mirror of
https://github.com/Cian-H/invenio-config-iform.git
synced 2025-12-23 13:31:58 +00:00
114 lines
3.2 KiB
Python
114 lines
3.2 KiB
Python
# -*- coding: utf-8 -*-
|
|
#
|
|
# Copyright (C) 2020 Graz University of Technology.
|
|
#
|
|
# invenio-config-tugraz is free software; you can redistribute it and/or
|
|
# modify it under the terms of the MIT License; see LICENSE file for more
|
|
# details.
|
|
|
|
"""
|
|
Records permission policies.
|
|
|
|
Default policies for records:
|
|
|
|
.. code-block:: python
|
|
|
|
# Read access given to everyone.
|
|
can_search = [AnyUser()]
|
|
# Create action given to no one (Not even superusers) bc Deposits should
|
|
# be used.
|
|
can_create = [Disable()]
|
|
# Read access given to everyone if public record/files and owners always.
|
|
can_read = [AnyUserIfPublic(), RecordOwners()]
|
|
# Update access given to record owners.
|
|
can_update = [RecordOwners()]
|
|
# Delete access given to admins only.
|
|
can_delete = [Admin()]
|
|
# Associated files permissions (which are really bucket permissions)
|
|
can_read_files = [AnyUserIfPublic(), RecordOwners()]
|
|
can_update_files = [RecordOwners()]
|
|
|
|
How to override default policies for rdm-records.
|
|
|
|
Using Custom Generator for a policy:
|
|
|
|
.. code-block:: python
|
|
|
|
from invenio_rdm_records.services import (
|
|
BibliographicRecordServiceConfig,
|
|
RDMRecordPermissionPolicy,
|
|
)
|
|
|
|
from invenio_config_tugraz.generators import RecordIp
|
|
|
|
class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy):
|
|
|
|
# Create access given to SuperUser only.
|
|
|
|
can_create = [SuperUser()]
|
|
|
|
RDM_RECORDS_BIBLIOGRAPHIC_SERVICE_CONFIG = TUGRAZBibliographicRecordServiceConfig
|
|
|
|
|
|
Permissions for Invenio (RDM) Records.
|
|
"""
|
|
|
|
from invenio_rdm_records.services import (
|
|
BibliographicRecordServiceConfig,
|
|
RDMRecordPermissionPolicy,
|
|
)
|
|
from invenio_records_permissions.generators import (
|
|
Admin,
|
|
AnyUser,
|
|
RecordOwners,
|
|
SuperUser,
|
|
)
|
|
|
|
from .generators import RecordIp
|
|
|
|
|
|
class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy):
|
|
"""Access control configuration for rdm records.
|
|
|
|
This overrides the origin:
|
|
https://github.com/inveniosoftware/invenio-rdm-records/blob/master/invenio_rdm_records/services/permissions.py.
|
|
|
|
"""
|
|
|
|
# Read access given to:
|
|
# TODO:
|
|
# AnyUserIfPublic : grant access if record is public
|
|
# RecordIp: grant access for single_ip
|
|
# RecordOwners: owner of records, enable once the deposit is allowed only for loged-in users.
|
|
# CURRENT:
|
|
# AnyUser
|
|
# RecordIp: grant access for single_ip
|
|
can_read = [AnyUser(), RecordIp()] # RecordOwners()
|
|
|
|
# Search access given to:
|
|
# AnyUser : grant access anyUser
|
|
# RecordIp: grant access for single_ip
|
|
can_search = [AnyUser(), RecordIp()]
|
|
|
|
# Update access given to record owners.
|
|
can_update = [RecordOwners()]
|
|
|
|
# Delete access given to admins only.
|
|
can_delete = [Admin()]
|
|
|
|
# TODO: create (AuthenticatedUser) generator
|
|
# Create action given to AuthenticatedUser
|
|
# UI - if user is loged in
|
|
# API - if user has be Access token (Bearer API-TOKEN)
|
|
# can_create = [AuthenticatedUser()]
|
|
|
|
# Associated files permissions (which are really bucket permissions)
|
|
# can_read_files = [AnyUserIfPublic(), RecordOwners()]
|
|
# can_update_files = [RecordOwners()]
|
|
|
|
|
|
class TUGRAZBibliographicRecordServiceConfig(BibliographicRecordServiceConfig):
|
|
"""Overriding BibliographicRecordServiceConfig."""
|
|
|
|
permission_policy_cls = TUGRAZPermissionPolicy
|