Added new storage_* permissions

mcanu · mcanu · commit e0b4f5dacaa6 · 2025-10-17T16:30:22.000-03:00
diff --git a/label_studio/core/permissions.py b/label_studio/core/permissions.py
@@ -49,6 +49,10 @@ class AllPermissions(BaseModel):
     webhooks_change: str = 'webhooks.change'
     users_token_any: str = 'users.token.any'
 
+    storages_view: str = 'storages.view'
+    storages_change: str = 'storages.change'
+    storages_sync: str = 'storages.sync'
+
 
 all_permissions = AllPermissions()
 
diff --git a/label_studio/core/settings/base.py b/label_studio/core/settings/base.py
@@ -630,7 +630,6 @@
 TASK_SERIALIZER_BULK = 'tasks.serializers.BaseTaskSerializerBulk'
 PREPROCESS_FIELD_NAME = 'data_manager.functions.preprocess_field_name'
 INTERACTIVE_DATA_SERIALIZER = 'data_export.serializers.BaseExportDataSerializerForInteractive'
-STORAGE_PERMISSION = 'io_storages.permissions.StoragePermission'
 PROJECT_IMPORT_PERMISSION = 'projects.permissions.ProjectImportPermission'
 DELETE_TASKS_ANNOTATIONS_POSTPROCESS = None
 FEATURE_FLAGS_GET_USER_REPR = 'core.feature_flags.utils.get_user_repr'
diff --git a/label_studio/io_storages/all_api.py b/label_studio/io_storages/all_api.py
@@ -69,7 +69,7 @@ def _get_common_storage_list():
     ),
 )
 class AllImportStorageTypesAPI(APIView):
-    permission_required = all_permissions.projects_change
+    permission_required = all_permissions.storages_view
 
     def get(self, request, **kwargs):
         return Response([{'name': s['name'], 'title': s['title']} for s in _common_storage_list])
@@ -104,7 +104,7 @@ def get(self, request, **kwargs):
     ),
 )
 class AllExportStorageTypesAPI(APIView):
-    permission_required = all_permissions.projects_change
+    permission_required = all_permissions.storages_view
 
     def get(self, request, **kwargs):
         return Response([{'name': s['name'], 'title': s['title']} for s in _common_storage_list])
@@ -126,7 +126,7 @@ def get(self, request, **kwargs):
 )
 class AllImportStorageListAPI(generics.ListAPIView):
     parser_classes = (JSONParser, FormParser, MultiPartParser)
-    permission_required = all_permissions.projects_change
+    permission_required = all_permissions.storages_view
 
     def _get_response(self, api, request, *args, **kwargs):
         try:
@@ -164,7 +164,7 @@ def list(self, request, *args, **kwargs):
 class AllExportStorageListAPI(generics.ListAPIView):
 
     parser_classes = (JSONParser, FormParser, MultiPartParser)
-    permission_required = all_permissions.projects_change
+    permission_required = all_permissions.storages_view
 
     def _get_response(self, api, request, *args, **kwargs):
         try:
diff --git a/label_studio/io_storages/api.py b/label_studio/io_storages/api.py
@@ -5,7 +5,7 @@
 import os
 import time
 
-from core.permissions import all_permissions
+from core.permissions import ViewClassPermission, all_permissions
 from core.utils.io import read_yaml
 from django.conf import settings
 from drf_spectacular.utils import extend_schema
@@ -15,18 +15,15 @@
 from rest_framework.exceptions import NotFound, ValidationError
 from rest_framework.parsers import FormParser, JSONParser, MultiPartParser
 from rest_framework.response import Response
-from rest_framework.settings import api_settings
-
-from label_studio.core.utils.common import load_func
 
 logger = logging.getLogger(__name__)
 
-StoragePermission = load_func(settings.STORAGE_PERMISSION)
-
 
 class ImportStorageListAPI(generics.ListCreateAPIView):
-    permission_required = all_permissions.projects_change
-    permission_classes = api_settings.DEFAULT_PERMISSION_CLASSES + [StoragePermission]
+    permission_required = ViewClassPermission(
+        GET=all_permissions.storages_view,
+        POST=all_permissions.storages_change,
+    )
     parser_classes = (JSONParser, FormParser, MultiPartParser)
 
     serializer_class = ImportStorageSerializer
@@ -46,8 +43,12 @@ def get_queryset(self):
 class ImportStorageDetailAPI(generics.RetrieveUpdateDestroyAPIView):
     """RUD storage by pk specified in URL"""
 
-    permission_required = all_permissions.projects_change
-    permission_classes = api_settings.DEFAULT_PERMISSION_CLASSES + [StoragePermission]
+    permission_required = ViewClassPermission(
+        GET=all_permissions.storages_view,
+        PATCH=all_permissions.storages_change,
+        PUT=all_permissions.storages_change,
+        DELETE=all_permissions.storages_change,
+    )
     parser_classes = (JSONParser, FormParser, MultiPartParser)
     serializer_class = ImportStorageSerializer
 
@@ -58,8 +59,10 @@ def put(self, request, *args, **kwargs):
 
 class ExportStorageListAPI(generics.ListCreateAPIView):
 
-    permission_required = all_permissions.projects_change
-    permission_classes = api_settings.DEFAULT_PERMISSION_CLASSES + [StoragePermission]
+    permission_required = ViewClassPermission(
+        GET=all_permissions.storages_view,
+        POST=all_permissions.storages_change,
+    )
     parser_classes = (JSONParser, FormParser, MultiPartParser)
     serializer_class = ExportStorageSerializer
 
@@ -91,8 +94,12 @@ def perform_create(self, serializer):
 class ExportStorageDetailAPI(generics.RetrieveUpdateDestroyAPIView):
     """RUD storage by pk specified in URL"""
 
-    permission_required = all_permissions.projects_change
-    permission_classes = api_settings.DEFAULT_PERMISSION_CLASSES + [StoragePermission]
+    permission_required = ViewClassPermission(
+        GET=all_permissions.storages_view,
+        PATCH=all_permissions.storages_change,
+        PUT=all_permissions.storages_change,
+        DELETE=all_permissions.storages_change,
+    )
     parser_classes = (JSONParser, FormParser, MultiPartParser)
     serializer_class = ExportStorageSerializer
 
@@ -103,7 +110,9 @@ def put(self, request, *args, **kwargs):
 
 class ImportStorageSyncAPI(generics.GenericAPIView):
 
-    permission_required = all_permissions.projects_change
+    permission_required = ViewClassPermission(
+        POST=all_permissions.storages_sync,
+    )
     parser_classes = (JSONParser, FormParser, MultiPartParser)
     serializer_class = ImportStorageSerializer
 
@@ -125,7 +134,9 @@ def post(self, request, *args, **kwargs):
 
 class ExportStorageSyncAPI(generics.GenericAPIView):
 
-    permission_required = all_permissions.projects_change
+    permission_required = ViewClassPermission(
+        POST=all_permissions.storages_sync,
+    )
     parser_classes = (JSONParser, FormParser, MultiPartParser)
     serializer_class = ExportStorageSerializer
 
@@ -147,7 +158,7 @@ def post(self, request, *args, **kwargs):
 
 class StorageValidateAPI(generics.CreateAPIView):
 
-    permission_required = all_permissions.projects_change
+    permission_required = all_permissions.storages_change
     parser_classes = (JSONParser, FormParser, MultiPartParser)
 
     def create(self, request, *args, **kwargs):
@@ -160,8 +171,7 @@ def create(self, request, *args, **kwargs):
 @extend_schema(exclude=True)
 class ImportStorageListFilesAPI(generics.CreateAPIView):
 
-    permission_required = all_permissions.projects_change
-    permission_classes = api_settings.DEFAULT_PERMISSION_CLASSES + [StoragePermission]
+    permission_required = all_permissions.storages_change
     parser_classes = (JSONParser, FormParser, MultiPartParser)
     serializer_class = None  # Default serializer
 
@@ -203,7 +213,7 @@ def create(self, request, *args, **kwargs):
 @extend_schema(exclude=True)
 class StorageFormLayoutAPI(generics.RetrieveAPIView):
 
-    permission_required = all_permissions.projects_change
+    permission_required = all_permissions.storages_change
     parser_classes = (JSONParser, FormParser, MultiPartParser)
     storage_type = None
 
diff --git a/label_studio/io_storages/permissions.py b/label_studio/io_storages/permissions.py
