Skip to content

Commit a9ff5e7

Browse files
max-mosermax-moser
committed
permissions: disable write operations when read-only mode is on
1 parent 1cac72b commit a9ff5e7

File tree

1 file changed

+7
-6
lines changed

1 file changed

+7
-6
lines changed

invenio_users_resources/services/permissions.py

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@
1212
from invenio_records_permissions.generators import (
1313
AnyUser,
1414
AuthenticatedUser,
15+
DisableIfReadOnly,
1516
SystemProcess,
1617
)
1718

@@ -21,11 +22,11 @@
2122
class UsersPermissionPolicy(BasePermissionPolicy):
2223
"""Permission policy for users and user groups."""
2324

24-
can_create = [SystemProcess()]
25+
can_create = [SystemProcess(), DisableIfReadOnly()]
2526
can_read = [IfPublicUser([AnyUser()], [Self()]), SystemProcess()]
2627
can_search = [AuthenticatedUser(), SystemProcess()]
27-
can_update = [SystemProcess()]
28-
can_delete = [SystemProcess()]
28+
can_update = [SystemProcess(), DisableIfReadOnly()]
29+
can_delete = [SystemProcess(), DisableIfReadOnly()]
2930

3031
can_read_email = [IfPublicEmail([AnyUser()], [Self()]), SystemProcess()]
3132
can_read_details = [Self(), SystemProcess()]
@@ -34,8 +35,8 @@ class UsersPermissionPolicy(BasePermissionPolicy):
3435
class GroupsPermissionPolicy(BasePermissionPolicy):
3536
"""Permission policy for users and user groups."""
3637

37-
can_create = [SystemProcess()]
38+
can_create = [SystemProcess(), DisableIfReadOnly()]
3839
can_read = [AuthenticatedUser(), SystemProcess()]
3940
can_search = [AuthenticatedUser(), SystemProcess()]
40-
can_update = [SystemProcess()]
41-
can_delete = [SystemProcess()]
41+
can_update = [SystemProcess(), DisableIfReadOnly()]
42+
can_delete = [SystemProcess(), DisableIfReadOnly()]

0 commit comments

Comments
 (0)