rdm_records.services.errors import GrantExistsError
from invenio_requests.customizations import RequestState, RequestType, actions

from invenio_curations.notifications.builders import (
Expand All @@ -21,49 +18,12 @@
CurationRequestSubmitNotificationBuilder,
)

from ..proxies import current_curations_service


class CurationCreateAndSubmitAction(actions.CreateAndSubmitAction):
"""Create and submit a request."""

def execute(self, identity, uow):
"""Execute the create action."""
receiver = self.request.receiver.resolve()
record = self.request.topic.resolve()

# if configured, share access to the record with moderators by creating grants
# rather than requiring an override of the record permission policy
if current_curations_service.moderator_permissions_via_grants:
data = {
"grants": [
{
"permission": "preview",
"subject": {
"type": "role",
"id": str(receiver.id),
},
"origin": f"request:{self.request.id}",
}
]
}

service = self.request.topic.get_resolver().get_service()
# NOTE: we're using the system identity here to avoid the grant creation
# potentially being blocked by the requesting user's profile visibility
try:
service.access.bulk_create_grants(
system_identity, record.pid.pid_value, data
)
except GrantExistsError:
pass

uow.register(
ParentRecordCommitOp(
record.parent, indexer_context=dict(service=service)
)
)

uow.register(
NotificationOp(
CurationRequestSubmitNotificationBuilder.build(
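
Review bot: The block removed from `execute` wrote `preview` grants for the moderator role with `"origin": f"request:{self.request.id}"`, and nothing in this commit handles grants already created by earlier versions. Those grants stay on the parent records after the upgrade, so moderators keep preview access to previously submitted records regardless of what the permission policy says. Suggest an upgrade step that removes grants whose origin starts with `request:`, or a documented statement that they are intentionally left in place. If `receiver` and `record` at the top of `execute` survive the deletion, they are now unused and can be dropped as well.
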
5 changes: 0 additions & 5 deletions invenio_curations/services/service.py
Expand Up @@ -32,11 +32,6 @@ def allow_publishing_edits(self):
"""Get the configured value of ``CURATIONS_ALLOW_PUBLISHING_EDITS``."""
return current_app.config.get("CURATIONS_ALLOW_PUBLISHING_EDITS", False)

@property
def moderator_permissions_via_grants(self):
"""Get the configured value of ``CURATIONS_PERMISSIONS_VIA_GRANTS``."""
return current_app.config.get("CURATIONS_PERMISSIONS_VIA_GRANTS", True)

@property
def moderation_role_name(self):
"""Get the configured name of the ``CURATIONS_MODERATION_ROLE``."""
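
Review bot: `moderator_permissions_via_grants` is a public property of the service and is removed here without a deprecation period; any instance code or overlay that reads `current_curations_service.moderator_permissions_via_grants` will raise `AttributeError` after upgrading. Either keep a property that returns `False` and emits a deprecation warning for one release, or call the removal out as a breaking change in the release notes.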