*** Wartungsfenster jeden ersten Mittwoch vormittag im Monat ***

Skip to content
Snippets Groups Projects
Commit a58964db authored by Moser, Maximilian's avatar Moser, Maximilian
Browse files

Update record permission policy 

* fix preview permissions not granting access to the draft's files if
  they are restricted
* also refactor the permission levels for shared access (links & grants)
  to be easier to handle
* the latter unfortunately introduces duplicate generators in the policy
  and is thus a bit wasteful - if that turns out to be a problem, that
  should be updated in the future (e.g. via sets)
parent 8bfe3b3d
1 merge request!56Update record permission policy
Hide whitespace changes
Inline Side-by-side
invenio_config_tuw/permissions/policies.py
+ 23
8
View file @ a58964db
...@@ -54,11 +54,26 @@ def IfRestrictedAllowed(then_): ...@@ -54,11 +54,26 @@ def IfRestrictedAllowed(then_):
secret_links = { secret_links = {
"manage": [], # "manage" permissions can't be shared with links
"edit": [SecretLinks("edit")], "edit": [SecretLinks("edit")],
"view": [SecretLinks("edit"), SecretLinks("view")], "view": [SecretLinks("edit"), SecretLinks("view")],
"preview": [SecretLinks("edit"), SecretLinks("preview")], "preview": [SecretLinks("edit"), SecretLinks("preview")],
} }
access_grants = {
"manage": [AccessGrant("manage")],
"edit": [AccessGrant("manage"), AccessGrant("edit")],
"view": [AccessGrant("manage"), AccessGrant("edit"), AccessGrant("view")],
"preview": [AccessGrant("manage"), AccessGrant("edit"), AccessGrant("preview")],
}
shared_access = {
"manage": secret_links["manage"] + access_grants["manage"],
"edit": secret_links["edit"] + access_grants["edit"],
"view": secret_links["view"] + access_grants["view"],
"preview": secret_links["preview"] + access_grants["preview"],
}
class TUWRecordPermissionPolicy(RDMRecordPermissionPolicy): class TUWRecordPermissionPolicy(RDMRecordPermissionPolicy):
"""Record permission policy of TU Wien.""" """Record permission policy of TU Wien."""
...@@ -83,14 +98,14 @@ class TUWRecordPermissionPolicy(RDMRecordPermissionPolicy): ...@@ -83,14 +98,14 @@ class TUWRecordPermissionPolicy(RDMRecordPermissionPolicy):
# and get more permissive from top to bottom # and get more permissive from top to bottom
# #
# fmt: off # fmt: off
can_manage = [TrustedRecordOwners(), RecordCommunitiesAction("curate"), AccessGrant("manage"), SystemProcess() ] # noqa can_manage = [TrustedRecordOwners(), RecordCommunitiesAction("curate"), SystemProcess() ] + shared_access["manage"] # noqa
can_access_draft = can_manage + [RecordOwners(), SubmissionReviewer(), AccessGrant("edit") ] # noqa can_access_draft = can_manage + [RecordOwners(), SubmissionReviewer() ] + shared_access["preview"] # noqa
can_curate = can_manage + [AccessGrant("edit") ] + secret_links["edit"] # noqa can_curate = can_manage + [ ] + shared_access["edit"] # noqa
can_review = can_curate + [SubmissionReviewer() ] # noqa can_review = can_curate + [SubmissionReviewer() ] # noqa
can_preview = can_access_draft + [AccessGrant("preview"), UserManager ] + secret_links["preview"] # noqa can_preview = can_access_draft + [UserManager ] # noqa
can_view = can_access_draft + [AccessGrant("view"), RecordCommunitiesAction("view"), CommunityInclusionReviewers()] + secret_links["view"] # noqa can_view = can_access_draft + [RecordCommunitiesAction("view"), CommunityInclusionReviewers()] + shared_access["view"] # noqa
can_authenticated = [AuthenticatedUser(), SystemProcess() ] # noqa can_authenticated = [AuthenticatedUser(), SystemProcess() ] # noqa
can_all = [AnyUser(), SystemProcess() ] # noqa can_all = [AnyUser(), SystemProcess() ] # noqa
# records # records
can_search = can_all # noqa can_search = can_all # noqa
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment

[ 15.Nov 1h : 4,475 users | 1,081 groups | 6,377 projects ]