Rework the record permission policy with Mirek's new SameAs generator
We have tweaked some very core permissions (e.g. requiring a trusted-user role to create datasets) that impact most of the other action permissions in InvenioRDM.
Due to the quite static way that the permission policies were defined previously, that unfortunately required almost all action permissions to be (re-)defined on our permission policy explicitly.
Reevaluating the permission policy on each new InvenioRDM release was a major headache.
The new SameAs permission generator proposed by Mirek Šimek [1,2] makes our life a lot easier on that front, allowing us to remove most of the explicit definitions and thus massively reducing mental overhead.
The mental capacity being freed up can then be used for more productive tasks, such as reasoning about the actual set of permissions given out and their impact (rather than wtf can_access_draft is because that looks awfully similar to what's upstream, but doesn't exist upstream?).
This MR performs a few actions:
- Remove the shared_access helper hierarchy, along with the d() function that mostly just fixed the duplication introduced with that hierarchy
- Rework and simplify action permissions with the SameAs generator instead of explicitly referring to action permissions via their class variables
- Remove the IfLocalOrMultipart generator, because we can simply reuse the upstream definitions
- Remove the DisableIfReadOnly generator, because we've only used that once and could handle it differently now (and it blocked some simplifications)
- Generally align a bit more with the upstream permission policy, to minimize drift (and maximize maintainability)
[1] https://github.com/inveniosoftware/invenio-records-permissions/pull/119
[2] https://github.com/inveniosoftware/invenio-rdm-records/pull/2267
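
Added example, not part of the merge request and not Invenio code: a simplified model of why class-variable references force every dependent action to be redefined after a core permission is overridden, while a name-based reference resolved on the final policy class does not. Generators are reduced to role-name strings, and the `SameAs` class, the `resolve` and `drifted` helpers, the action names other than a create permission, and the "authenticated" role are assumptions made for illustration.

```python
# Simplified model (assumption): a "generator" is just a role name string.

class SameAs:
    """Name-based reference to another action permission on the same policy."""
    def __init__(self, permission_name):
        self.permission_name = permission_name

def resolve(policy, name, _seen=()):
    """Flatten an action permission to the set of roles that satisfy it."""
    if name in _seen:
        raise ValueError(f"SameAs cycle via {name}")
    roles = set()
    for gen in getattr(policy, name):
        if isinstance(gen, SameAs):
            # Looked up on the final policy class, so overrides are honoured.
            roles |= resolve(policy, gen.permission_name, _seen + (name,))
        else:
            roles.add(gen)
    return roles

class UpstreamStatic:
    can_create = ["authenticated"]
    # Class-variable references: bound to the upstream list at definition time.
    can_new_version = can_create
    can_manage_files = can_create

class UpstreamSameAs:
    can_create = ["authenticated"]
    can_new_version = [SameAs("can_create")]
    can_manage_files = [SameAs("can_create")]

class LocalStatic(UpstreamStatic):
    can_create = ["trusted-user"]  # dependents silently keep the upstream roles

class LocalSameAs(UpstreamSameAs):
    can_create = ["trusted-user"]  # dependents follow the override

ACTIONS = ("can_create", "can_new_version", "can_manage_files")

def drifted(policy, expected):
    """Actions whose effective roles differ from the intended tightened set."""
    return sorted(a for a in ACTIONS if resolve(policy, a) != set(expected))

if __name__ == "__main__":
    print("static:", drifted(LocalStatic, ["trusted-user"]))
    print("SameAs:", drifted(LocalSameAs, ["trusted-user"]))
```

A check like `drifted` is also useful as a regression test when upgrading: it flags any action that still grants the looser upstream roles after a local override.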