API Docs
Extension
Permission policies for Invenio records.
Generators
Invenio Records Permissions Generators.
- class invenio_records_permissions.generators.AdminAction(action)
Generator for admin needs.
This generator’s purpose is to be used in cases where administration needs are required. The query filter of this generator is quite broad (match_all). Therefore, it must be used with care.
Constructor.
- class invenio_records_permissions.generators.AllowedByAccessLevel(action='read')
Allows users/roles/groups that have an appropriate access level.
Constructor.
- class invenio_records_permissions.generators.AnyUserIfPublic
Allows any user if record is public.
TODO: Revisit when dealing with files.
- class invenio_records_permissions.generators.ConditionalGenerator(then_, else_)
Generator that depends on whether a condition is true or not.
Constructor.
- class invenio_records_permissions.generators.Disable
Denies ALL users, including users and roles allowed the superuser-access action.
- class invenio_records_permissions.generators.Generator
Parent class mapping the context when an action is allowed or denied.
It does so by generating “needed” and “excluded” Needs. At the search level it implements the query filters to restrict the search.
Any context inherits from this class.
- class invenio_records_permissions.generators.IfConfig(config_key, accept_values=None, **kwargs)
Config-based conditional generator.
Initialize generator.
Policies
- class invenio_records_permissions.policies.base.BasePermissionPolicy(action, **over)
BasePermissionPolicy to inherit from.
The class defines the overall policy and the instance encapsulates the permissions for an action over a set of objects.
- If can_<self.action>
  - is not defined, no one is allowed (Disable()).
  - is an empty list, only Super Users are allowed (via NOTE above).
Constructor.
- property excludes
Set of Needs denying permission.
If ANY of the Needs are matched, permission is revoked.
Note
The _load_permissions() method from Permission adds by default the superuser_access Need (if tied to a User or Role) for us. It also expands ActionNeeds into the Users/Roles that provide them.
If the same Need is returned by needs and excludes, then that Need provider is disallowed.
- property generators
List of Needs generators for self.action.
Defaults to Disable() if no can_<self.action> defined.
- property needs
Set of Needs granting permission.
If ANY of the Needs are matched, permission is granted.
Note
The _load_permissions() method from Permission adds by default the superuser_access Need (if tied to a User or Role) for us. It also expands ActionNeeds into the Users/Roles that provide them.
- property query_filters
List of search engine query filters.
These filters consist of additive queries mapping to what the current user should be able to retrieve via search.
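
The resolution rules documented for BasePermissionPolicy (an undefined can_<self.action> falls back to Disable(), an empty list leaves only superusers, and any matched exclude overrides a matched need), shown as an added example that is not code from invenio-records-permissions. It is a stand-alone Python model: Gen, PolicyModel, RecordPolicy, decide and the sample Needs are hypothetical names, and Disable is modelled on the assumption that it excludes every identity.

```python
# Stand-alone model of the rules documented above. It does not import
# invenio_records_permissions; all names below are hypothetical.
ANY_USER = ("system", "any_user")
SUPERUSER = ("action", "superuser-access")  # stand-in for the superuser_access Need


class Gen:
    """Generator model: contributes granting Needs and denying Needs."""

    def __init__(self, needs=(), excludes=()):
        self.needs, self.excludes = frozenset(needs), frozenset(excludes)


DISABLE = Gen(excludes=[ANY_USER])  # assumption: modelled as excluding every identity


class PolicyModel:
    def __init__(self, action):
        self.action = action

    @property
    def generators(self):
        # A missing can_<action> falls back to Disable: deny by default.
        gens = getattr(self, f"can_{self.action}", None)
        return [DISABLE] if gens is None else gens

    @property
    def needs(self):
        # The superuser Need is always added, so an empty list means superusers only.
        return frozenset({SUPERUSER}).union(*(g.needs for g in self.generators))

    @property
    def excludes(self):
        return frozenset().union(*(g.excludes for g in self.generators))

    def allows(self, provides):
        """provides: Needs held by the identity. Any exclude match revokes."""
        provides = set(provides) | {ANY_USER}
        return not (provides & self.excludes) and bool(provides & self.needs)


class RecordPolicy(PolicyModel):
    can_read = [Gen(needs=[ANY_USER])]
    can_update = [Gen(needs=[("id", 1)], excludes=[("role", "suspended")])]
    can_delete = []  # empty list: only superusers
    # can_create is deliberately left undefined


def decide(action, provides):
    return RecordPolicy(action).allows(provides)
```

When reviewing a real policy, the two cases worth checking first are the ones modelled by can_delete and the missing can_create: an empty list still admits superusers, while an undefined action admits no one.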