diff --git a/invenio_config_tugraz/config.py b/invenio_config_tugraz/config.py index a21978b..7311801 100644 --- a/invenio_config_tugraz/config.py +++ b/invenio_config_tugraz/config.py @@ -9,6 +9,11 @@ """invenio module that adds tugraz configs.""" from flask_babelex import gettext as _ +from invenio_records_permissions.generators import Admin, AnyUser, \ + AnyUserIfPublic, Disable, RecordOwners +from invenio_records_permissions.policies.base import BasePermissionPolicy + +from .permissions import RecordIp INVENIO_CONFIG_TUGRAZ_SHIBBOLETH = True """Set True if SAML is configured""" @@ -215,7 +220,7 @@ Using Custom Generator for a policy: .. code-block:: python from invenio_rdm_records.permissions import RDMRecordPermissionPolicy - from invenio_config_tugraz import RecordIp + from invenio_config_tugraz.permissions import RecordIp class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy): @@ -224,3 +229,30 @@ Using Custom Generator for a policy: RECORDS_PERMISSIONS_RECORD_POLICY = TUGRAZPermissionPolicy """ + + +class TUGRAZPermissionPolicy(BasePermissionPolicy): + """Access control configuration for records.""" + + # Read access to API given to everyone. + can_search = [AnyUser()] + + # Read access given to everyone if public record/files and owners always. + can_read = [AnyUserIfPublic(), RecordOwners()] + + # Create action given to no one (Not even superusers) bc Deposits should + # be used. + can_create = [Disable()] + + # Update access given to record owners. + can_update = [RecordOwners()] + + # Delete access given to admins only. + can_delete = [Admin()] + + # Associated files permissions (which are really bucket permissions) + can_read_files = [AnyUserIfPublic(), RecordOwners()] + can_update_files = [RecordOwners()] + +RECORDS_PERMISSIONS_RECORD_POLICY = TUGRAZPermissionPolicy +"""Access control configuration for records.""" diff --git a/invenio_config_tugraz/permissions.py b/invenio_config_tugraz/permissions.py index a46b1d4..f1da123 100644 --- a/invenio_config_tugraz/permissions.py +++ b/invenio_config_tugraz/permissions.py @@ -6,19 +6,14 @@ # modify it under the terms of the MIT License; see LICENSE file for more # details. -r"""Permission generators, policies and factories for Invenio records. +r"""Permission generators and policies for Invenio records. Invenio-records-permissions provides a means to fully customize access control for Invenio records. It does so by defining and providing three layers of permission constructs that build on each other: -Generators, Policies and Factories. You can extend or override them for maximum +Generators and Policies. You can extend or override them for maximum control. Thankfully we provide default ones that cover most cases. -Factories make invenio-records-permissions immediately compatible -with any Invenio module requiring permission factories (e.g., -`invenio-records-rest `_ and -`invenio-files-rest `_ ). - Invenio-records-permissions conveniently structures (and relies on) functionalities from `invenio-access `_ and @@ -154,69 +149,8 @@ The succinct encoding of the permissions for your instance gives you - one central location where your permissions are defined - exact control - great flexibility by defining your own actions, generators and policies - -In turn, to fully understand how Policies fit in an Invenio project, we have to -show where *they* are used. And *that* is in the Factories. - - -Factories ---------- - -Most authorization is enforced through permission factories in Invenio: -simple functions that return a `Permission -`_ object. Thankfully, Policies are -just that kind of object. - -Invenio-records-permissions provides you with pre-made configurable record -permission factories here: -:py:mod:`invenio_records_permissions.factories.records` . You can follow the -pattern there to create other factories you may need. - -Pre-made factories -~~~~~~~~~~~~~~~~~~ - -By setting the following configuration in your instance: - -.. code-block:: python - - RECORDS_PERMISSIONS_RECORD_POLICY = ( - 'module.to.ExampleRecordPermissionPolicy' - ) - RECORDS_REST_ENDPOINTS = { - "recid": { - # ... - # We only display key-value pairs relevant to this explanation - 'read_permission_factory_imp': 'invenio_records_permissions.factories.record_read_permission_factory', # noqa - 'list_permission_factory_imp': 'invenio_records_permissions.factories.record_search_permission_factory', # noqa - 'create_permission_factory_imp': 'invenio_records_permissions.factories.record_create_permission_factory', # noqa - 'update_permission_factory_imp': 'invenio_records_permissions.factories.record_update_permission_factory', # noqa - 'delete_permission_factory_imp': 'invenio_records_permissions.factories.record_delete_permission_factory' # noqa - } - } - -you will be using the pre-made factories that know to look for their associated -action in ``module.to.ExampleRecordPermissionPolicy``. - -Custom factories -~~~~~~~~~~~~~~~~ - -To implement your own factories, create a factory with the required signature -and return an instance of your custom PermissionPolicy object with the -appropriate action. For example: - -.. code-block:: python - - def license_delete_permission_factory(license=None): - '''Delete permission factory for license records.''' - return LicensePermissionPolicy(action='delete', license=license) - - -With that, we covered all you need to know to fully specify access control in -your instance: combine and use permission Generators, Policies and Factories. - -Custom Generators. """ + from elasticsearch_dsl.query import Q from invenio_records_permissions.generators import Generator diff --git a/setup.py b/setup.py index d6ddf4c..a3c6207 100644 --- a/setup.py +++ b/setup.py @@ -37,8 +37,9 @@ setup_requires = [ install_requires = [ 'Flask-BabelEx>=0.9.4', - 'invenio-records-permissions~=0.9.0', 'elasticsearch_dsl>=7.2.1', + 'invenio-rdm-records~=0.18.3', + 'invenio_search>=1.3.1', ]