API Docs

Extension

Permission policies for Invenio records.

class invenio_records_permissions.ext.InvenioRecordsPermissions(app=None)[source]

Invenio-Records-Permissions extension.

Extension initialization.

init_app(app)[source]

Flask application initialization.

init_config(app)[source]

Initialize configuration.

Generators

Invenio Records Permissions Generators.

class invenio_records_permissions.generators.AdminAction(action)[source]

Generator for admin needs.

Use this generator where administration needs are required. Its query filter is quite broad (match_all), so it must be used with care.

Constructor.

needs(**kwargs)[source]

Enabling Needs.

query_filter(identity, **kwargs)[source]

Not implemented at this level.

class invenio_records_permissions.generators.AllowedByAccessLevel(action='read')[source]

Allows users/roles/groups that have an appropriate access level.

Constructor.

needs(record=None, **kwargs)[source]

Enabling UserNeeds for each person.

query_filter(identity=None, **kwargs)[source]

Search filter for the current user with this generator.

class invenio_records_permissions.generators.AnyUser[source]

Allows any user.

needs(**kwargs)[source]

Enabling Needs.

query_filter(**kwargs)[source]

Match all in search.

class invenio_records_permissions.generators.AnyUserIfPublic[source]

Allows any user if record is public.

TODO: Revisit when dealing with files.

excludes(record=None, **kwargs)[source]

Preventing Needs.

needs(record=None, **kwargs)[source]

Enabling Needs.

query_filter(**kwargs)[source]

Filters for non-restricted records.

class invenio_records_permissions.generators.AuthenticatedUser[source]

Allows authenticated users.

needs(**kwargs)[source]

Enabling Needs.

query_filter(**kwargs)[source]

Filters for current identity as super user.

class invenio_records_permissions.generators.ConditionalGenerator(then_, else_)[source]

Generator that depends on whether a condition is true or not.

Constructor.

excludes(record=None, **kwargs)[source]

Set of Needs denying permission.

needs(record=None, **kwargs)[source]

Set of Needs granting permission.

class invenio_records_permissions.generators.Disable[source]

Denies ALL users including users and roles allowed to superuser-access action.

excludes(**kwargs)[source]

Preventing Needs.

query_filter(**kwargs)[source]

Match None in search.

class invenio_records_permissions.generators.Generator[source]

Parent class mapping the context when an action is allowed or denied.

It does so by generating “needed” and “excluded” Needs. At the search level it implements the query filters to restrict the search.

Any context inherits from this class.

excludes(**kwargs)[source]

Preventing Needs.

needs(**kwargs)[source]

Enabling Needs.

query_filter(**kwargs)[source]

Search filters.

class invenio_records_permissions.generators.IfConfig(config_key, accept_values=None, **kwargs)[source]

Config-based conditional generator.

Initialize generator.

class invenio_records_permissions.generators.RecordOwners[source]

Allows record owners.

needs(record=None, **kwargs)[source]

Enabling Needs.

query_filter(identity=None, **kwargs)[source]

Filters for current identity as owner.

class invenio_records_permissions.generators.SystemProcess[source]

Allows system_process role.

needs(**kwargs)[source]

Enabling Needs.

query_filter(identity=None, **kwargs)[source]

Filters for current identity as system process.

class invenio_records_permissions.generators.SystemProcessWithoutSuperUser[source]

Allows system_process role, excluding superuser-access needs.

excludes(**kwargs)[source]

Preventing Needs.

Policies

class invenio_records_permissions.policies.base.BasePermissionPolicy(action, **over)[source]

BasePermissionPolicy to inherit from.

The class defines the overall policy and the instance encapsulates the permissions for an action over a set of objects.

If can_<self.action>:

- is not defined, no one is allowed (Disable()).
- is an empty list, only Super Users are allowed (via NOTE above).

Constructor.

property excludes

Set of Needs denying permission.

If ANY of the Needs are matched, permission is revoked.

Note

_load_permissions() method from Permission adds by default the superuser_access Need (if tied to a User or Role) for us. It also expands ActionNeeds into the Users/Roles that provide them.

If the same Need is returned by needs and excludes, then that Need provider is disallowed.

property generators

List of Needs generators for self.action.

Defaults to Disable() if no can_<self.action> defined.

property needs

Set of Needs granting permission.

If ANY of the Needs are matched, permission is granted.

Note

_load_permissions() method from Permission adds by default the superuser_access Need (if tied to a User or Role) for us. It also expands ActionNeeds into the Users/Roles that provide them.

property query_filters

List of search engine query filters.

These filters consist of additive queries mapping to what the current user should be able to retrieve via search.
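The needs/excludes rules described for BasePermissionPolicy, as an added standard-library model that is not the package's own code. ExamplePolicy, identity(), the record layout and the toy generator bodies are assumptions made for illustration; only the class names and the stated rules come from the documentation above.

```python
from collections import namedtuple

# Constructed stand-ins for Needs; not the library's own objects.
Need = namedtuple("Need", ["method", "value"])
any_user = Need("system_role", "any_user")
superuser = Need("action", "superuser-access")

class Generator:
    def needs(self, **kwargs):
        return []
    def excludes(self, **kwargs):
        return []

class AnyUserIfPublic(Generator):
    def needs(self, record=None, **kwargs):
        # Assumed record layout: {"access": "public" | "restricted", "owners": [...]}
        return [any_user] if record and record["access"] == "public" else []

class RecordOwners(Generator):
    def needs(self, record=None, **kwargs):
        return [Need("id", uid) for uid in (record or {}).get("owners", [])]

class Disable(Generator):
    def excludes(self, **kwargs):
        return [any_user]  # every identity provides any_user, so all are denied

class ExamplePolicy:
    can_read = [AnyUserIfPublic(), RecordOwners()]
    can_delete = []  # empty list: only superusers pass
    # can_publish is deliberately undefined: falls back to Disable()

    def __init__(self, action, **over):
        self.action, self.over = action, over

    @property
    def generators(self):
        return getattr(self, "can_" + self.action, [Disable()])

    def allows(self, provides):
        needs, excludes = {superuser}, set()  # superuser need is added by default
        for gen in self.generators:
            needs.update(gen.needs(**self.over))
            excludes.update(gen.excludes(**self.over))
        if excludes & provides:  # ANY matched exclude revokes permission
            return False
        return bool(needs & provides)  # ANY matched need grants permission

def identity(*extra):
    return {any_user, *extra}  # assumption: any_user is always provided
```

An undefined action is stricter than an empty list: `ExamplePolicy("publish")` denies even an identity holding the superuser need, while `ExamplePolicy("delete")` admits only that identity.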

class invenio_records_permissions.policies.records.RecordPermissionPolicy(action, **over)[source]

Access control configuration for records.

Constructor.