Invenio-Records-Permissions
Invenio-Records-Permissions is a Python library that provides a flexible access control system for Invenio records, allowing developers to define and enforce permission policies for various record-related actions. It is a core module within the InvenioRDM ecosystem. The library is actively maintained, with recent updates in early 2026, often released in conjunction with other Invenio modules and InvenioRDM releases.
Warnings
- gotcha: Understanding the difference between a 'permission factory' and a 'search filter' is crucial. A permission factory processes a single record to determine access, while a search filter operates on the current user to filter search results efficiently across multiple records.
- gotcha: Invenio-Records-Permissions, by design, does not automatically set permissions for files attached to records. It is the developer's responsibility to implement specific permission logic for file access based on the associated record's permissions.
- breaking: Major versions of the overarching InvenioRDM platform (e.g., v1.x to v2.x) can introduce significant changes to record serialization (e.g., for versioning) or core components, which might indirectly impact how permission policies are structured or how record data is accessed for permission checks.
- gotcha: The concepts of 'Needs' and 'Permissions' from `invenio-access` can initially be abstract. A 'Need' represents a specific requirement (e.g., 'user ID 1', 'admin role'), while a 'Permission' is a collection of Needs.
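The first warning above separates the per-record permission check from the search filter. The following added example (not code from the library or from this page) models both sides in plain Python and reports records where they disagree; `Need`, `PublicOrOwner`, `LeakyFilter`, `query_filter`, the sample index and the identity are all constructed for illustration, and a predicate stands in for a real search query.

```python
from collections import namedtuple

# Library-free stand-in for a (method, value) need; all names here are hypothetical.
Need = namedtuple("Need", ["method", "value"])
ANY_USER = Need("system_role", "any_user")

class PublicOrOwner:
    """Model generator: public records for everyone, restricted ones for the owner."""

    def needs(self, record):
        # Permission-factory side: inspects ONE record.
        if record["access"] == "public":
            return {ANY_USER}
        return {Need("id", record["owner"])}

    def query_filter(self, identity):
        # Search-filter side: inspects the IDENTITY, returns a predicate for all records.
        user_ids = {n.value for n in identity if n.method == "id"}
        return lambda rec: rec["access"] == "public" or rec["owner"] in user_ids

class LeakyFilter(PublicOrOwner):
    """Same per-record rule, but the search side forgets the access field."""

    def query_filter(self, identity):
        return lambda rec: True

def allowed(generator, identity, record):
    """Per-record decision: does the identity provide any required need?"""
    return bool(generator.needs(record) & identity)

def search(generator, identity, index):
    """Ids a search would list for this identity."""
    keep = generator.query_filter(identity)
    return [rec["id"] for rec in index if keep(rec)]

def mismatches(generator, identity, index):
    """Ids where the search listing and the per-record check disagree."""
    listed = set(search(generator, identity, index))
    return sorted(r["id"] for r in index
                  if (r["id"] in listed) != allowed(generator, identity, r))

# Constructed sample index and identity.
INDEX = [
    {"id": "rec-1", "access": "public", "owner": 1},
    {"id": "rec-2", "access": "restricted", "owner": 1},
    {"id": "rec-3", "access": "restricted", "owner": 2},
]
USER_2 = {ANY_USER, Need("id", 2)}
```

Running `mismatches` over every policy action in a test suite catches the case where a record is hidden on its detail page but still listed in search results.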
Install
- `pip install invenio-records-permissions`
Imports
- Generator: `from invenio_records_permissions.generators import Generator`
- SystemProcess: `from invenio_records_permissions.generators import SystemProcess`
- Permission: `from invenio_access import Permission`
Quickstart
```python
from flask_principal import UserNeed
from invenio_access import Permission
from invenio_records_permissions.generators import AnyUser, Generator
from invenio_records_permissions.policies import BasePermissionPolicy


# Example of a simple permission factory
def owner_permission_factory(record=None):
    """Grants permission if the current user is the record owner."""
    if record and "owner" in record:
        # In a real application, record["owner"] would be the user ID
        # and UserNeed would compare against the authenticated user's ID.
        return Permission(UserNeed(record["owner"]))
    return Permission()


# Policy lists hold generator instances, not factories, so the same
# owner rule is expressed here as a generator.
class RecordOwner(Generator):
    """Requires the UserNeed of the record's owner."""

    def needs(self, record=None, **kwargs):
        if record and "owner" in record:
            return [UserNeed(record["owner"])]
        return []


# Example of a basic permission policy
class MyRecordPermissionPolicy(BasePermissionPolicy):
    can_read = [AnyUser()]
    can_create = [AnyUser()]  # For simplicity, usually restricted
    can_update = [RecordOwner()]
    can_delete = [RecordOwner()]


# How you might use a generator directly (e.g., in a Policy's can_read list)
# This is typically integrated into an Invenio application context.
print(f"Can any user read? {AnyUser().needs(record=None)}")
```