Introduce conditional DisableIf generator & read-only mode

invenio_records_permissions/config.py

@@ -2,6 +2,7 @@
 #
 # Copyright (C) 2019-2020 CERN.
 # Copyright (C) 2019-2020 Northwestern University.
+# Copyright (C) 2022-2024 TU Wien.
 #
 # Invenio-Records-Permissions is free software; you can redistribute it
 # and/or modify it under the terms of the MIT License; see LICENSE file for
@@ -13,3 +14,6 @@
     "invenio_records_permissions.policies.RecordPermissionPolicy"
 )
 """PermissionPolicy for records."""
+
+RECORDS_PERMISSIONS_READ_ONLY = False
+"""Condition to trigger the ``DisableIfReadOnly`` permission generator."""

invenio_records_permissions/generators.py

@@ -2,6 +2,7 @@
 #
 # Copyright (C) 2019-2023 CERN.
 # Copyright (C) 2019-2020 Northwestern University.
+# Copyright (C) 2022-2024 TU Wien.
 #
 # Invenio-Records-Permissions is free software; you can redistribute it
 # and/or modify it under the terms of the MIT License; see LICENSE file for
@@ -23,6 +24,7 @@
     superuser_access,
     system_process,
 )
+from invenio_base.utils import obj_or_import_string
 from invenio_search.engine import dsl
 
 
@@ -221,7 +223,7 @@ def query_filter(self, identity=None, **kwargs):
                 **{
                     "internal.access_levels.{}".format(access_level): {
                         "scheme": "person",
-                        "id": id_need.value
+                        "id": id_need.value,
                         # TODO: Implement other schemes
                     }
                 }
@@ -296,6 +298,11 @@ def excludes(self, record=None, **kwargs):
         ]
         return set(chain.from_iterable(excludes))
 
+    def query_filter(self, **kwargs):
+        """Create query filter based on the condition."""
+        record = kwargs.pop("record", None)
+        return self._make_query(self._generators(record, **kwargs)) or []
+
     @staticmethod
     def _make_query(generators, **kwargs):
         """Make a query for one set of generators."""
@@ -318,6 +325,22 @@ def _condition(self, **_):
         return current_app.config.get(self.config_key) in self.accept_values
 
 
+class DisableIfReadOnly(IfConfig):
+    """Disable action for ALL users if the system is in read-only mode.
+
+    This generator uses the ``RECORDS_PERMISSIONS_READ_ONLY`` configuration item
+    to determine if the read-only mode is set.
+    """
+
+    def __init__(self):
+        """Initialize generator."""
+        super().__init__(
+            config_key="RECORDS_PERMISSIONS_READ_ONLY",
+            then_=[Disable()],
+            else_=[],
+        )
+
+
 #
 # | Meta Restricted | Files Restricted | Access Right | Result |
 # |-----------------|------------------|--------------|--------|

invenio_records_permissions/policies/records.py

@@ -14,7 +14,13 @@
 from werkzeug.utils import import_string
 
 from ..errors import UnknownGeneratorError
-from ..generators import AnyUser, AnyUserIfPublic, Disable, RecordOwners
+from ..generators import (
+    AnyUser,
+    AnyUserIfPublic,
+    Disable,
+    DisableIfReadOnly,
+    RecordOwners,
+)
 from .base import BasePermissionPolicy
 
 
@@ -59,13 +65,13 @@ class RecordPermissionPolicy(BasePermissionPolicy):
     # Read access given to everyone if public record/files and owners always.
     can_read = [AnyUserIfPublic(), RecordOwners()]
     # Update access given to record owners.
-    can_update = [RecordOwners()]
+    can_update = [RecordOwners(), DisableIfReadOnly()]
     # Delete access given to superuser-access action only
     # (superuser-access is added by default by base policy)
     can_delete = []
     # Associated files permissions (which are really bucket permissions)
     can_read_files = [AnyUserIfPublic(), RecordOwners()]
-    can_update_files = [RecordOwners()]
+    can_update_files = [RecordOwners(), DisableIfReadOnly()]
     can_read_deleted_files = []
 
     def __init__(self, action, **over):

tests/test_generators.py

@@ -2,7 +2,8 @@
 #
 # Copyright (C) 2019 CERN.
 # Copyright (C) 2019 Northwestern University.
-# Copyright (C) 2023 Graz University of Technology
+# Copyright (C) 2023 Graz University of Technology.
+# Copyright (C) 2024 TU Wien.
 #
 # Invenio-Records-Permissions is free software; you can redistribute it
 # and/or modify it under the terms of the MIT License; see LICENSE file for
@@ -22,6 +23,7 @@
     AuthenticatedUser,
     ConditionalGenerator,
     Disable,
+    DisableIfReadOnly,
     Generator,
     IfConfig,
     RecordOwners,
@@ -266,3 +268,18 @@ def test_ifconfig(app, create_record):
         UserNeed(2),
         UserNeed(3),
     }
+
+
+def test_disable_if_read_only(app):
+    generator = DisableIfReadOnly()
+
+    # Normal operation
+    app.config["RECORDS_PERMISSIONS_READ_ONLY"] = False
+    assert generator.excludes(record=None) == set()
+    assert generator.query_filter(record=None) == []
+
+    # System is in read-only mode
+    app.config["RECORDS_PERMISSIONS_READ_ONLY"] = True
+    assert generator.excludes(record=None) == {any_user}
+    query_filter = generator.query_filter(record=None)
+    assert query_filter.to_dict() == {"match_none": {}}