Switch to permissions only #22

Merged
merged 3 commits into from
Oct 1, 2024

rekt-hard
Contributor

Remove access grants, as they can be deleted by users. This could lead to curators losing the possibility to review a record.

Instead, an example permission policy has been added to show an example of which permissions should be changed for this package to work as expected.

@rekt-hard rekt-hard force-pushed the switch-to-permissions-only branch from 2b57d75 to 5def4a1 Compare September 25, 2024 10:22
Collaborator

@max-moser max-moser left a comment

brent-rambo-thumbsup

However, please note that overriding the permission policy for records is significantly more complex than overriding the one for requests!
In fact, it's out of scope for this README.
In fact, it's out of scope for this README - or is it?
Collaborator

image

Comment on lines +25 to +71
class CurationRDMRecordPermissionPolicy(RDMRecordPermissionPolicy):
"""RDM record policy for curations."""

can_preview = RDMRecordPermissionPolicy.can_preview + [
IfCurationRequestExists(then_=[CurationModerators()], else_=[])
]
can_view = RDMRecordPermissionPolicy.can_view + [
IfCurationRequestExists(then_=[CurationModerators()], else_=[])
]
can_read = RDMRecordPermissionPolicy.can_read + [
IfCurationRequestExists(then_=[CurationModerators()], else_=[])
]
can_read_files = RDMRecordPermissionPolicy.can_read_files + [
IfCurationRequestExists(then_=[CurationModerators()], else_=[])
]

# in order to get all base permissions in, we just add ours instead of adapting the then_ clause of the base permission
can_get_content_files = RDMRecordPermissionPolicy.can_get_content_files + [
IfFileIsLocal(then_=can_read_files, else_=[SystemProcess()])
]

can_read_draft = RDMRecordPermissionPolicy.can_read_draft + [
IfCurationRequestExists(then_=[CurationModerators()], else_=[])
]
can_draft_read_files = RDMRecordPermissionPolicy.can_draft_read_files + [
IfCurationRequestExists(then_=[CurationModerators()], else_=[])
]

# in order to get all base permissions in, we just add ours instead of adapting the then_ clause of the base permission
can_draft_get_content_files = (
RDMRecordPermissionPolicy.can_draft_get_content_files
+ [IfFileIsLocal(then_=can_draft_read_files, else_=[SystemProcess()])]
)

# in order to get all base permissions in, we just add ours instead of adapting the then_ clause of the base permission
can_draft_media_get_content_files = (
RDMRecordPermissionPolicy.can_draft_media_get_content_files
+ [IfFileIsLocal(then_=can_preview, else_=[SystemProcess()])]
)

can_media_read_files = RDMRecordPermissionPolicy.can_media_read_files + [
IfCurationRequestExists(then_=[CurationModerators()], else_=[])
]
can_media_get_content_files = (
RDMRecordPermissionPolicy.can_media_get_content_files
+ [IfFileIsLocal(then_=can_read, else_=[SystemProcess()])]
)
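Review bot: The draft media group is extended only through `can_draft_media_get_content_files` (built on `can_preview`); in the lines shown there is no `can_draft_media_read_files` override, while record files, draft files and media files each get both a `*_read_files` and a `*_get_content_files` extension. If curation moderators are meant to list draft media files as well, add the matching override with the same `IfCurationRequestExists(then_=[CurationModerators()], else_=[])` clause, or leave a comment saying why it is not needed. That clause is also repeated seven times; binding it once to a module-level name and appending that name would keep the grants from drifting apart when one of them is edited later. The explanatory comment placed above the other three `IfFileIsLocal` additions is missing above `can_media_get_content_files`.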
Collaborator

image

@rekt-hard rekt-hard force-pushed the switch-to-permissions-only branch from 5def4a1 to e7d0416 Compare October 1, 2024 07:17
@rekt-hard rekt-hard merged commit 2d5c106 into main Oct 1, 2024
2 checks passed
@rekt-hard rekt-hard deleted the switch-to-permissions-only branch October 1, 2024 08:28