adsabs · femalves · Dec 21, 2023 · Dec 5, 2023 · Dec 5, 2023 · Dec 5, 2023
diff --git a/biblib/views/base_view.py b/biblib/views/base_view.py
@@ -28,6 +28,9 @@ class BaseView(Resource):
     #default permissions for write_access()
     write_allowed = ['write', 'admin', 'owner']
 
+    # default permissions for read_access()
+    read_allowed = ['read', 'write', 'admin', 'owner']
+
     @staticmethod
     def helper_uuid_to_slug(library_uuid):
         """
@@ -222,8 +225,27 @@ def delete_access(cls, service_uid, library_id):
         delete_allowed = cls.helper_access_allowed(service_uid=service_uid,
                                                    library_id=library_id,
                                                    access_type='owner')
-        return delete_allowed 
-
+        return delete_allowed
+
+    @classmethod
+    def read_access(cls, service_uid, library_id):
+        """
+        Defines which type of user has read permissions to a library.
+
+        :param service_uid: the user ID within this microservice
+        :param library_id: the unique ID of the library
+
+        :return: boolean, access (True), no access (False)
+        """
+
+        for access_type in cls.read_allowed:
+            if cls.helper_access_allowed(service_uid=service_uid,
+                                         library_id=library_id,
+                                         access_type=access_type):
+                return True
+
+        return False
+
     @classmethod
     def write_access(cls, service_uid, library_id):
         """

diff --git a/biblib/views/operations_view.py b/biblib/views/operations_view.py
@@ -207,6 +207,10 @@ def post(self, library):
         if data['action'] in ['union', 'intersection', 'difference']:
             if 'libraries' not in data:
                 return err(NO_LIBRARY_SPECIFIED_ERROR)
+            for lib in data['libraries']:
+                if not self.read_access(service_uid=user_editing_uid,
+                                         library_id=lib):
+                    return err(NO_PERMISSION_ERROR)
             if 'name' not in data:
                 data['name'] = 'Untitled {0}.'.format(get_date().isoformat())
             if 'public' not in data:
@@ -217,6 +221,10 @@ def post(self, library):
                 return err(NO_LIBRARY_SPECIFIED_ERROR)
             if len(data['libraries']) > 1:
                 return err(TOO_MANY_LIBRARIES_SPECIFIED_ERROR)
+            # Check the permissions of the user
+            if not self.write_access(service_uid=user_editing_uid,
+                                     library_id=data['libraries'][0]):
+                return err(NO_PERMISSION_ERROR)
 
         lib_names = []
         with current_app.session_scope() as session: