diff --git a/nr_datasets/permissions.py b/nr_datasets/permissions.py index c4f9525..a9dd010 100644 --- a/nr_datasets/permissions.py +++ b/nr_datasets/permissions.py @@ -8,10 +8,13 @@ """Dataset permisssion factories.""" -from oarepo_fsm.permissions import require_all, require_any -from oarepo_communities.permissions import read_object_permission_impl +from invenio_access import Permission, ParameterizedActionNeed +from oarepo_communities.constants import COMMUNITY_READ, STATE_APPROVED +from oarepo_communities.permissions import read_object_permission_impl, require_action_allowed, owner_permission_impl, \ + community_member_permission_impl, community_publisher_permission_impl, community_curator_permission_impl +from oarepo_fsm.permissions import require_all, require_any, state_required -from nr_datasets.constants import open_access_slug, restricted_slug +from nr_datasets.constants import open_access_slug, restricted_slug, embargoed_slug from nr_datasets.utils import access_rights_factory @@ -24,7 +27,7 @@ def can(): if current_rights and len(current_rights) == 1: current_rights = current_rights[0] else: - current_rights = [] + return False return current_rights['links']['self'] in rights 
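Review bot: The new multi-name import from `oarepo_communities.permissions` uses a backslash continuation; PEP 8 prefers wrapping the name list in parentheses, one name per line, e.g. `from oarepo_communities.permissions import (` followed by the six names and a closing `)`, which also keeps future diffs to this list readable. The module docstring shown as context still reads `permisssion` (three s's), which this commit could have fixed while touching the header.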
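Review bot: The new `return False` in `can()` denies access whenever the record carries no access-rights entry or more than one, but the branch does not say whether rejecting the multi-entry case is an intentional fail-closed rule or only a guard against the previous `[]['links']` TypeError; a comment such as `# fail closed: no or ambiguous (several) access-rights entries` would make that decision explicit. If the data model allows a record to carry several access-rights entries, this now silently denies file access instead of raising, which is worth confirming against the schema. `can()` and its enclosing `access_rights_required` begin above the hunk.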
@@ -33,11 +36,43 @@ def can():
     return factory
 
 
+def community_read_permission_impl(record, *args, **kwargs):
+    communities = [record.primary_community, *record.secondary_communities]
+    return require_all(
+        require_action_allowed(COMMUNITY_READ),
+        require_any(
+            #: Record AUTHOR can READ his own records
+            owner_permission_impl,
+            require_all(
+                #: User's role has granted READ permissions in record's communities
+                Permission(*[ParameterizedActionNeed(COMMUNITY_READ, x) for x in communities]),
+                require_any(
+                    #: Community MEMBERS can READ APPROVED community records
+                    require_all(
+                        state_required(STATE_APPROVED),
+                        require_any(
+                            community_member_permission_impl,
+                            community_publisher_permission_impl
+                        )
+                    ),
+                    #: Community CURATORS can READ ALL community records
+                    community_curator_permission_impl
+                )
+            )
+        )
+    )
+
+
 def files_read_permission_factory(record, *args, **kwargs):
     return require_any(
         require_all(
-            read_object_permission_impl,
-            access_rights_required([access_rights_factory(restricted_slug)])
+            community_read_permission_impl,
+            access_rights_required([
+                access_rights_factory(embargoed_slug),
+                access_rights_factory(restricted_slug)]),
         ),
-        access_rights_required([access_rights_factory(open_access_slug)])
+        require_all(
+            read_object_permission_impl,
+            access_rights_required([access_rights_factory(open_access_slug)])
+        )
     )(record, *args, **kwargs)
diff --git a/pyproject.toml b/pyproject.toml
index 10416ed..c7da1d4 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,7 +1,7 @@
 [tool]
 [tool.poetry]
 name = "techlib-nr-datasets"
-version = "1.1.15"
+version = "1.1.16"
 description = "Czech National Repository datasets data model."
 license = "MIT"
 keywords = ["Czech", "Nation", "Repository", "Invenio", "datasets"]
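Review bot: `files_read_permission_factory` now treats `embargoed_slug` exactly like `restricted_slug`, so everyone who passes `community_read_permission_impl` — by its own comments that includes members of an approved record's community, not only the owner and curators — can read embargoed files, and nothing in the hunk consults an embargo end date; unless the embargo is enforced elsewhere (for instance the record's access rights being rewritten when the embargo lifts), this should be confirmed before the release that bumps the version. `community_read_permission_impl` has no docstring although it is now the gate for every non-open file; a docstring stating the rule in the order the nested `require_all`/`require_any` calls apply it (action allowed, then owner, or a community-scoped read need combined with approved-state membership or the curator role) would spare readers from unpicking five levels of nesting. The `*record.secondary_communities` unpacking raises `TypeError` if that attribute is ever `None` instead of an empty list — presumably it is always a list, but nothing in the hunk shows it. As a style point, `Permission(*[ParameterizedActionNeed(COMMUNITY_READ, x) for x in communities])` builds a throwaway list where a generator suffices: `Permission(*(ParameterizedActionNeed(COMMUNITY_READ, x) for x in communities))`.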