fix: creator only allowed to interact with owned

* not see restricted files * not see records not owned by them
tu-graz-library · Oct 26, 2024 · 0f45117 · 0f45117
1 parent 0583461
commit 0f45117
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 5 deletions.
diff --git a/invenio_records_marc21/services/generators.py b/invenio_records_marc21/services/generators.py
@@ -10,17 +10,53 @@
 
 """Permissions generators for Invenio Marc21 Records."""
 
-from flask import current_app
+from flask import current_app, g
 from invenio_records_permissions.generators import Generator
+from invenio_search.engine import dsl
 
 
 class Marc21RecordCreators(Generator):
     """Allows record owners."""
 
-    def needs(self, **kwargs):
-        """Enabling Needs."""
+    def needs(self, identity=None, record=None, **kwargs):
+        """Enabling Needs.
+
+        The creator is only allowed to interact with the record which is created
+        by the creator.
+        """
+        if record is None or identity is None:
+            return current_app.config.get("MARC21_RECORD_CREATOR_NEEDS", [])
+
+        if identity.id == record.parent.access.owner.owner_id:
+            return current_app.config.get("MARC21_RECORD_CREATOR_NEEDS", [])
+
+        return []
+
+    def excludes(self, identity=None, record=None, **kwargs):
+        """Preventing Needs.
+
+        The creator is only allowed to interact with the record created by the
+        creator. By returning the role if the record is not created by the
+        creator is prevents the user of interacting with the record.
+        """
+        if record is None:
+            return []
+
+        # TODO: because of strange tests behavior
+        if "identity" not in g:
+            return []
+
+        if g.identity.id == record.parent.access.owner.owner_id:
+            return []
+
         return current_app.config.get("MARC21_RECORD_CREATOR_NEEDS", [])
 
+    def query_filter(self, identity=None, **kwargs):
+        """Allow only to see records which the creator has created."""
+        users = [n.value for n in identity.provides if n.method == "id"]
+        if users:
+            return dsl.Q("terms", **{"parent.access.owned_by.user": users})
+
 
 class Marc21RecordManagers(Generator):
     """Allows record owners."""

diff --git a/invenio_records_marc21/services/permissions.py b/invenio_records_marc21/services/permissions.py
@@ -63,7 +63,7 @@ class Marc21RecordPermissionPolicy(RecordPermissionPolicy):
 
     # Allow reading metadata of a record
     can_read = [
-        IfRestricted("record", then_=can_view, else_=can_all),
+        IfRestricted("record", then_=can_curate, else_=can_all),
     ]
     # Used for search filtering of deleted records
     # cannot be implemented inside can_read - otherwise permission will
@@ -77,7 +77,7 @@ class Marc21RecordPermissionPolicy(RecordPermissionPolicy):
     can_manage_files = can_curate
 
     can_read_files = [
-        IfRestricted("files", then_=can_view, else_=can_all),
+        IfRestricted("files", then_=can_curate, else_=can_all),
     ]
     can_get_content_files = [
         IfFileIsLocal(then_=can_read_files, else_=[SystemProcess()])