search

inveniosoftware / invenio-records-permissions

Permissions for Invenio's records REST API.
https://invenio-records-permissions.readthedocs.io
MIT License
0 stars 25 forks source link

`Disable` generator forbids superusers #88

Closed ppanero closed 1 year ago

ppanero commented 1 year ago 
from invenio_access.permissions import superuser_access , system_identity
from invenio_rdm_records.proxies import current_rdm_records_service

system_identity.provides.add(superuser_access)  # should not be needed
current_rdm_records_service.delete(system_identity, "1131649")

     50 if not self.check_permission(identity, action_name, **kwargs):
---> 51     raise PermissionDeniedError(action_name)

PermissionDeniedError: delete

system_identity.provides

{Need(method='action', value='superuser-access'),
 Need(method='system_role', value='system_process')}
zzacharo commented 1 year ago

Decided to implement a cli command per instance for now, as the proper deletion or records is more complex and it will be part of a future milestone (from the moment this comment is written).

Action

ppanero commented 1 year ago

Clarification needed @zzacharo a) it will be fixed when that cli is implemented? b) it will not be an issue because we will use a cli? if this is the case, the issue will still exist since I assume the cli will call the service, where permissions are checked (and Disable will block the deletion)

zzacharo commented 1 year ago

By CLI, I was meaning a script utilizing the data models instead of services i.e use it only in our instances until we properly attack the issue of deletions via services. So, the issue with the permission will be fixed when the underlying service layer implements the deletion properly.