Properties can be removed although only `UPDATE:PROPERTY:ADD` permissions are granted
Consider the following:
```python
import caosdb as db
from caosdb import administration as admin

core_model_deny_permissions = [
    "DELETE",
    "UPDATE:*",
    "EDIT:ACL"
]
core_model_grant_permissions = [
    "RETRIEVE:*",
    "USE:*",
    "UPDATE:PROPERTY:ADD"
]

prop = db.Property(name="TestProp", datatype=db.TEXT).insert()
rt = db.RecordType(name="TestRT").add_property(prop).insert()

for d in core_model_deny_permissions:
    # First deny so that later the "UPDATE:PROPERTY:ADD" permission can be granted explicitly
    rt.deny(role="curator", priority=True, permission=d)
rt.update_acl()

# retrieve again to be sure
rt.retrieve(flags={"ACL": None})

for g in core_model_grant_permissions:
    rt.grant(role="curator", priority=True, permission=g)
rt.update_acl()
```
Afterwards, a user with the curator role can remove `TestProp` from `TestRT` even though this should still be forbidden.