Update permission policies to InvenioRDM v11

invenio_config_tuw/permissions/policies.py

@@ -9,6 +9,7 @@ from invenio_communities.permissions import CommunityPermissionPolicy
 from invenio_rdm_records.services import RDMRecordPermissionPolicy
 from invenio_rdm_records.services.generators import (
     CommunityAction,
+    IfFileIsLocal,
     IfRestricted,
     RecordOwners,
     SubmissionReviewer,
@@ -37,7 +38,7 @@ from .generators import (
 class TUWRecordPermissionPolicy(RDMRecordPermissionPolicy):
     """Record permission policy of TU Wien."""
 
-    # current state: invenio-rdm-records v0.39.1
+    # current state: invenio-rdm-records v1.3.5
     #
     # note: edit := create a draft from a record (i.e. putting it in edit mode),
     #               which does not imply the permission to save the edits
@@ -70,16 +71,20 @@ class TUWRecordPermissionPolicy(RDMRecordPermissionPolicy):
     can_search             = can_all                                                                                    # noqa
     can_read               = [IfRestricted("record", then_=can_view, else_=can_all)] + secret_links["view_record"]      # noqa
     can_read_files         = [IfRestricted("files", then_=can_view, else_=can_all) ] + secret_links["view_files"]       # noqa
+    can_get_content_files  = [IfFileIsLocal(then_=can_read_files, else_=[SystemProcess()]) ]                            # noqa
     can_create             = can_basics + [TrustedUsers(), DisableIfReadOnly()]                                         # noqa
 
     # drafts
-    can_search_drafts      = can_authenticated                                                                          # noqa
-    can_read_draft         = can_preview                                                                                # noqa
-    can_draft_read_files   = can_preview                                                                                # noqa
-    can_update_draft       = can_review + [DisableIfReadOnly()]                                                         # noqa
-    can_draft_create_files = can_review + [DisableIfReadOnly()]                                                         # noqa
-    can_draft_update_files = can_review + [DisableIfReadOnly()]                                                         # noqa
-    can_draft_delete_files = can_review + [DisableIfReadOnly()]                                                         # noqa
+    can_search_drafts           = can_authenticated                                                                     # noqa
+    can_read_draft              = can_preview                                                                           # noqa
+    can_draft_read_files        = can_preview                                                                           # noqa
+    can_update_draft            = can_review + [DisableIfReadOnly()]                                                    # noqa
+    can_draft_create_files      = can_review + [DisableIfReadOnly()]                                                    # noqa
+    can_draft_set_content_files = can_review + [DisableIfReadOnly()]                                                    # noqa
+    can_draft_get_content_files = can_review + [DisableIfReadOnly()]                                                    # noqa
+    can_draft_commit_files      = can_review + [DisableIfReadOnly()]                                                    # noqa
+    can_draft_update_files      = can_review + [DisableIfReadOnly()]                                                    # noqa
+    can_draft_delete_files      = can_review + [DisableIfReadOnly()]                                                    # noqa
 
     # PIDs
     can_pid_create         = can_review + [DisableIfReadOnly()]                                                         # noqa
@@ -102,6 +107,8 @@ class TUWRecordPermissionPolicy(RDMRecordPermissionPolicy):
     can_update             = [Disable()]                                                                                # noqa
     can_delete             = [Disable()]                                                                                # noqa
     can_create_files       = [Disable()]                                                                                # noqa
+    can_set_content_files  = [Disable()]                                                                                # noqa
+    can_commit_files       = [Disable()]                                                                                # noqa
     can_update_files       = [Disable()]                                                                                # noqa
     can_delete_files       = [Disable()]                                                                                # noqa
     # fmt: on
@@ -112,7 +119,7 @@ class TUWRequestsPermissionPolicy(RequestsPermissionPolicy):
 
     # disable write operations if the system is in read-only mode
     #
-    # current state: invenio-requests v0.5.5
+    # current state: invenio-requests v1.0.5
 
     # fmt: off
     can_create         = RequestsPermissionPolicy.can_create         + [DisableIfReadOnly()]  # noqa
@@ -123,7 +130,7 @@ class TUWRequestsPermissionPolicy(RequestsPermissionPolicy):
     can_action_expire  = RequestsPermissionPolicy.can_action_expire  + [DisableIfReadOnly()]  # noqa
     can_action_accept  = RequestsPermissionPolicy.can_action_accept  + [DisableIfReadOnly()]  # noqa
     can_action_decline = RequestsPermissionPolicy.can_action_decline + [DisableIfReadOnly()]  # noqa
-    can_create_comment = RequestsPermissionPolicy.can_read           + [DisableIfReadOnly()]  # noqa  # TODO s/can_read/can_create_comment for invenio-requests > 0.5.5
+    can_create_comment = RequestsPermissionPolicy.can_create_comment + [DisableIfReadOnly()]  # noqa
     can_update_comment = RequestsPermissionPolicy.can_update_comment + [DisableIfReadOnly()]  # noqa
     can_delete_comment = RequestsPermissionPolicy.can_delete_comment + [DisableIfReadOnly()]  # noqa
     # fmt: on
@@ -135,7 +142,7 @@ class TUWCommunitiesPermissionPolicy(CommunityPermissionPolicy):
     # for now, we want to restrict the creation of communities to admins
     # and disable write operations if the system is in read-only mode
     #
-    # current state: invenio-communities v3.1.0
+    # current state: invenio-communities v4.1.2
     #
     # TODO: discuss who should have permissions to create communities
     #       -> new role?