From ef012567118dc6e09c4dbc2709af099dc6bcfd3e Mon Sep 17 00:00:00 2001
From: David Eckhard
Date: Wed, 25 Sep 2024 11:20:39 +0200
Subject: [PATCH] permissions: Add rdm curation permission policy example
---
 invenio_curations/services/config.py | 4 +-
 invenio_curations/services/permissions.py | 61 ++++++++++++++++++++++-
 2 files changed, 61 insertions(+), 4 deletions(-)
diff --git a/invenio_curations/services/config.py b/invenio_curations/services/config.py
index 5ab9499..2a30e20 100644
--- a/invenio_curations/services/config.py
+++ b/invenio_curations/services/config.py
@@ -15,7 +15,7 @@
 from invenio_curations.services import facets
-from .permissions import CurationPermissionPolicy
+from .permissions import CurationRDMRequestPermissionPolicy
 class CurationsSearchOptions(RequestSearchOptions):
@@ -43,7 +43,7 @@ class CurationsServiceConfig(RecordServiceConfig, ConfiguratorMixin):
 # common configuration
 permission_policy_cls = FromConfig(
- "REQUESTS_PERMISSION_POLICY", default=CurationPermissionPolicy
+ "REQUESTS_PERMISSION_POLICY", default=CurationRDMRequestPermissionPolicy
 )
 # TODO: update search options?
 search = CurationsSearchOptions
diff --git a/invenio_curations/services/permissions.py b/invenio_curations/services/permissions.py
index d972d76..8f545c4 100644
--- a/invenio_curations/services/permissions.py
+++ b/invenio_curations/services/permissions.py
@@ -8,14 +8,71 @@
 """Curations permissions."""
+from invenio_rdm_records.services.generators import IfFileIsLocal
+from invenio_rdm_records.services.permissions import RDMRecordPermissionPolicy
+from invenio_records_permissions.generators import SystemProcess
 from invenio_requests.services.generators import Creator, Receiver, Status
 from invenio_requests.services.permissions import (
 PermissionPolicy as RequestPermissionPolicy,
 )
+from invenio_curations.services.generators import (
+ CurationModerators,
+ IfCurationRequestExists,
+)
+
+
+class CurationRDMRecordPermissionPolicy(RDMRecordPermissionPolicy):
+ """RDM record policy for curations."""
+
+ can_preview = RDMRecordPermissionPolicy.can_preview + [
+ IfCurationRequestExists(then_=[CurationModerators()], else_=[])
+ ]
+ can_view = RDMRecordPermissionPolicy.can_view + [
+ IfCurationRequestExists(then_=[CurationModerators()], else_=[])
+ ]
+ can_read = RDMRecordPermissionPolicy.can_read + [
+ IfCurationRequestExists(then_=[CurationModerators()], else_=[])
+ ]
+ can_read_files = RDMRecordPermissionPolicy.can_read_files + [
+ IfCurationRequestExists(then_=[CurationModerators()], else_=[])
+ ]
+
+ # in order to get all base permissions in, we just add ours instead of adapting the then_ clause of the base permission
+ can_get_content_files = RDMRecordPermissionPolicy.can_get_content_files + [
+ IfFileIsLocal(then_=can_read_files, else_=[SystemProcess()])
+ ]
+
+ can_read_draft = RDMRecordPermissionPolicy.can_read_draft + [
+ IfCurationRequestExists(then_=[CurationModerators()], else_=[])
+ ]
+ can_draft_read_files = RDMRecordPermissionPolicy.can_draft_read_files + [
+ IfCurationRequestExists(then_=[CurationModerators()], else_=[])
+ ]
+
+ # in order to get all base permissions in, we just add ours instead of adapting the then_ clause of the base permission
+ can_draft_get_content_files = (
+ RDMRecordPermissionPolicy.can_draft_get_content_files
+ + [IfFileIsLocal(then_=can_draft_read_files, else_=[SystemProcess()])]
+ )
+
+ # in order to get all base permissions in, we just add ours instead of adapting the then_ clause of the base permission
+ can_draft_media_get_content_files = (
+ RDMRecordPermissionPolicy.can_draft_media_get_content_files
+ + [IfFileIsLocal(then_=can_preview, else_=[SystemProcess()])]
+ )
+
+ can_media_read_files = RDMRecordPermissionPolicy.can_media_read_files + [
+ IfCurationRequestExists(then_=[CurationModerators()], else_=[])
+ ]
+ can_media_get_content_files = (
+ RDMRecordPermissionPolicy.can_media_get_content_files
+ + [IfFileIsLocal(then_=can_read, else_=[SystemProcess()])]
+ )
+
+
-class CurationPermissionPolicy(RequestPermissionPolicy):
- """Permission policy for curations."""
+class CurationRDMRequestPermissionPolicy(RequestPermissionPolicy):
+ """Request permission policy for curations."""
 can_read = RequestPermissionPolicy.can_read + [
 Status(
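Review bot: `CurationRDMRecordPermissionPolicy` gives `CurationModerators()` read access that reaches past drafts under review: the same `IfCurationRequestExists(then_=[CurationModerators()], else_=[])` entry is appended to `can_view`, `can_read`, `can_read_files` and `can_media_read_files`, which in the base RDM policy apply to published and restricted records as well. Both generators are imported from `invenio_curations.services.generators` and are not visible in this hunk, so whether the grant ends once the request is closed cannot be confirmed here; if it only tests that a request exists, moderators would keep access to restricted files after curation has finished. The one-line class docstring should state the intended scope, for example `"""RDM record policy that lets curation moderators read a record, its draft and its files while a curation request exists."""`. Binding the repeated entry once in the class body and reusing it in all eight places would keep a later tightening from missing one action.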