diff --git a/invenio_config_tuw/permissions/policies.py b/invenio_config_tuw/permissions/policies.py
index 254f598ed1b5bfc70e555f4ece93dd97acc8b263..429f8236edf2dbafc501b6ad34e875ad182cc868 100644
--- a/invenio_config_tuw/permissions/policies.py
+++ b/invenio_config_tuw/permissions/policies.py
@@ -9,6 +9,7 @@ from invenio_communities.permissions import CommunityPermissionPolicy
 from invenio_rdm_records.services import RDMRecordPermissionPolicy
 from invenio_rdm_records.services.generators import (
 CommunityAction,
+ IfFileIsLocal,
 IfRestricted,
 RecordOwners,
 SubmissionReviewer,
@@ -37,7 +38,7 @@ from .generators import (
 class TUWRecordPermissionPolicy(RDMRecordPermissionPolicy):
 """Record permission policy of TU Wien."""
- # current state: invenio-rdm-records v0.39.1
+ # current state: invenio-rdm-records v1.3.5
 #
 # note: edit := create a draft from a record (i.e. putting it in edit mode),
 # which does not imply the permission to save the edits
@@ -70,16 +71,20 @@ class TUWRecordPermissionPolicy(RDMRecordPermissionPolicy):
 can_search = can_all # noqa
 can_read = [IfRestricted("record", then_=can_view, else_=can_all)] + secret_links["view_record"] # noqa
 can_read_files = [IfRestricted("files", then_=can_view, else_=can_all) ] + secret_links["view_files"] # noqa
+ can_get_content_files = [IfFileIsLocal(then_=can_read_files, else_=[SystemProcess()]) ] # noqa
 can_create = can_basics + [TrustedUsers(), DisableIfReadOnly()] # noqa
 # drafts
- can_search_drafts = can_authenticated # noqa
- can_read_draft = can_preview # noqa
- can_draft_read_files = can_preview # noqa
- can_update_draft = can_review + [DisableIfReadOnly()] # noqa
- can_draft_create_files = can_review + [DisableIfReadOnly()] # noqa
- can_draft_update_files = can_review + [DisableIfReadOnly()] # noqa
- can_draft_delete_files = can_review + [DisableIfReadOnly()] # noqa
+ can_search_drafts = can_authenticated # noqa
+ can_read_draft = can_preview # noqa
+ can_draft_read_files = can_preview # noqa
+ can_update_draft = can_review + [DisableIfReadOnly()] # noqa
+ can_draft_create_files = can_review + [DisableIfReadOnly()] # noqa
+ can_draft_set_content_files = can_review + [DisableIfReadOnly()] # noqa
+ can_draft_get_content_files = can_review + [DisableIfReadOnly()] # noqa
+ can_draft_commit_files = can_review + [DisableIfReadOnly()] # noqa
+ can_draft_update_files = can_review + [DisableIfReadOnly()] # noqa
+ can_draft_delete_files = can_review + [DisableIfReadOnly()] # noqa
 # PIDs
 can_pid_create = can_review + [DisableIfReadOnly()] # noqa
@@ -102,6 +107,8 @@ class TUWRecordPermissionPolicy(RDMRecordPermissionPolicy):
 can_update = [Disable()] # noqa
 can_delete = [Disable()] # noqa
 can_create_files = [Disable()] # noqa
+ can_set_content_files = [Disable()] # noqa
+ can_commit_files = [Disable()] # noqa
 can_update_files = [Disable()] # noqa
 can_delete_files = [Disable()] # noqa
 # fmt: on
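Review bot: The three new draft content rules (`can_draft_set_content_files`, `can_draft_get_content_files`, `can_draft_commit_files`) are plain `can_review + [DisableIfReadOnly()]`, whereas the record-side `can_get_content_files` added in the same hunk uses `IfFileIsLocal` to restrict non-local files to `SystemProcess()`. As written, reviewers are granted content access to draft files whether or not they are stored locally. In addition `can_draft_get_content_files`, a read, is gated differently from `can_draft_read_files = can_preview` and presumably switches off in read-only mode. If that asymmetry is not intended, I would write `can_draft_get_content_files = [IfFileIsLocal(then_=can_draft_read_files, else_=[SystemProcess()])]` and wrap the two write rules the same way, e.g. `can_draft_set_content_files = [IfFileIsLocal(then_=can_review, else_=[SystemProcess()]), DisableIfReadOnly()]`. `can_review`, `can_preview`, `SystemProcess` and `DisableIfReadOnly` are defined or imported outside this hunk, so check their exact behaviour first; if the difference is deliberate, a one-line comment above the draft block saying why would be enough.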
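Review bot: `can_set_content_files` and `can_commit_files` had no override in this published-record block before the change, so after the dependency bump they would presumably have fallen back to whatever the parent `RDMRecordPermissionPolicy` defines instead of `[Disable()]`. The block depends on someone enumerating every upstream write action by hand at each upgrade, with the `# current state:` comment as the only marker. A small test that walks the parent policy's `can_*` attributes and fails on any name this class does not override would catch the next addition before it ships. The `# fmt: off` block starts outside the hunk, so I cannot tell from here whether other newly introduced actions are already covered.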
@@ -112,7 +119,7 @@ class TUWRequestsPermissionPolicy(RequestsPermissionPolicy):
 # disable write operations if the system is in read-only mode
 #
- # current state: invenio-requests v0.5.5
+ # current state: invenio-requests v1.0.5
 # fmt: off
 can_create = RequestsPermissionPolicy.can_create + [DisableIfReadOnly()] # noqa
@@ -123,7 +130,7 @@ class TUWRequestsPermissionPolicy(RequestsPermissionPolicy):
 can_action_expire = RequestsPermissionPolicy.can_action_expire + [DisableIfReadOnly()] # noqa
 can_action_accept = RequestsPermissionPolicy.can_action_accept + [DisableIfReadOnly()] # noqa
 can_action_decline = RequestsPermissionPolicy.can_action_decline + [DisableIfReadOnly()] # noqa
- can_create_comment = RequestsPermissionPolicy.can_read + [DisableIfReadOnly()] # noqa # TODO s/can_read/can_create_comment for invenio-requests > 0.5.5
+ can_create_comment = RequestsPermissionPolicy.can_create_comment + [DisableIfReadOnly()] # noqa
 can_update_comment = RequestsPermissionPolicy.can_update_comment + [DisableIfReadOnly()] # noqa
 can_delete_comment = RequestsPermissionPolicy.can_delete_comment + [DisableIfReadOnly()] # noqa
 # fmt: on
@@ -135,7 +142,7 @@ class TUWCommunitiesPermissionPolicy(CommunityPermissionPolicy):
 # for now, we want to restrict the creation of communities to admins
 # and disable write operations if the system is in read-only mode
 #
- # current state: invenio-communities v3.1.0
+ # current state: invenio-communities v4.1.2
 #
 # TODO: discuss who should have permissions to create communities
 # -> new role?