search

inveniosoftware / invenio-rdm-records

DataCite-based data model for InvenioRDM flavour.
https://invenio-rdm-records.readthedocs.io
MIT License
15 stars 87 forks source link

AccessComponent silently assumes that the provided Identity is that of a User #415

Open max-moser opened 3 years ago

max-moser commented 3 years ago

Package version (if known): 0.27.9

Describe the bug

If no users are specified in access.owned_by, then the AccessComponent just takes the identity that's supplied to the service operations (e.g. create) and adds that as owner. https://github.com/inveniosoftware/invenio-rdm-records/blob/master/invenio_rdm_records/services/components.py#L56 This silently assumes that there exists a user with the given Identity's ID -- which may not always be true however, e.g. when the SystemIdentity is used (which has the ID "system", instead of a user's integer ID).

An example where this happens is the demo CLI command, that uses the system identity to create records: https://github.com/inveniosoftware/invenio-rdm-records/blob/master/invenio_rdm_records/cli.py#L229

github-actions[bot] commented 3 years ago

This issue was automatically marked as stale.