resource: add permission check to names search

* closes CERNDocumentServer/cds-rdm#135
jrcastro2 · Sep 2, 2024 · eb0e339 · eb0e339
1 parent cf8243c
commit eb0e339
Showing 1 changed file with 48 additions and 2 deletions.
diff --git a/invenio_vocabularies/contrib/names/resources.py b/invenio_vocabularies/contrib/names/resources.py
@@ -9,9 +9,17 @@
 
 """Names vocabulary resources."""
 
-from flask import g
+from flask import current_app, g
+from flask_login import login_required
 from flask_resources import resource_requestctx, response_handler, route
-from invenio_records_resources.resources.records.resource import request_view_args
+from invenio_records_resources.resources.records.resource import (
+    request_extra_args,
+    request_read_args,
+    request_search_args,
+    request_view_args,
+)
+from invenio_records_resources.resources.records.utils import search_preference
+from invenio_stats.proxies import current_stats
 from marshmallow import fields
 
 from .names import record_type
@@ -43,6 +51,7 @@ def create_url_rules(self):
 
     @request_view_args
     @response_handler()
+    @login_required
     def name_resolve_by_id(self):
         """Resolve an identifier."""
         item = self.service.resolve(
@@ -52,3 +61,40 @@ def name_resolve_by_id(self):
         )
 
         return item.to_dict(), 200
+
+    @request_extra_args
+    @request_search_args
+    @response_handler(many=True)
+    @login_required
+    def search(self):
+        """Perform a search over the items."""
+        identity = g.identity
+        hits = self.service.search(
+            identity=identity,
+            params=resource_requestctx.args,
+            search_preference=search_preference(),
+            expand=resource_requestctx.args.get("expand", False),
+        )
+        return hits.to_dict(), 200
+
+    @request_extra_args
+    @request_read_args
+    @request_view_args
+    @response_handler()
+    @login_required
+    def read(self):
+        """Read an item."""
+        item = self.service.read(
+            g.identity,
+            resource_requestctx.view_args["pid_value"],
+            expand=resource_requestctx.args.get("expand", False),
+        )
+
+        # we emit the record view stats event here rather than in the service because
+        # the service might be called from other places as well that we don't want
+        # to count, e.g. from some CLI commands
+        emitter = current_stats.get_event_emitter("record-view")
+        if item is not None and emitter is not None:
+            emitter(current_app, record=item._record, via_api=True)
+
+        return item.to_dict(), 200