Allow edits to published records to record owners

* as long as they have the "trusted-user" role, which is required to create the record in the first place * however, publishing new records still requires the "trusted-publisher" role

Allow edits to published records to record owners
* as long as they have the "trusted-user" role, which is required to create the record in the first place * however, publishing new records still requires the "trusted-publisher" role
974c2053 · Moser, Maximilian · ee09b78f · 974c2053 · 974c2053
Commit 974c2053 authored 1 year ago by Moser, Maximilian
--- a/invenio_config_tuw/permissions/generators.py
+++ b/invenio_config_tuw/permissions/generators.py
@@ -9,10 +9,18 @@ from flask import current_app
 from flask_login import current_user
 from flask_principal import RoleNeed, UserNeed
 from invenio_access.permissions import any_user
-from invenio_rdm_records.services.generators import SecretLinks
+from invenio_rdm_records.services.generators import ConditionalGenerator, SecretLinks
 from invenio_records_permissions.generators import Generator


+class IfPublished(ConditionalGenerator):
+    """Allows record owners with the "trusted-publisher" role."""
+
+    def _condition(self, record=None, **kwargs):
+        """Check if the record has been published."""
+        return record is not None and record.is_published
+
+
 class DisableIf(Generator):
    """Denies ALL users including super users, if a condition is met."""

@@ -94,6 +102,14 @@ def TrustedPublisherRecordOwners(exclude=False):
    return RecordOwnersWithRole("trusted-publisher", exclude=exclude)


+def TrustedPublisherForNewButTrustedUserForEdits(exclude=False):
+    """Require "trusted-user" for edits, but "trusted-publisher" for new records."""
+    return IfPublished(
+        then_=[TrustedRecordOwners(exclude=False)],
+        else_=[TrustedPublisherRecordOwners(exclude=False)],
+    )
+
+
 secret_links = {
    "edit": [SecretLinks("edit")],
    "view": [SecretLinks("edit"), SecretLinks("view")],

--- a/invenio_config_tuw/permissions/policies.py
+++ b/invenio_config_tuw/permissions/policies.py
@@ -26,7 +26,7 @@ from invenio_requests.services.permissions import (

 from .generators import (
    DisableIfReadOnly,
-    TrustedPublisherRecordOwners,
+    TrustedPublisherForNewButTrustedUserForEdits,
    TrustedRecordOwners,
    TrustedUsers,
    secret_links,
@@ -101,7 +101,7 @@ class TUWRecordPermissionPolicy(RDMRecordPermissionPolicy):
    can_delete_draft       = can_curate + [DisableIfReadOnly()]                                                         # noqa
    can_new_version        = can_curate + [DisableIfReadOnly()]                                                         # noqa
    can_lift_embargo       = can_manage + [DisableIfReadOnly()]                                                         # noqa
-    can_publish            = can_basics + [TrustedPublisherRecordOwners(), DisableIfReadOnly()]                         # noqa
+    can_publish            = can_basics + [TrustedPublisherForNewButTrustedUserForEdits(), DisableIfReadOnly()]         # noqa

    # disabled (record management in InvenioRDM goes through drafts)
    can_update             = [Disable()]                                                                                # noqa