service: filtering of record metadata according to permissions

[lnielsen]

Following user-stories are basically about filtering record metadata according to what a given identity can access.

User stories

As an uploader/admin, I want to see the full metadata including files of a closed access record
As a visitor, I want to see the full metadata excluding files of a closed access record

Example

When getting a record:

GET /record/12345-12345 HTTP/1.1

The service layer will do the following actions:

1. Resolve ID to a record
2. Check permission to record
3. Create a record state object

The presentation layer will then afterwards:

1. Serialize the record state out to the user.

Considerations

• The presentation layer (i.e. the serializer in this case), should not know anything about permissions. The sole job should be to seralize a record.
• The service layer (either in the a) service or b) record state / resource unit) needs to filter the metadata.
• This also has to be implemented for the search engine.
• Until we have a proper query parser, the indexed records need to have all restricted fields removed.

Examples of filtering metadata

• Remove _files from the metadata (closed access record - meaning a record that's publicly visible, but where the files are restricted).
• Remove internal notes.

[lnielsen]

Missing part is the query parser to filter out searches on restricted fields.