diff --git a/invenio_requests/services/events/service.py b/invenio_requests/services/events/service.py index d2da6ecf..affbd2b4 100644 --- a/invenio_requests/services/events/service.py +++ b/invenio_requests/services/events/service.py @@ -47,6 +47,7 @@ def create( uow=None, expand=False, notify=True, + **kwargs ): """Create a request event. @@ -55,7 +56,15 @@ def create( :param dict data: Input data according to the data schema. """ request = self._get_request(request_id) - self.require_permission(identity, "create_comment", request=request) + self.require_permission( + identity, + "create_comment", + request=request, + data=data, + event_type=event_type, + notify=notify, + **kwargs, + ) # Validate data (if there are errors, .load() raises) schema = self._wrap_schema(event_type.marshmallow_schema()) @@ -93,12 +102,12 @@ def create( expand=expand, ) - def read(self, identity, id_, expand=False): + def read(self, identity, id_, expand=False, **kwargs): """Retrieve a record.""" event = self._get_event(id_) request = self._get_request(event.request_id) - self.require_permission(identity, "read", request=request) + self.require_permission(identity, "read", request=request, **kwargs) return self.result_item( self, @@ -111,12 +120,19 @@ def read(self, identity, id_, expand=False): ) @unit_of_work() - def update(self, identity, id_, data, revision_id=None, uow=None, expand=False): + def update( + self, identity, id_, data, revision_id=None, uow=None, expand=False, **kwargs + ): """Update a comment (only comments can be updated).""" event = self._get_event(id_) request = self._get_request(event.request.id) self.require_permission( - identity, "update_comment", request=request, event=event + identity, + "update_comment", + request=request, + event=event, + data=data, + **kwargs, ) self.check_revision_id(event, revision_id) @@ -143,7 +159,7 @@ def update(self, identity, id_, data, revision_id=None, uow=None, expand=False): ) @unit_of_work() - def delete(self, identity, id_, revision_id=None, uow=None): + def delete(self, identity, id_, revision_id=None, uow=None, **kwargs): """Delete a comment (only comments can be deleted).""" event = self._get_event(id_) request_id = event.request_id @@ -151,7 +167,7 @@ def delete(self, identity, id_, revision_id=None, uow=None): # Permissions self.require_permission( - identity, "delete_comment", request=request, event=event + identity, "delete_comment", request=request, event=event, **kwargs ) self.check_revision_id(event, revision_id) @@ -188,7 +204,9 @@ def search( # Permissions - guarded by the request's can_read. request = self._get_request(request_id) - self.require_permission(identity, "read", request=request) + self.require_permission( + identity, "read", request=request, params=params, **kwargs + ) # Prepare and execute the search search = self._search( diff --git a/invenio_requests/services/requests/service.py b/invenio_requests/services/requests/service.py index 9dd8a0a8..904ba45e 100644 --- a/invenio_requests/services/requests/service.py +++ b/invenio_requests/services/requests/service.py @@ -74,9 +74,19 @@ def create( expires_at=None, uow=None, expand=False, + **kwargs, ): """Create a record.""" - self.require_permission(identity, "create") + self.require_permission( + identity, + "create", + request_type=request_type, + receiver=receiver, + creator=creator, + record=topic, + expires_at=expires_at, + **kwargs, + ) # we're not using "self.schema" b/c the schema may differ per # request type! @@ -134,11 +144,11 @@ def create( expand=expand, ) - def read(self, identity, id_, expand=False): + def read(self, identity, id_, expand=False, **kwargs): """Retrieve a request.""" # resolve and require permission request = self.record_cls.get_record(id_) - self.require_permission(identity, f"read", request=request) + self.require_permission(identity, f"read", request=request, **kwargs) # run components for component in self.components: @@ -156,13 +166,17 @@ def read(self, identity, id_, expand=False): ) @unit_of_work() - def update(self, identity, id_, data, revision_id=None, uow=None, expand=False): + def update( + self, identity, id_, data, revision_id=None, uow=None, expand=False, **kwargs + ): """Update a request.""" request = self.record_cls.get_record(id_) self.check_revision_id(request, revision_id) - self.require_permission(identity, f"update", record=request, request=request) + self.require_permission( + identity, f"update", record=request, request=request, data=data, **kwargs + ) # we're not using "self.schema" b/c the schema may differ per # request type! @@ -194,7 +208,7 @@ def update(self, identity, id_, data, revision_id=None, uow=None, expand=False): ) @unit_of_work() - def delete(self, identity, id_, uow=None): + def delete(self, identity, id_, uow=None, **kwargs): """Delete a request from database and search indexes.""" request = self.record_cls.get_record(id_) @@ -202,7 +216,7 @@ def delete(self, identity, id_, uow=None): # self.check_revision_id(request, revision_id) # check permissions - self.require_permission(identity, f"action_delete", request=request) + self.require_permission(identity, f"action_delete", request=request, **kwargs) # run components self.run_components("delete", identity, record=request, uow=uow) @@ -238,7 +252,14 @@ def execute_action( # Check permissions - example of permission: can_cancel_submitted permission_name = f"action_{action}" - self.require_permission(identity, permission_name, request=request) + self.require_permission( + identity, + permission_name, + request=request, + action_obj=action, + data=data, + **kwargs, + ) # Check if the action *can* be executed (i.e. a given state transition # is allowed). @@ -279,7 +300,9 @@ def search_user_requests( The user is able to search the requests that were created by them they are the receiver or they got access via the requests topic e.g record sharing. """ - self.require_permission(identity, "search_user_requests") + self.require_permission( + identity, "search_user_requests", params=params, **kwargs + ) # Prepare and execute the search params = params or {}