Skip to content

Add tool: set ORIGINAL bundle resource policies by handle#266

Open
milanmajchrak wants to merge 2 commits into
mainfrom
set-original-bundle-policies-tool
Open

Add tool: set ORIGINAL bundle resource policies by handle#266
milanmajchrak wants to merge 2 commits into
mainfrom
set-original-bundle-policies-tool

Conversation

@milanmajchrak

@milanmajchrak milanmajchrak commented Jun 15, 2026

Copy link
Copy Markdown
Collaborator

Problem description

We need to (re)set resource policies on the ORIGINAL bundle of specific items, addressed by handle — e.g. to embargo original files (admin-only) or to make them anonymously readable with no start date. The existing tools/policy_and_auth/policy.py works per community (by UUID), not per handle.

What this adds

A new self-contained tool tools/set_original_policies/:

  • Resolves each handle to an item UUID via /api/pid/find, falling back to the discovery search API.
  • Finds the item's ORIGINAL bundle and (optionally) its bitstreams.
  • For a chosen action (default READ): deletes the existing policies for that action and creates a single policy granting it to a configurable group (name or UUID, default Administrator).

Configurable (vs. Administrator/READ-only)

  • --group — group name or UUID (default Administrator).
  • --actionREAD (default) / WRITE / ADD / REMOVE / DELETE / ADMIN.
  • --apply-tobundle, bitstreams, or both (default bundle).

Authentication (DSpace 7/8 Bearer-JWT)

Same flow as PR #264GET /api/security/csrfPOST /api/authn/loginAuthorization: Bearer <jwt> + X-XSRF-TOKEN on every request. Two modes:

  • credential login (--email, password via --password / DSPACE_PASSWORD / prompt), or
  • a pre-obtained --bearer-token (or DSPACE_BEARER_TOKEN) — login is skipped and logout is not called so the supplied token stays valid.

Other

  • Handle input via --handles (CSV), repeated --handle, or --handles-file (one per line, # comments); de-duplicated.
  • --dry-run, explicit --timeout-sec, --retry-count, --retry-backoff-sec with exponential backoff, --continue-on-bitstream-error, --log-file.
  • Non-zero exit code if any handle/bitstream update fails.

Relationship to #264

This generalises the replace_resource_policies tool from #264 (which is Administrator/READ-only): configurable group + action, bundle-only option, file handle input, and direct Bearer-token auth. It is fully standalone (depends only on requests, imports nothing from src/).

Testing

  • python -m py_compile clean; --help renders.
  • Unit-level checks of handle parsing (CSV/file/# comments), de-duplication, and group UUID-vs-name detection.
  • Auth-arg validation and the --bearer-token branch verified locally (skips login, goes straight to CSRF).
  • ⚠️ Not yet exercised end-to-end against a live DSpace instance — please run with --dry-run first.

🤖 Generated with Claude Code

milanmajchrak and others added 2 commits June 15, 2026 15:12
tools/set_original_policies: standalone script that resolves item handles
to UUIDs and replaces resource policies on each item's ORIGINAL bundle
(and optionally its bitstreams) with a single policy for a configurable
group and action.

Generalises the replace_resource_policies tool (PR #264): configurable
--group (name or UUID) and --action instead of Administrator/READ only,
--apply-to bundle|bitstreams|both, Bearer-JWT auth via login OR a
pre-obtained --bearer-token, CSV/repeated/file handle input, dry-run,
and bounded retry/backoff. No dependency on src/settings.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The common case is to update the ORIGINAL bundle policy without touching
every bitstream, so make 'bundle' the default; pass --apply-to both (or
bitstreams) to include them. Docs updated to match.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant