Extra context for permission checks

invenio_requests/services/events/service.py

@@ -47,6 +47,7 @@ def create(
         uow=None,
         expand=False,
         notify=True,
+        **kwargs
     ):
         """Create a request event.
 
@@ -55,7 +56,15 @@ def create(
         :param dict data: Input data according to the data schema.
         """
         request = self._get_request(request_id)
-        self.require_permission(identity, "create_comment", request=request)
+        self.require_permission(
+            identity,
+            "create_comment",
+            request=request,
+            data=data,
+            event_type=event_type,
+            notify=notify,
+            **kwargs,
+        )
 
         # Validate data (if there are errors, .load() raises)
         schema = self._wrap_schema(event_type.marshmallow_schema())
@@ -93,12 +102,12 @@ def create(
             expand=expand,
         )
 
-    def read(self, identity, id_, expand=False):
+    def read(self, identity, id_, expand=False, **kwargs):
         """Retrieve a record."""
         event = self._get_event(id_)
         request = self._get_request(event.request_id)
 
-        self.require_permission(identity, "read", request=request)
+        self.require_permission(identity, "read", request=request, **kwargs)
 
         return self.result_item(
             self,
@@ -111,12 +120,19 @@ def read(self, identity, id_, expand=False):
         )
 
     @unit_of_work()
-    def update(self, identity, id_, data, revision_id=None, uow=None, expand=False):
+    def update(
+        self, identity, id_, data, revision_id=None, uow=None, expand=False, **kwargs
+    ):
         """Update a comment (only comments can be updated)."""
         event = self._get_event(id_)
         request = self._get_request(event.request.id)
         self.require_permission(
-            identity, "update_comment", request=request, event=event
+            identity,
+            "update_comment",
+            request=request,
+            event=event,
+            data=data,
+            **kwargs,
         )
         self.check_revision_id(event, revision_id)
 
@@ -143,15 +159,15 @@ def update(self, identity, id_, data, revision_id=None, uow=None, expand=False):
         )
 
     @unit_of_work()
-    def delete(self, identity, id_, revision_id=None, uow=None):
+    def delete(self, identity, id_, revision_id=None, uow=None, **kwargs):
         """Delete a comment (only comments can be deleted)."""
         event = self._get_event(id_)
         request_id = event.request_id
         request = self._get_request(request_id)
 
         # Permissions
         self.require_permission(
-            identity, "delete_comment", request=request, event=event
+            identity, "delete_comment", request=request, event=event, **kwargs
         )
         self.check_revision_id(event, revision_id)
 
@@ -188,7 +204,9 @@ def search(
 
         # Permissions - guarded by the request's can_read.
         request = self._get_request(request_id)
-        self.require_permission(identity, "read", request=request)
+        self.require_permission(
+            identity, "read", request=request, params=params, **kwargs
+        )
 
         # Prepare and execute the search
         search = self._search(

invenio_requests/services/requests/service.py

@@ -74,9 +74,19 @@ def create(
         expires_at=None,
         uow=None,
         expand=False,
+        **kwargs,
     ):
         """Create a record."""
-        self.require_permission(identity, "create")
+        self.require_permission(
+            identity,
+            "create",
+            request_type=request_type,
+            receiver=receiver,
+            creator=creator,
+            record=topic,
+            expires_at=expires_at,
+            **kwargs,
+        )
 
         # we're not using "self.schema" b/c the schema may differ per
         # request type!
@@ -134,11 +144,11 @@ def create(
             expand=expand,
         )
 
-    def read(self, identity, id_, expand=False):
+    def read(self, identity, id_, expand=False, **kwargs):
         """Retrieve a request."""
         # resolve and require permission
         request = self.record_cls.get_record(id_)
-        self.require_permission(identity, f"read", request=request)
+        self.require_permission(identity, f"read", request=request, **kwargs)
 
         # run components
         for component in self.components:
@@ -156,13 +166,17 @@ def read(self, identity, id_, expand=False):
         )
 
     @unit_of_work()
-    def update(self, identity, id_, data, revision_id=None, uow=None, expand=False):
+    def update(
+        self, identity, id_, data, revision_id=None, uow=None, expand=False, **kwargs
+    ):
         """Update a request."""
         request = self.record_cls.get_record(id_)
 
         self.check_revision_id(request, revision_id)
 
-        self.require_permission(identity, f"update", record=request, request=request)
+        self.require_permission(
+            identity, f"update", record=request, request=request, data=data, **kwargs
+        )
 
         # we're not using "self.schema" b/c the schema may differ per
         # request type!
@@ -194,15 +208,15 @@ def update(self, identity, id_, data, revision_id=None, uow=None, expand=False):
         )
 
     @unit_of_work()
-    def delete(self, identity, id_, uow=None):
+    def delete(self, identity, id_, uow=None, **kwargs):
         """Delete a request from database and search indexes."""
         request = self.record_cls.get_record(id_)
 
         # TODO do we need revisions for requests?
         # self.check_revision_id(request, revision_id)
 
         # check permissions
-        self.require_permission(identity, f"action_delete", request=request)
+        self.require_permission(identity, f"action_delete", request=request, **kwargs)
 
         # run components
         self.run_components("delete", identity, record=request, uow=uow)
@@ -238,7 +252,14 @@ def execute_action(
 
         # Check permissions - example of permission: can_cancel_submitted
         permission_name = f"action_{action}"
-        self.require_permission(identity, permission_name, request=request)
+        self.require_permission(
+            identity,
+            permission_name,
+            request=request,
+            action_obj=action,
+            data=data,
+            **kwargs,
+        )
 
         # Check if the action *can* be executed (i.e. a given state transition
         # is allowed).
@@ -279,7 +300,9 @@ def search_user_requests(
         The user is able to search the requests that were created by them
         they are the receiver or they got access via the requests topic e.g record sharing.
         """
-        self.require_permission(identity, "search_user_requests")
+        self.require_permission(
+            identity, "search_user_requests", params=params, **kwargs
+        )
 
         # Prepare and execute the search
         params = params or {}