
[ENG-3685] Add permissions for withdrawn registration files

Open uditijmehta opened this issue 1 year ago • 1 comments

Purpose

Implement custom permissions to handle file access for withdrawn registrations.

Changes

  • Added WithdrawnRegistrationPermission and updated FileDetailPermission to enforce access control for withdrawn registrations.
  • Restrict API response

Ticket

<https://openscience.atlassian.net/browse/ENG-3685>

uditijmehta • Jun 25 '24 20:06

So, I looked into this a while ago, and I think the actual easiest thing to do is to add a check for target.is_retracted the same way we do for target.deleted here (or, technically, getattr(target, 'is_retracted', False))

I don't love mixing permissions in with the get_queryset functionality, but a) we already do it and b) it feels significantly more appropriate for something that we want to universally mark GONE than for actual permissions.

Also, want to update get_auth here to make sure that WB download links also break (since retractions are always visible)

jwalz • Jun 26 '24 20:06
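The approach suggested in the comment above, sketched as an added example in plain Python (not code from the osf.io repository): one availability gate shared by the file-listing path and the download-authorization path, so a withdrawn registration's files are GONE on both even for a user who can read the registration. Every name here (`Gone`, `ensure_target_available`, `list_files`, `authorize_download`, `status_of`, and the two model classes) is hypothetical and only stands in for the `get_queryset` and `get_auth` code the comment refers to.

```python
from dataclasses import dataclass


class Gone(Exception):
    """Stands in for an HTTP 410 response (hypothetical name)."""
    status_code = 410


@dataclass
class Node:  # constructed model: has no is_retracted attribute at all
    deleted: bool = False


@dataclass
class Registration:  # constructed model: can be withdrawn (retracted)
    deleted: bool = False
    is_retracted: bool = False


def ensure_target_available(target):
    """Single gate for both paths: raise Gone for deleted or withdrawn targets."""
    if target.deleted:
        raise Gone("target was deleted")
    # getattr with a default, because not every file target has is_retracted
    if getattr(target, "is_retracted", False):
        raise Gone("registration was withdrawn")
    return target


def list_files(target, files):
    """API listing path (stands in for a get_queryset-style lookup)."""
    ensure_target_available(target)
    return list(files)


def authorize_download(target, user_can_read):
    """Download path (stands in for a get_auth-style check).

    The gate runs before the permission result is used: a withdrawn
    registration stays visible, so read access alone must not allow download.
    """
    ensure_target_available(target)
    return bool(user_can_read)


def status_of(call, *args):
    """Return 200 on success, or the status code of the Gone that was raised."""
    try:
        call(*args)
        return 200
    except Gone as exc:
        return exc.status_code
```
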