diff --git a/invenio_records_marc21/services/generators.py b/invenio_records_marc21/services/generators.py index d35f5bad..b7d61c99 100644 --- a/invenio_records_marc21/services/generators.py +++ b/invenio_records_marc21/services/generators.py @@ -10,17 +10,49 @@ """Permissions generators for Invenio Marc21 Records.""" -from flask import current_app +from flask import current_app, g from invenio_records_permissions.generators import Generator +from invenio_search.engine import dsl class Marc21RecordCreators(Generator): """Allows record owners.""" - def needs(self, **kwargs): - """Enabling Needs.""" + def needs(self, identity=None, record=None, **kwargs): + """Enabling Needs. + + The creator is only allowed to interact with the record which is created + by the creator. + """ + if record is None or identity is None: + return current_app.config.get("MARC21_RECORD_CREATOR_NEEDS", []) + + if identity.id == record.parent.access.owner.owner_id: + return current_app.config.get("MARC21_RECORD_CREATOR_NEEDS", []) + + return [] + + def excludes(self, identity=None, record=None, **kwargs): + """Preventing Needs. + + The creator is only allowed to interact with the record created by the + creator. By returning the role if the record is not created by the + creator is prevents the user of interacting with the record. + """ + if record is None: + return [] + + if g.identity.id == record.parent.access.owner.owner_id: + return [] + return current_app.config.get("MARC21_RECORD_CREATOR_NEEDS", []) + def query_filter(self, identity=None, **kwargs): + """Allow only to see records which the creator has created.""" + users = [n.value for n in identity.provides if n.method == "id"] + if users: + return dsl.Q("terms", **{"parent.access.owned_by.user": users}) + class Marc21RecordManagers(Generator): """Allows record owners.""" diff --git a/invenio_records_marc21/services/permissions.py b/invenio_records_marc21/services/permissions.py index d57f2053..cd628fa5 100644 --- a/invenio_records_marc21/services/permissions.py +++ b/invenio_records_marc21/services/permissions.py @@ -63,7 +63,7 @@ class Marc21RecordPermissionPolicy(RecordPermissionPolicy): # Allow reading metadata of a record can_read = [ - IfRestricted("record", then_=can_view, else_=can_all), + IfRestricted("record", then_=can_curate, else_=can_all), ] # Used for search filtering of deleted records # cannot be implemented inside can_read - otherwise permission will @@ -77,7 +77,7 @@ class Marc21RecordPermissionPolicy(RecordPermissionPolicy): can_manage_files = can_curate can_read_files = [ - IfRestricted("files", then_=can_view, else_=can_all), + IfRestricted("files", then_=can_curate, else_=can_all), ] can_get_content_files = [ IfFileIsLocal(then_=can_read_files, else_=[SystemProcess()])