Hi,

yesterday I did my first test configuring a bibliographic MARC tag
that (using CFG_BIBFORMAT_HIDDEN_TAGS) should be visible only to
cataloguers.  It did work perfectly using the web interface, thanks.
Unfortunately, my batch scripts using those values failed because they
do not belong to any session that has runbibedit capabilities.

I have been following the authorization logic, and it gets the
permission (runbibedit) from access_control_engine.py
(acc_authorize_action) and the user details from webuser.py
(collect_user_info).

Before I try to start hacking, I'd like to know if this approach makes
sense:  if there is no req object, there is no user and we can assume
that it is run from a local script, and so, it may have all
permissions.  The code starts here:

http://invenio-software.org/repo/invenio/tree/modules/websession/lib/webuser.py?h=maint-1.1#n1157

In other words, uid == -1 is like admin.  Is my approach sensible, or am
I missing something and running into a dangerous zone?

Thanks,

Ferran
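
The trade-off in the question above, as an added example that is not part of the original message and is not Invenio code: a small model comparing "no req object means all permissions" with a variant in which a batch script must present an explicit local identity. All names and values (authorize_implicit, authorize_explicit, BatchIdentity, tag 595, the users and roles) are hypothetical and constructed for illustration.

```python
# Added illustration: a self-contained model, not Invenio code.
# Every name and value below is a hypothetical stand-in.
HIDDEN_TAGS = {"595"}                          # constructed hidden MARC tag
ROLE_ACTIONS = {"cataloguer": {"runbibedit"}}  # constructed role table
USER_ROLES = {7: "cataloguer", 12: "reader"}   # constructed users
RECORD = {"245": "A title", "595": "internal cataloguing note"}  # constructed


def uid_from_request(req):
    """Model of the user lookup: no request object gives the sentinel -1."""
    return req["uid"] if req is not None else -1


def authorize_implicit(req, action):
    """The approach asked about: uid == -1 is treated like admin."""
    uid = uid_from_request(req)
    if uid == -1:
        return True
    return action in ROLE_ACTIONS.get(USER_ROLES.get(uid), set())


class BatchIdentity:
    """Identity a local script has to construct on purpose."""
    def __init__(self, script, actions):
        self.script = script
        self.actions = frozenset(actions)


def authorize_explicit(req, action, batch=None):
    """Alternative: a missing request alone grants nothing (fail closed)."""
    if req is None:
        return batch is not None and action in batch.actions
    return action in ROLE_ACTIONS.get(USER_ROLES.get(req["uid"]), set())


def visible_tags(record, can_edit):
    """Return the record with hidden tags dropped unless the caller may edit."""
    return {t: v for t, v in record.items() if can_edit or t not in HIDDEN_TAGS}


def format_without_request(authorize):
    """Models a web code path that reaches the formatter without passing req."""
    return visible_tags(RECORD, authorize(None, "runbibedit"))


if __name__ == "__main__":
    export = BatchIdentity("nightly_export", {"runbibedit"})
    print(format_without_request(authorize_implicit))   # hidden tag included
    print(format_without_request(authorize_explicit))   # hidden tag dropped
    print(visible_tags(RECORD, authorize_explicit(None, "runbibedit", export)))
```

In this model the implicit rule exposes the hidden tag on any path that reaches the check without a request object, while the explicit variant grants it only to a script that built a BatchIdentity.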