[ENG-5966] 2.0.1 BE: Update permission to support edit as a WRITE con…

…tributor (#10741) * reorganize tests to ensure contributor permissions visible * allow read permissions for non-public contributors * fix testing issues and clean-up permissions changes * fix up author assertion permissions to be admin only * change test file name * improve tests institution relationship add affiliation addition/removal * Sync diff between #10739 and #10687 * Fix flake8 * Fix WriteOrPublicForRelationshipInstitutions for nodes * Fix incorrect `.can_edit()` call for preprints --------- Co-authored-by: John Tordoff <[email protected]>
CenterForOpenScience · Sep 6, 2024 · 2e0531f · 2e0531f
1 parent 6e8bdff
commit 2e0531f
Show file tree

Hide file tree

Showing 5 changed files with 568 additions and 608 deletions.
diff --git a/api/base/permissions.py b/api/base/permissions.py
@@ -8,7 +8,7 @@
 from framework.auth import oauth_scopes
 from framework.auth.cas import CasResponse
 
-from osf.models import ApiOAuth2Application, ApiOAuth2PersonalToken
+from osf.models import ApiOAuth2Application, ApiOAuth2PersonalToken, Preprint
 from osf.utils import permissions as osf_permissions
 from website.util.sanitize import is_iterable_but_not_string
 from api.base.utils import get_user_auth
@@ -173,4 +173,6 @@ def has_object_permission(self, request, view, obj):
         if request.method in permissions.SAFE_METHODS:
             return resource.is_public or resource.can_view(auth)
         else:
+            if isinstance(resource, Preprint):
+                return resource.can_edit(auth=auth)
             return resource.has_permission(auth.user, osf_permissions.WRITE)
diff --git a/api/preprints/serializers.py b/api/preprints/serializers.py
@@ -369,59 +369,7 @@ def update(self, preprint, validated_data):
             preprint.custom_publication_citation = validated_data['custom_publication_citation'] or None
             save_preprint = True
 
-        if 'has_coi' in validated_data:
-            try:
-                preprint.update_has_coi(auth, validated_data['has_coi'])
-            except PreprintStateError as e:
-                raise exceptions.ValidationError(detail=str(e))
-
-        if 'conflict_of_interest_statement' in validated_data:
-            try:
-                preprint.update_conflict_of_interest_statement(auth, validated_data['conflict_of_interest_statement'])
-            except PreprintStateError as e:
-                raise exceptions.ValidationError(detail=str(e))
-
-        if 'has_data_links' in validated_data:
-            try:
-                preprint.update_has_data_links(auth, validated_data['has_data_links'])
-            except PreprintStateError as e:
-                raise exceptions.ValidationError(detail=str(e))
-
-        if 'why_no_data' in validated_data:
-            try:
-                preprint.update_why_no_data(auth, validated_data['why_no_data'])
-            except PreprintStateError as e:
-                raise exceptions.ValidationError(detail=str(e))
-
-        if 'data_links' in validated_data:
-            try:
-                preprint.update_data_links(auth, validated_data['data_links'])
-            except PreprintStateError as e:
-                raise exceptions.ValidationError(detail=str(e))
-
-        if 'has_prereg_links' in validated_data:
-            try:
-                preprint.update_has_prereg_links(auth, validated_data['has_prereg_links'])
-            except PreprintStateError as e:
-                raise exceptions.ValidationError(detail=str(e))
-
-        if 'why_no_prereg' in validated_data:
-            try:
-                preprint.update_why_no_prereg(auth, validated_data['why_no_prereg'])
-            except PreprintStateError as e:
-                raise exceptions.ValidationError(detail=str(e))
-
-        if 'prereg_links' in validated_data:
-            try:
-                preprint.update_prereg_links(auth, validated_data['prereg_links'])
-            except PreprintStateError as e:
-                raise exceptions.ValidationError(detail=str(e))
-
-        if 'prereg_link_info' in validated_data:
-            try:
-                preprint.update_prereg_link_info(auth, validated_data['prereg_link_info'])
-            except PreprintStateError as e:
-                raise exceptions.ValidationError(detail=str(e))
+        self.handle_author_assertions(preprint, validated_data, auth)
 
         if published is not None:
             if not preprint.primary_file:
@@ -448,6 +396,76 @@ def update(self, preprint, validated_data):
 
         return preprint
 
+    def handle_author_assertions(self, preprint, validated_data, auth):
+        author_assertions = {
+            'has_coi',
+            'conflict_of_interest_statement',
+            'has_data_links',
+            'why_no_data',
+            'data_links',
+            'why_no_prereg',
+            'prereg_links',
+            'has_prereg_links',
+            'prereg_link_info',
+        }
+        if author_assertions & validated_data.keys():
+            if not preprint.is_admin_contributor(auth.user):
+                raise exceptions.PermissionDenied('User must be admin to add author assertions')
+
+            if 'has_coi' in validated_data:
+                try:
+                    preprint.update_has_coi(auth, validated_data['has_coi'])
+                except PreprintStateError as e:
+                    raise exceptions.ValidationError(detail=str(e))
+
+            if 'conflict_of_interest_statement' in validated_data:
+                try:
+                    preprint.update_conflict_of_interest_statement(auth, validated_data['conflict_of_interest_statement'])
+                except PreprintStateError as e:
+                    raise exceptions.ValidationError(detail=str(e))
+
+            if 'has_data_links' in validated_data:
+                try:
+                    preprint.update_has_data_links(auth, validated_data['has_data_links'])
+                except PreprintStateError as e:
+                    raise exceptions.ValidationError(detail=str(e))
+
+            if 'why_no_data' in validated_data:
+                try:
+                    preprint.update_why_no_data(auth, validated_data['why_no_data'])
+                except PreprintStateError as e:
+                    raise exceptions.ValidationError(detail=str(e))
+
+            if 'data_links' in validated_data:
+                try:
+                    preprint.update_data_links(auth, validated_data['data_links'])
+                except PreprintStateError as e:
+                    raise exceptions.ValidationError(detail=str(e))
+
+            if 'has_prereg_links' in validated_data:
+                try:
+                    preprint.update_has_prereg_links(auth, validated_data['has_prereg_links'])
+                except PreprintStateError as e:
+                    raise exceptions.ValidationError(detail=str(e))
+
+            if 'why_no_prereg' in validated_data:
+                try:
+                    preprint.update_why_no_prereg(auth, validated_data['why_no_prereg'])
+                except PreprintStateError as e:
+                    raise exceptions.ValidationError(detail=str(e))
+
+            if 'prereg_links' in validated_data:
+                try:
+                    preprint.update_prereg_links(auth, validated_data['prereg_links'])
+                except PreprintStateError as e:
+                    raise exceptions.ValidationError(detail=str(e))
+
+            if 'prereg_link_info' in validated_data:
+                try:
+                    preprint.update_prereg_link_info(auth, validated_data['prereg_link_info'])
+                except PreprintStateError as e:
+                    raise exceptions.ValidationError(detail=str(e))
+
     def set_field(self, func, val, auth, save=False):
         try:
             func(val, auth)