allow curators to access embargoed files

Narodni-repozitar · Dec 2, 2021 · 245a869 · 245a869
1 parent a6aee09
commit 245a869
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 8 deletions.
diff --git a/nr_datasets/permissions.py b/nr_datasets/permissions.py
@@ -8,10 +8,13 @@
 
 """Dataset permisssion factories."""
 
-from oarepo_fsm.permissions import require_all, require_any
-from oarepo_communities.permissions import read_object_permission_impl
+from invenio_access import Permission, ParameterizedActionNeed
+from oarepo_communities.constants import COMMUNITY_READ, STATE_APPROVED
+from oarepo_communities.permissions import read_object_permission_impl, require_action_allowed, owner_permission_impl, \
+    community_member_permission_impl, community_publisher_permission_impl, community_curator_permission_impl
+from oarepo_fsm.permissions import require_all, require_any, state_required
 
-from nr_datasets.constants import open_access_slug, restricted_slug
+from nr_datasets.constants import open_access_slug, restricted_slug, embargoed_slug
 from nr_datasets.utils import access_rights_factory
 
 
@@ -24,7 +27,7 @@ def can():
             if current_rights and len(current_rights) == 1:
                 current_rights = current_rights[0]
             else:
-                current_rights = []
+                return False
 
             return current_rights['links']['self'] in rights
 
@@ -33,11 +36,43 @@ def can():
     return factory
 
 
+def community_read_permission_impl(record, *args, **kwargs):
+    communities = [record.primary_community, *record.secondary_communities]
+    return require_all(
+        require_action_allowed(COMMUNITY_READ),
+        require_any(
+            #: Record AUTHOR can READ his own records
+            owner_permission_impl,
+            require_all(
+                #: User's role has granted READ permissions in record's communities
+                Permission(*[ParameterizedActionNeed(COMMUNITY_READ, x) for x in communities]),
+                require_any(
+                    #: Community MEMBERS can READ APPROVED community records
+                    require_all(
+                        state_required(STATE_APPROVED),
+                        require_any(
+                            community_member_permission_impl,
+                            community_publisher_permission_impl
+                        )
+                    ),
+                    #: Community CURATORS can READ ALL community records
+                    community_curator_permission_impl
+                )
+            )
+        )
+    )
+
+
 def files_read_permission_factory(record, *args, **kwargs):
     return require_any(
         require_all(
-            read_object_permission_impl,
-            access_rights_required([access_rights_factory(restricted_slug)])
+            community_read_permission_impl,
+            access_rights_required([
+                access_rights_factory(embargoed_slug),
+                access_rights_factory(restricted_slug)]),
         ),
-        access_rights_required([access_rights_factory(open_access_slug)])
+        require_all(
+            read_object_permission_impl,
+            access_rights_required([access_rights_factory(open_access_slug)])
+        )
     )(record, *args, **kwargs)
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,7 +1,7 @@
 [tool]
 [tool.poetry]
 name = "techlib-nr-datasets"
-version = "1.1.15"
+version = "1.1.16"
 description = "Czech National Repository datasets data model."
 license = "MIT"
 keywords = ["Czech", "Nation", "Repository", "Invenio", "datasets"]