Policies: prevent changing or removing replication or revision metadata

UtrechtUniversity · Oct 26, 2023 · c9faab9 · c9faab9
1 parent 307e9ee
commit c9faab9
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/policies.py b/policies.py
@@ -365,6 +365,16 @@ def py_acPreProcForModifyAVUMetadata(ctx, option, obj_type, obj_name, attr, valu
 
         return policies_folder_status.pre_status_transition(ctx, obj_name, x[0], x[1])
 
+    elif (space in [pathutil.Space.RESEARCH, pathutil.Space.DEPOSIT]
+          and attr in [constants.UUORGMETADATAPREFIX + "revision_scheduled",
+                       constants.UUORGMETADATAPREFIX + "replication_scheduled"]):
+        # Research or deposit orginizational metadata.
+        if user.is_admin(ctx, actor):
+            return policy.succeed()
+
+        if option not in ['add']:
+            return policy.fail('Only "add" operations allowed on attribute')
+
     elif space is pathutil.Space.VAULT and attr == constants.IIVAULTSTATUSATTRNAME:
         if not user.is_admin(ctx, actor):
             return policy.fail('No permission to change vault status')