feat: published data schema update

migrations/20260605150000-add-ownership-to-published-data.js

@@ -0,0 +1,50 @@
+module.exports = {
+  async up(db, client) {
+    // Add ownerGroup and ensure status for all PublishedData records
+    // Legacy records without ownerGroup should be accessible to everyone
+    // We set ownerGroup to "public" for backward compatibility
+
+    await db
+      .collection("PublishedData")
+      .find({
+        $or: [
+          { ownerGroup: { $exists: false } },
+          { ownerGroup: null },
+        ],
+      })
+      .forEach(async (publishedData) => {
+        const pid = publishedData._id;
+
+        // Set default ownerGroup to "public" for backward compatibility
+        // Set default status to "public" if not set or is null
+        const update = {
+          $set: {
+            ownerGroup: "public",
+          },
+        };
+
+        // If status is not set or is null, set it to PUBLIC
+        if (!publishedData.status || publishedData.status === null) {
+          update.$set.status = "public";
+        }
+
+        console.log(`Updating PublishedData (Id: ${pid}) with ownerGroup and status`);
+        await db.collection("PublishedData").updateOne(
+          { _id: pid },
+          update,
+        );
+      });
+  },
+  async down(db, client) {
+    // Remove ownerGroup from records that were added by this migration
+    // We can't easily revert this, but we'll unset ownerGroup for records that had it set to "public"
+    await db
+      .collection("PublishedData")
+      .updateMany(
+        { ownerGroup: "public" },
+        { $unset: { ownerGroup: true } },
+      );
+
+    console.log("Reverted ownerGroup for public records");
+  },
+};

src/casl/casl-ability.factory.ts

@@ -23,6 +23,7 @@
 import { Policy } from "src/policies/schemas/policy.schema";
 import { ProposalClass } from "src/proposals/schemas/proposal.schema";
 import { PublishedData } from "src/published-data/schemas/published-data.schema";
+import { PublishedDataStatus } from "src/published-data/interfaces/published-data.interface";
 import { SampleClass } from "src/samples/schemas/sample.schema";
 import { UserIdentity } from "src/users/schemas/user-identity.schema";
 import { UserSettings } from "src/users/schemas/user-settings.schema";
@@ -1093,24 +1094,56 @@
   }
 
   publishedDataEndpointAccess(user: JWTUser) {
-    const { can, build } = new AbilityBuilder(
+    const { can, cannot, build } = new AbilityBuilder(
       createMongoAbility<PossibleAbilities, Conditions>,
     );
-    if (user) {
-      can(Action.Read, PublishedData);
-      can(Action.Update, PublishedData);
+
+    // Unauthenticated users can only read publicly accessible records
+    if (!user) {
+      can(Action.Read, PublishedData, {
+        $or: [
+          { ownerGroup: { $exists: false } },
+          { status: PublishedDataStatus.PUBLIC },
+          { status: PublishedDataStatus.REGISTERED },
+          { status: PublishedDataStatus.AMENDED },
+        ],
+      });
+      cannot(Action.Create, PublishedData);
+      cannot(Action.Update, PublishedData);
+      cannot(Action.Delete, PublishedData);
+    } else {
+      // Authenticated users
+      // Read access: public records (PUBLIC, REGISTERED, AMENDED) OR legacy (no ownerGroup) OR private records where user is owner
+      can(Action.Read, PublishedData, {
+        $or: [
+          { ownerGroup: { $exists: false } },
+          { status: { $in: [PublishedDataStatus.PUBLIC, PublishedDataStatus.REGISTERED, PublishedDataStatus.AMENDED] } },
+          { $and: [
+            { status: PublishedDataStatus.PRIVATE },
+            { ownerGroup: { $in: user.currentGroups } },
+          ] },
+        ],
+      });
+
+      // Create access: all authenticated users can create
       can(Action.Create, PublishedData);
-    }
 
-    if (
-      user &&
-      user.currentGroups.some((g) => this.accessGroups?.delete.includes(g))
-    ) {
-      /*
-        / user that belongs to any of the group listed in DELETE_GROUPS
-        */
-      can(Action.Delete, PublishedData);
+      // Update access: owner of the record OR legacy records (no ownerGroup)
+      can(Action.Update, PublishedData, {
+        $or: [
+          { ownerGroup: { $in: user.currentGroups } },
+          { ownerGroup: { $exists: false } },
+        ],
+      });
+
+      // Delete access: only delete group members
+      if (user.currentGroups.some((g) => this.accessGroups?.delete.includes(g))) {
+        can(Action.Delete, PublishedData);
+      } else {
+        cannot(Action.Delete, PublishedData);
+      }
     }
+
     return build({
       detectSubjectType: (item) =>
         item.constructor as ExtractSubjectType<Subjects>,

src/published-data/dto/update-published-data.v4.dto.ts

@@ -6,50 +6,97 @@ import {
   IsOptional,
   IsString,
 } from "class-validator";
-import { PartialType } from "@nestjs/swagger";
+import {
+  ApiProperty,
+  ApiPropertyOptional,
+  ApiTags,
+  PartialType,
+} from "@nestjs/swagger";
 import { PublishedDataStatus } from "../interfaces/published-data.interface";
+import { OwnableDto } from "src/common/dto/ownable.dto";
 
-export class UpdatePublishedDataV4Dto {
-  /**
-   * A name or title by which a resource is known. This field has the semantics of Dublin Core
-   * [dcmi:title](https://www.dublincore.org/specifications/dublin-core/dcmi-terms/terms/title/)
-   * and [DataCite title](https://datacite-metadata-schema.readthedocs.io/en/4.6/properties/title/).
-   */
+@ApiTags("publishedData")
+export class UpdatePublishedDataV4Dto extends OwnableDto {
+  @ApiProperty({
+    type: String,
+    required: true,
+    description:
+      "A name or title by which a resource is known. This field has the semantics of Dublin Core" +
+      " [dcmi:title](https://www.dublincore.org/specifications/dublin-core/dcmi-terms/terms/title/)" +
+      " and [DataCite title](https://datacite-metadata-schema.readthedocs.io/en/4.6/properties/title/).",
+  })
   @IsString()
   readonly title: string;
 
-  /**
-   * A brief description of the resource and the context in which the resource was created. This field has the semantics of
-   * [DataCite description](https://datacite-metadata-schema.readthedocs.io/en/4.6/properties/description/)
-   * with [Abstract](https://datacite-metadata-schema.readthedocs.io/en/4.6/appendices/appendix-1/descriptionType/#abstract).
-   */
+  @ApiProperty({
+    type: String,
+    required: true,
+    description:
+      "A brief description of the resource and the context in which the resource was created. This field has the semantics" +
+      " of [DataCite description](https://datacite-metadata-schema.readthedocs.io/en/4.6/properties/description/)" +
+      " with [Abstract descriptionType](https://datacite-metadata-schema.readthedocs.io/en/4.6/appendices/appendix-1/descriptionType/#abstract).",
+  })
   @IsString()
   readonly abstract: string;
 
-  /**
-   * Array of one or more Dataset persistent identifier (pid) values that make up the published data.
-   */
+  @ApiProperty({
+    type: [String],
+    required: true,
+    description:
+      "Array of one or more datasets' persistent identifier values that" +
+      " are part of this published data record.",
+  })
   @IsArray()
   @IsString({ each: true })
   readonly datasetPids: string[];
 
-  /**
-   * Time when doi is successfully registered
-   */
+  @ApiPropertyOptional({
+    type: [String],
+    description:
+      "Array of one or more proposal identifier values that " +
+      "are part of this published data record.",
+  })
+  @IsOptional()
+  @IsArray()
+  @IsString({ each: true })
+  readonly proposalIds?: string[];
+
+  @ApiPropertyOptional({
+    type: [String],
+    description:
+      "Array of one or more samples identifier values that " +
+      "are part of this published data record.",
+  })
+  @IsOptional()
+  @IsArray()
+  @IsString({ each: true })
+  readonly sampleIds?: string[];
+
+  @ApiProperty({
+    type: Date,
+    required: false,
+    description: "Time when doi is successfully registered with registrar",
+  })
   @IsDateString()
   @IsOptional()
   readonly registeredTime?: Date;
 
-  /**
-   * Indication of position in publication workflow e.g. registred, private, public
-   */
+  @ApiProperty({
+    enum: PublishedDataStatus,
+    description:
+      "Indication of position in publication workflow e.g. registred, private, public",
+  })
   @IsEnum(PublishedDataStatus)
   @IsOptional()
   readonly status?: string;
 
-  /**
-   * JSON object containing the metadata. This will cover most optional fields of the DataCite schema, and will require a mapping from metadata subfields to DataCite Schema definitions.
-   */
+  @ApiProperty({
+    type: Object,
+    required: false,
+    default: {},
+    description:
+      "JSON object containing the metadata. This will cover most optional fields of the DataCite schema, and will require a mapping from metadata subfields to DataCite Schema definitions",
+  })
   @IsObject()
   @IsOptional()
   readonly metadata?: Record<string, unknown>;

src/published-data/schemas/published-data.schema.ts

@@ -1,10 +1,10 @@
 import { Prop, Schema, SchemaFactory } from "@nestjs/mongoose";
 import { ApiProperty } from "@nestjs/swagger";
 import { Document } from "mongoose";
-import { QueryableClass } from "src/common/schemas/queryable.schema";
 import { v4 as uuidv4 } from "uuid";
 import { PublishedDataStatus } from "../interfaces/published-data.interface";
 import crypto from "crypto";
+import { OwnableClass } from "src/common/schemas/ownable.schema";
 
 export type PublishedDataDocument = PublishedData & Document;
 
@@ -15,7 +15,7 @@ export type PublishedDataDocument = PublishedData & Document;
   },
   timestamps: true,
 })
-export class PublishedData extends QueryableClass {
+export class PublishedData extends OwnableClass {
   @Prop({
     type: String,
     unique: true,
@@ -104,16 +104,36 @@ export class PublishedData extends QueryableClass {
     type: [String],
     required: true,
     description:
-      "Array of one or more Dataset persistent identifier (pid) values that" +
-      " make up the published data.",
+      "Array of one or more datasets' persistent identifier values that" +
+      " are part of the published data record.",
   })
   @Prop({ type: [String], required: true })
   datasetPids: string[];
 
+  @ApiProperty({
+    type: [String],
+    required: false,
+    description:
+      "Array of one or more proposals identifier values that" +
+      " are part of this published data record.",
+  })
+  @Prop({ type: [String], required: false })
+  proposalIds?: string[];
+
+  @ApiProperty({
+    type: [String],
+    required: false,
+    description:
+      "Array of one or more samples identifier values that" +
+      " are part of this published data record.",
+  })
+  @Prop({ type: [String], required: false })
+  sampleIds?: string[];
+
   @ApiProperty({
     type: Date,
     required: false,
-    description: "Time when doi is successfully registered",
+    description: "Time when doi is successfully registered with registrar",
   })
   @Prop({ type: Date, index: true, required: false })
   registeredTime?: Date;