permissions: add archiver role

CERNDocumentServer · Jul 10, 2024 · 7fcb9a5 · 7fcb9a5
1 parent 142aa1b
commit 7fcb9a5
Show file tree

Hide file tree

Showing 4 changed files with 797 additions and 12 deletions.
diff --git a/site/cds_rdm/generators.py b/site/cds_rdm/generators.py
@@ -10,7 +10,7 @@
 
 from flask import current_app
 from flask_principal import RoleNeed, UserNeed
-from invenio_records_permissions.generators import Generator
+from invenio_records_permissions.generators import AuthenticatedUser, Generator
 from invenio_search.engine import dsl
 
 oais_archiver_role = RoleNeed("oais-archiver")
@@ -51,6 +51,15 @@ def query_filter(self, **kwargs):
         raise NotImplementedError
 
 
+class AuthenticatedRegularUser(AuthenticatedUser):
+    """Generator for regular users. Excludes robot accounts."""
+
+    def excludes(self, **kwargs):
+        """Exclude service/robot accounts."""
+        excludes = super().excludes(**kwargs)
+        return excludes + [oais_archiver_role]
+
+
 class Archiver(Generator):
     """Allows system_process role."""
 

diff --git a/site/cds_rdm/permissions.py b/site/cds_rdm/permissions.py
@@ -9,14 +9,12 @@
 """Permission policy."""
 
 from invenio_communities.permissions import CommunityPermissionPolicy
+from invenio_rdm_records.services.generators import IfRecordDeleted
 from invenio_rdm_records.services.permissions import RDMRecordPermissionPolicy
-from .generators import CERNEmailsGroups, Archiver
-from invenio_records_permissions.generators import (
-    SystemProcess,
-)
+from invenio_records_permissions.generators import SystemProcess
 from invenio_users_resources.services.permissions import UserManager
 
-from invenio_rdm_records.services.generators import IfRecordDeleted
+from .generators import Archiver, AuthenticatedRegularUser, CERNEmailsGroups
 
 
 class CDSCommunitiesPermissionPolicy(CommunityPermissionPolicy):
@@ -33,7 +31,9 @@ class CDSCommunitiesPermissionPolicy(CommunityPermissionPolicy):
 
 
 class CDSRDMRecordPermissionPolicy(RDMRecordPermissionPolicy):
-    can_view = RDMRecordPermissionPolicy.can_view
+    """Record permission policy."""
+
+    can_create = [AuthenticatedRegularUser(), SystemProcess()]
     can_read = RDMRecordPermissionPolicy.can_read + [Archiver()]
     can_search = RDMRecordPermissionPolicy.can_search + [Archiver()]
     can_read_files = RDMRecordPermissionPolicy.can_read_files + [Archiver()]