{"id":6382,"library":"invenio-records-permissions","title":"Invenio-Records-Permissions","description":"Invenio-Records-Permissions is a Python library that provides a flexible access control system for Invenio records, allowing developers to define and enforce permission policies for various record-related actions. It is a core module within the InvenioRDM ecosystem. The library is actively maintained, with recent updates in early 2026, often released in conjunction with other Invenio modules and InvenioRDM releases.","status":"active","version":"2.0.1","language":"en","source_language":"en","source_url":"https://github.com/inveniosoftware/invenio-records-permissions","tags":["invenio","permissions","access-control","records","flask"],"install":[{"cmd":"pip install invenio-records-permissions","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"Provides the core Permission object and Needs (e.g., UserNeed, RoleNeed) which are fundamental for defining permission policies.","package":"invenio-access","optional":true},{"reason":"Used in conjunction with Invenio-Access for identity management and defining 'Needs' for permission checks.","package":"flask-principal","optional":true}],"imports":[{"symbol":"Generator","correct":"from invenio_records_permissions.generators import Generator"},{"symbol":"SystemProcess","correct":"from invenio_records_permissions.generators import SystemProcess"},{"note":"The core `Permission` object itself comes from `invenio-access`, not `invenio-records-permissions`. The latter provides `PermissionPolicy` classes and `Generators`.","wrong":"from invenio_records_permissions.permissions import Permission","symbol":"Permission","correct":"from invenio_access import Permission"}],"quickstart":{"code":"from invenio_access import Permission\nfrom flask_principal import UserNeed\nfrom invenio_records_permissions.generators import AnyUser\n\n# Example of a simple permission factory\ndef owner_permission_factory(record=None):\n    \"\"\"Grants permission if the current user is the record owner.\"\"\"\n    if record and \"owner\" in record:\n        # In a real application, 'record[\"owner\"]' would be the user ID\n        # and UserNeed would compare against the authenticated user's ID.\n        return Permission(UserNeed(record[\"owner\"]))\n    return Permission()\n\n# Example of a basic permission policy\nclass MyRecordPermissionPolicy:\n    can_read = [AnyUser()]\n    can_create = [AnyUser()] # For simplicity, usually restricted\n    can_update = [owner_permission_factory]\n    can_delete = [owner_permission_factory]\n\n# How you might use a generator directly (e.g., in a Policy's can_read list)\n# This is typically integrated into an Invenio application context.\nprint(f\"Can any user read? {AnyUser().needs(record=None)}\")\n","lang":"python","description":"This quickstart demonstrates how to define a custom permission factory using `invenio-access`'s `Permission` and `flask-principal`'s `UserNeed`, and how to structure a basic permission policy. The `invenio-records-permissions` library primarily provides `Generators` and `PermissionPolicy` classes to organize and apply these permission checks within an Invenio application."},"warnings":[{"fix":"Consult the Invenio documentation on 'Managing access to records' to understand their distinct roles and implementation patterns.","message":"Understanding the difference between a 'permission factory' and a 'search filter' is crucial. A permission factory processes a single record to determine access, while a search filter operates on the current user to filter search results efficiently across multiple records.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Implement a dedicated permission factory or policy method for file access that references the record's permission model.","message":"Invenio-Records-Permissions, by design, does not automatically set permissions for files attached to records. It is the developer's responsibility to implement specific permission logic for file access based on the associated record's permissions.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Review the release notes for InvenioRDM and relevant Invenio modules when upgrading, especially for changes in record data models or core APIs that permission logic might rely on. Ensure permission factories correctly handle updated record structures.","message":"Major versions of the overarching InvenioRDM platform (e.g., v1.x to v2.x) can introduce significant changes to record serialization (e.g., for versioning) or core components, which might indirectly impact how permission policies are structured or how record data is accessed for permission checks.","severity":"breaking","affected_versions":"InvenioRDM v2.0.0 and later (relevant for underlying Invenio functionality)"},{"fix":"Familiarize yourself with the `invenio-access` documentation. Start with simple Needs and Permissions and gradually build complexity.","message":"The concepts of 'Needs' and 'Permissions' from `invenio-access` can initially be abstract. A 'Need' represents a specific requirement (e.g., 'user ID 1', 'admin role'), while a 'Permission' is a collection of Needs.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-15T00:00:00.000Z","next_check":"2026-07-14T00:00:00.000Z"}