Adding a user to the superuser-access role locks out from viewing all unregistered users about invenio-access HOT 6 CLOSED

cc: @inveniosoftware/triagers

from invenio-access.

This is sort of feature, since it's documented:
https://pythonhosted.org/invenio-access/usage.html#action-needs
[...]
If no role or user is attached anybody can perform the action. You can verify this behavior using following commands.
[...]

Implying that consequently, if a user or role is attached then nobody but the user or role can perform the action.

However as @jacquerie notes, in the normal context of a webserver, and digital library, it's a standard to have an admin user, which should not imply that any other user is then forbidden to perform the given action.

That said: what about changing the default behavior for certain actions? (This was actually the case on Invenio1, where out-of-the-box we were shipping default sensible authorizations with either allow any or deny all modes). Alternatively what is the easy recipe to authorize by default all guests users to perform a certain action?

from invenio-access.

Hmm, maybe there should be a default 'public' action/role registered for some of the actions (like viewing a record).

from invenio-access.

You can allow certain action to all users (sadly not available via CLI yet).

from invenio-access.

FYI I am about to start working on improving the cli. Please see comments in #73.

from invenio-access.

Since #73 has been merged one can explicitly grant access for anybody:

$ flask access allow <ACTION> any

from invenio-access.