Update permission policies to InvenioRDM v11

f153f12f · Moser, Maximilian · 3eb58f63 · f153f12f
Commit f153f12f authored 2 years ago by Moser, Maximilian
--- a/invenio_config_tuw/permissions/policies.py
+++ b/invenio_config_tuw/permissions/policies.py
@@ -9,6 +9,7 @@ from invenio_communities.permissions import CommunityPermissionPolicy
 from invenio_rdm_records.services import RDMRecordPermissionPolicy
 from invenio_rdm_records.services.generators import (
    CommunityAction,
+    IfFileIsLocal,
    IfRestricted,
    RecordOwners,
    SubmissionReviewer,
@@ -37,7 +38,7 @@ from .generators import (
 class TUWRecordPermissionPolicy(RDMRecordPermissionPolicy):
    """Record permission policy of TU Wien."""

-    # current state: invenio-rdm-records v0.39.1
+    # current state: invenio-rdm-records v1.3.5
    #
    # note: edit := create a draft from a record (i.e. putting it in edit mode),
    #               which does not imply the permission to save the edits
@@ -70,16 +71,20 @@ class TUWRecordPermissionPolicy(RDMRecordPermissionPolicy):
    can_search             = can_all                                                                                    # noqa
    can_read               = [IfRestricted("record", then_=can_view, else_=can_all)] + secret_links["view_record"]      # noqa
    can_read_files         = [IfRestricted("files", then_=can_view, else_=can_all) ] + secret_links["view_files"]       # noqa
+    can_get_content_files  = [IfFileIsLocal(then_=can_read_files, else_=[SystemProcess()]) ]                            # noqa
    can_create             = can_basics + [TrustedUsers(), DisableIfReadOnly()]                                         # noqa

    # drafts
-    can_search_drafts      = can_authenticated                                                                          # noqa
-    can_read_draft         = can_preview                                                                                # noqa
-    can_draft_read_files   = can_preview                                                                                # noqa
-    can_update_draft       = can_review + [DisableIfReadOnly()]                                                         # noqa
-    can_draft_create_files = can_review + [DisableIfReadOnly()]                                                         # noqa
-    can_draft_update_files = can_review + [DisableIfReadOnly()]                                                         # noqa
-    can_draft_delete_files = can_review + [DisableIfReadOnly()]                                                         # noqa
+    can_search_drafts           = can_authenticated                                                                     # noqa
+    can_read_draft              = can_preview                                                                           # noqa
+    can_draft_read_files        = can_preview                                                                           # noqa
+    can_update_draft            = can_review + [DisableIfReadOnly()]                                                    # noqa
+    can_draft_create_files      = can_review + [DisableIfReadOnly()]                                                    # noqa
+    can_draft_set_content_files = can_review + [DisableIfReadOnly()]                                                    # noqa
+    can_draft_get_content_files = can_review + [DisableIfReadOnly()]                                                    # noqa
+    can_draft_commit_files      = can_review + [DisableIfReadOnly()]                                                    # noqa
+    can_draft_update_files      = can_review + [DisableIfReadOnly()]                                                    # noqa
+    can_draft_delete_files      = can_review + [DisableIfReadOnly()]                                                    # noqa

    # PIDs
    can_pid_create         = can_review + [DisableIfReadOnly()]                                                         # noqa
@@ -102,6 +107,8 @@ class TUWRecordPermissionPolicy(RDMRecordPermissionPolicy):
    can_update             = [Disable()]                                                                                # noqa
    can_delete             = [Disable()]                                                                                # noqa
    can_create_files       = [Disable()]                                                                                # noqa
+    can_set_content_files  = [Disable()]                                                                                # noqa
+    can_commit_files       = [Disable()]                                                                                # noqa
    can_update_files       = [Disable()]                                                                                # noqa
    can_delete_files       = [Disable()]                                                                                # noqa
    # fmt: on
@@ -112,7 +119,7 @@ class TUWRequestsPermissionPolicy(RequestsPermissionPolicy):

    # disable write operations if the system is in read-only mode
    #
-    # current state: invenio-requests v0.5.5
+    # current state: invenio-requests v1.0.5

    # fmt: off
    can_create         = RequestsPermissionPolicy.can_create         + [DisableIfReadOnly()]  # noqa
@@ -123,7 +130,7 @@ class TUWRequestsPermissionPolicy(RequestsPermissionPolicy):
    can_action_expire  = RequestsPermissionPolicy.can_action_expire  + [DisableIfReadOnly()]  # noqa
    can_action_accept  = RequestsPermissionPolicy.can_action_accept  + [DisableIfReadOnly()]  # noqa
    can_action_decline = RequestsPermissionPolicy.can_action_decline + [DisableIfReadOnly()]  # noqa
-    can_create_comment = RequestsPermissionPolicy.can_read           + [DisableIfReadOnly()]  # noqa  # TODO s/can_read/can_create_comment for invenio-requests > 0.5.5
+    can_create_comment = RequestsPermissionPolicy.can_create_comment + [DisableIfReadOnly()]  # noqa
    can_update_comment = RequestsPermissionPolicy.can_update_comment + [DisableIfReadOnly()]  # noqa
    can_delete_comment = RequestsPermissionPolicy.can_delete_comment + [DisableIfReadOnly()]  # noqa
    # fmt: on
@@ -135,7 +142,7 @@ class TUWCommunitiesPermissionPolicy(CommunityPermissionPolicy):
    # for now, we want to restrict the creation of communities to admins
    # and disable write operations if the system is in read-only mode
    #
-    # current state: invenio-communities v3.1.0
+    # current state: invenio-communities v4.1.2
    #
    # TODO: discuss who should have permissions to create communities
    #       -> new role?