feature(permission): split the base from rdm permissions

* updated rdm permission policy * ci: updating test commands to new 1.4.41
2025-12-22 13:11:56 +00:00 · 2020-12-21 14:54:05 +01:00
parent cb7f00d76c
commit e2b1c59c5d
5 changed files with 118 additions and 10 deletions
--- a/invenio_config_tugraz/base_permissions.py
+++ b/invenio_config_tugraz/base_permissions.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2020 Mojib Wali.
+# Copyright (C) 2020 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -46,7 +46,7 @@ Using Custom Generator for a policy:
    RECORDS_PERMISSIONS_RECORD_POLICY = TUGRAZPermissionPolicy


-Permissions for Invenio (RDM) Records.
+Permissions for Invenio records.
 """

 from invenio_records_permissions.generators import (
--- a/invenio_config_tugraz/config.py
+++ b/invenio_config_tugraz/config.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2020 Mojib Wali.
+# Copyright (C) 2020 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -193,8 +193,13 @@ RECAPTCHA_PRIVATE_KEY = None
 # See:
 # https://invenio-records-permissions.readthedocs.io/en/latest/configuration.html
 #
-# Uncomment these to enable overriden
+# Uncomment these to enable overriding Base permissions - (NOT RECOMMANDED)
 # RECORDS_PERMISSIONS_RECORD_POLICY = (
-#    'invenio_config_tugraz.permissions.TUGRAZPermissionPolicy'
+#    'invenio_config_tugraz.base_permissions.TUGRAZPermissionPolicy'
+# )
+#
+# Uncomment these to enable overriding RDM permissions
+# RDM_RECORDS_BIBLIOGRAPHIC_SERVICE_CONFIG = (
+#     'invenio_config_tugraz.rdm_permissions.TUGRAZBibliographicRecordServiceConfig'
 # )
 """Access control configuration for records."""
--- a/invenio_config_tugraz/rdm_permissions.py
+++ b/invenio_config_tugraz/rdm_permissions.py
@@ -0,0 +1,86 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2020 Graz University of Technology.
+#
+# invenio-config-tugraz is free software; you can redistribute it and/or
+# modify it under the terms of the MIT License; see LICENSE file for more
+# details.
+
+"""
+Records permission policies.
+
+Default policies for records:
+
+.. code-block:: python
+
+    # Read access given to everyone.
+    can_search = [AnyUser()]
+    # Create action given to no one (Not even superusers) bc Deposits should
+    # be used.
+    can_create = [Disable()]
+    # Read access given to everyone if public record/files and owners always.
+    can_read = [AnyUserIfPublic(), RecordOwners()]
+    # Update access given to record owners.
+    can_update = [RecordOwners()]
+    # Delete access given to admins only.
+    can_delete = [Admin()]
+    # Associated files permissions (which are really bucket permissions)
+    can_read_files = [AnyUserIfPublic(), RecordOwners()]
+    can_update_files = [RecordOwners()]
+
+How to override default policies for rdm-records.
+
+Using Custom Generator for a policy:
+
+.. code-block:: python
+
+    from invenio_rdm_records.services import (
+    BibliographicRecordServiceConfig,
+    RDMRecordPermissionPolicy,
+    )
+
+    from invenio_config_tugraz.generators import RecordIp
+
+    class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy):
+
+    # Create access given to SuperUser only.
+
+    can_create = [SuperUser()]
+
+    RDM_RECORDS_BIBLIOGRAPHIC_SERVICE_CONFIG  = TUGRAZBibliographicRecordServiceConfig
+
+
+Permissions for Invenio (RDM) Records.
+"""
+
+from invenio_rdm_records.services import (
+    BibliographicRecordServiceConfig,
+    RDMRecordPermissionPolicy,
+)
+from invenio_records_permissions.generators import (
+    Admin,
+    AnyUser,
+    AnyUserIfPublic,
+    RecordOwners,
+    SuperUser,
+)
+
+from .generators import RecordIp
+
+
+class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy):
+    """Access control configuration for records.
+
+    This overrides the /api/records endpoint.
+
+    """
+
+    # Create action given to no one (Not even superusers) bc Deposits should
+    # be used.
+    can_create = [SuperUser()]
+
+
+class TUGRAZBibliographicRecordServiceConfig(BibliographicRecordServiceConfig):
+    """Overriding BibliographicRecordServiceConfig."""
+
+    permission_policy_cls = TUGRAZPermissionPolicy
--- a/run-tests.sh
+++ b/run-tests.sh
@@ -1,16 +1,33 @@
-#!/usr/bin/env sh
+#!/usr/bin/env bash
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2020 Mojib Wali.
+# Copyright (C) 2019-2020 CERN.
+# Copyright (C) 2019-2020 Northwestern University.
+# Copyright (C) 2020 Graz University of Technology.
 #
 # invenio-config-tugraz is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
 # details.

+
+# Quit on errors
+set -o errexit
+
+# Quit on unbound symbols
+set -o nounset
+
+# Always bring down docker services
+
+function cleanup() {
+    eval "$(docker-services-cli down --env)"
+}
+trap cleanup EXIT
+
+
 python -m check_manifest --ignore ".*-requirements.txt"
 python -m sphinx.cmd.build -qnNW docs docs/_build/html
-docker-services-cli --verbose up es postgresql redis
+eval "$(docker-services-cli up --db ${DB:-postgresql} --search ${SEARCH:-elasticsearch} --cache ${CACHE:-redis} --env)"
 python -m pytest
 tests_exit_code=$?
-docker-services-cli down
+python -m sphinx.cmd.build -qnNW -b doctest docs docs/_build/doctest
 exit "$tests_exit_code"
--- a/setup.py
+++ b/setup.py
@@ -24,7 +24,7 @@ tests_require = [

 extras_require = {
    "docs": [
-        "Sphinx>=1.5.1",
+        "Sphinx>=3",
    ],
    "tests": tests_require,
 }