Policies: prevent changing or removing replication or revision metadata

UtrechtUniversity · Nov 29, 2023 · 0af1b3b · 0af1b3b
1 parent 193fa6a
commit 0af1b3b
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/policies.py b/policies.py
@@ -365,6 +365,18 @@ def py_acPreProcForModifyAVUMetadata(ctx, option, obj_type, obj_name, attr, valu
 
         return policies_folder_status.pre_status_transition(ctx, obj_name, x[0], x[1])
 
+    elif (space in [pathutil.Space.RESEARCH, pathutil.Space.DEPOSIT]
+          and attr in [constants.UUORGMETADATAPREFIX + "revision_scheduled",
+                       constants.UUORGMETADATAPREFIX + "replication_scheduled"]):
+        # Research or deposit organizational metadata.
+        if user.is_admin(ctx, actor):
+            return policy.succeed()
+
+        if option in ['add']:
+            return policy.succeed()
+        else:
+            return policy.fail('Only "add" operations allowed on attribute')
+
     elif space is pathutil.Space.VAULT and attr == constants.IIVAULTSTATUSATTRNAME:
         if not user.is_admin(ctx, actor):
             return policy.fail('No permission to change vault status')