elody 0.0.194__tar.gz → 0.0.195__tar.gz

{elody-0.0.194 → elody-0.0.195}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: elody
-Version: 0.0.194
+Version: 0.0.195
 Summary: elody SDK for Python
 Author-email: Inuits <developers@inuits.eu>
 License:                     GNU GENERAL PUBLIC LICENSE

{elody-0.0.194 → elody-0.0.195}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "elody"
-version = "0.0.194"
+version = "0.0.195"
 description = "elody SDK for Python"
 readme = "README.md"
 authors = [{ name = "Inuits", email = "developers@inuits.eu" }]

elody-0.0.195/src/elody/policies/authentication/base_user_tenant_validation_policy.py

@@ -0,0 +1,132 @@
+import re as regex
+
+from abc import ABC, abstractmethod
+from configuration import get_object_configuration_mapper  # pyright: ignore
+from copy import deepcopy
+from inuits_policy_based_auth.contexts.user_context import (  # pyright: ignore
+    UserContext,
+)
+from inuits_policy_based_auth.helpers.tenant import Tenant  # pyright: ignore
+from werkzeug.exceptions import Forbidden  # pyright: ignore
+
+
+class BaseUserTenantValidationPolicy(ABC):
+    @abstractmethod
+    def get_user(
+        self,
+        id: str,
+        user_context: UserContext,
+        storage,
+        *,
+        user_metadata_key_for_global_roles="roles",
+        user_tenant_relation_type="hasTenant",
+    ) -> dict:
+        config = get_object_configuration_mapper().get("user")
+        collection = config.crud()["collection"]
+        serialize = config.serialization(config.SCHEMA_TYPE, "elody")
+
+        user = storage.get_item_from_collection_by_id(collection, id) or {}
+        self.user = serialize(user)
+        user_context.bag["roles_from_idp"] = deepcopy(user_context.x_tenant.roles)
+        user_context.bag["user_metadata_key_for_global_roles"] = (
+            user_metadata_key_for_global_roles
+        )
+        user_context.bag["user_tenant_relation_type"] = user_tenant_relation_type
+
+        return self.user
+
+    @abstractmethod
+    def build_user_context_for_anonymous_user(
+        self, request, user_context: UserContext
+    ) -> UserContext:
+        user_context = self.__build_user_context(request, user_context)
+        user_context.id = "anonymous"
+        user_context.x_tenant = Tenant()
+        user_context.x_tenant.id = ""
+        user_context.x_tenant.roles = ["anonymous"]
+        return user_context
+
+    @abstractmethod
+    def build_user_context_for_authenticated_user(
+        self, request, user_context: UserContext, user: dict
+    ) -> UserContext:
+        user_context = self.__build_user_context(request, user_context)
+        user_context.x_tenant = Tenant()
+        user_context.x_tenant.id = self._determine_tenant_id(request, user_context)
+        user_context.x_tenant.roles = self.__get_tenant_roles(request, user_context)
+        return user_context
+
+    @abstractmethod
+    def _determine_tenant_id(self, request, user_context: UserContext) -> str:
+        pass
+
+    def __build_user_context(self, request, user_context: UserContext):
+        user_context.bag["http_method"] = request.method
+        user_context.bag["requested_endpoint"] = request.endpoint
+        user_context.bag["full_path"] = request.full_path
+        user_context.bag["collection_resolver"] = (
+            self._resolve_collections  # pyright: ignore
+        )
+        return user_context
+
+    def __get_tenant_roles(self, request, user_context: UserContext) -> list[str]:
+        """
+        Gathering multiple tenants are supported, but there are some important notes:
+            - all roles are stored in a combined way in user_context.x_tenant.roles
+            - those combination of different tenant roles will work, as long as:
+                - the roles are the same
+                - the object restrictions allow all tenants that are linked with the user
+                => to make it fully work, see #143185
+            - with combined roles, when combaring rol_a vs rol_b
+                - if rol_a allow and role_b does not allow access: the role allowing access will always win
+                - if both roles allow, but just have different restrictions: the first allowing role will win
+                    - this is completely random
+                    => currently no logic in policies to determine which allowing role to apply
+        """
+
+        roles = []
+        for metadata in self.user.get("metadata", []):
+            if (
+                metadata["key"]
+                == user_context.bag["user_metadata_key_for_global_roles"]
+            ):
+                roles.extend(metadata["value"])
+
+        if user_context.x_tenant.id:
+            tenant_ids = user_context.x_tenant.id.split(",")
+            for tenant_id in tenant_ids:
+                try:
+                    user_tenant_relation = self.__get_user_tenant_relation(
+                        tenant_id, user_context.bag["user_tenant_relation_type"]
+                    )
+                except Forbidden as error:
+                    user_tenant_relation = {}
+                    if len(roles) == 0:
+                        raise Forbidden(error.description)
+                roles.extend(user_tenant_relation.get("roles", []))
+
+        if len(roles) == 0 and not regex.match(
+            "(/[^/]+/v[0-9]+)?/tenants$", request.path
+        ):
+            raise Forbidden("User has no global roles, switch to a specific tenant.")
+
+        return list(set(roles))
+
+    def __get_user_tenant_relation(
+        self, tenant_id: str, user_tenant_relation_type: str
+    ) -> dict:
+        user_tenant_relation = None
+        for relation in self.user.get("relations", []):
+            if (
+                relation["key"] == tenant_id
+                and relation["type"] == user_tenant_relation_type
+            ):
+                user_tenant_relation = relation
+                break
+
+        if not user_tenant_relation:
+            if tenant_id:
+                raise Forbidden(f"User is not a member of tenant {tenant_id}.")
+            return {}
+
+        return user_tenant_relation

{elody-0.0.194 → elody-0.0.195}/src/elody/policies/authorization/filter_generic_objects_policy_v2.py

@@ -5,7 +5,7 @@ from elody.policies.permission_handler import (
     get_permissions,
     mask_protected_content_post_request_hook,
 )
-from flask import Request  # pyright: ignore
+from flask import g, Request  # pyright: ignore
 from inuits_policy_based_auth import BaseAuthorizationPolicy  # pyright: ignore
 from inuits_policy_based_auth.contexts.policy_context import (  # pyright: ignore
     PolicyContext,
@@ -26,7 +26,7 @@ class FilterGenericObjectsPolicyV2(BaseAuthorizationPolicy):
         if not isinstance(user_context.access_restrictions.filters, list):
             user_context.access_restrictions.filters = []
         type_filter, filters = self.__split_type_filter(
-            user_context, deepcopy(request.json or [])
+            user_context, deepcopy(g.get("content") or request.json or [])
         )
         if not type_filter:
             policy_context.access_verdict = True

{elody-0.0.194 → elody-0.0.195}/src/elody/policies/authorization/mediafile_derivatives_policy.py

@@ -1,12 +1,12 @@
 import re as regex
 
-from elody.error_codes import ErrorCode, get_error_code, get_read, get_write
+from configuration import get_object_configuration_mapper  # pyright: ignore
+from elody.policies.helpers import get_content, get_item
 from elody.policies.permission_handler import (
     get_permissions,
     handle_single_item_request,
 )
-from flask import Request  # pyright: ignore
-from flask_restful import abort  # pyright: ignore
+from flask import g, Request  # pyright: ignore
 from inuits_policy_based_auth import BaseAuthorizationPolicy  # pyright: ignore
 from inuits_policy_based_auth.contexts.policy_context import (  # pyright: ignore
     PolicyContext,
@@ -22,32 +22,18 @@ class MediafileDerivativesPolicy(BaseAuthorizationPolicy):
         self, policy_context: PolicyContext, user_context: UserContext, request_context
     ):
         request: Request = request_context.http_request
-        if not regex.match(r"^/mediafiles/(.+)/derivatives$", request.path):
+        if not regex.match(
+            "^(/elody/v[0-9]+)?/mediafiles/[^/]+/derivatives$", request.path
+        ):
             return policy_context
 
-        view_args = request.view_args or {}
-        collection = view_args.get("collection", request.path.split("/")[-3])
-        id = view_args.get("id")
-        item = (
-            StorageManager()
-            .get_db_engine()
-            .get_item_from_collection_by_id(collection, id)
-        )
-        if not item:
-            abort(
-                404,
-                message=f"{get_error_code(ErrorCode.ITEM_NOT_FOUND_IN_COLLECTION, get_read())} | id:{id} | collection: {collection} - Item with id {id} doesn't exist in collection {collection}",
-            )
-
+        item = get_item(StorageManager(), user_context.bag, request.view_args)
         for role in user_context.x_tenant.roles:
             permissions = get_permissions(role, user_context)
             if not permissions:
                 continue
 
-            rules = [
-                PostRequestRules,
-                GetRequestRules,
-            ]
+            rules = [PostRequestRules, GetRequestRules]
             access_verdict = None
             for rule in rules:
                 access_verdict = rule().apply(item, user_context, request, permissions)
@@ -69,7 +55,13 @@ class PostRequestRules:
         if request.method != "POST":
             return None
 
-        return handle_single_item_request(user_context, item, permissions, "create")
+        content = g.get("content") or request.json
+        content = get_content(content, request, content)
+        schema_type = get_object_configuration_mapper().get(content["type"]).SCHEMA_TYPE
+        item = {**content, "schema": {"type": schema_type}}
+        return handle_single_item_request(
+            user_context, item, permissions, "create", content
+        )
 
 
 class GetRequestRules:
@@ -80,13 +72,3 @@ class GetRequestRules:
             return None
 
         return handle_single_item_request(user_context, item, permissions, "read")
-
-
-class DeleteRequestRules:
-    def apply(
-        self, item, user_context: UserContext, request: Request, permissions
-    ) -> bool | None:
-        if request.method != "DELETE":
-            return None
-
-        return handle_single_item_request(user_context, item, permissions, "delete")

{elody-0.0.194 → elody-0.0.195}/src/elody/policies/authorization/mediafile_download_policy.py

@@ -1,12 +1,11 @@
 import re as regex
 
-from elody.error_codes import ErrorCode, get_error_code, get_read
+from elody.policies.helpers import get_item
 from elody.policies.permission_handler import (
     get_permissions,
     handle_single_item_request,
 )
 from flask import Request  # pyright: ignore
-from flask_restful import abort  # pyright: ignore
 from inuits_policy_based_auth import BaseAuthorizationPolicy  # pyright: ignore
 from inuits_policy_based_auth.contexts.policy_context import (  # pyright: ignore
     PolicyContext,
@@ -22,31 +21,18 @@ class MediafileDownloadPolicy(BaseAuthorizationPolicy):
         self, policy_context: PolicyContext, user_context: UserContext, request_context
     ):
         request: Request = request_context.http_request
-        if not regex.match(r"^/mediafiles/(.+)/download$", request.path):
+        if not regex.match(
+            "^(/elody/v[0-9]+)?/mediafiles/[^/]+/download$", request.path
+        ):
             return policy_context
 
-        view_args = request.view_args or {}
-        collection = view_args.get("collection", request.path.split("/")[-3])
-        id = view_args.get("id")
-        item = (
-            StorageManager()
-            .get_db_engine()
-            .get_item_from_collection_by_id(collection, id)
-        )
-        if not item:
-            abort(
-                404,
-                message=f"{get_error_code(ErrorCode.ITEM_NOT_FOUND_IN_COLLECTION, get_read())} | id:{id} | collection:{collection} - Item with id {id} doesn't exist in collection {collection}",
-            )
-
+        item = get_item(StorageManager(), user_context.bag, request.view_args)
         for role in user_context.x_tenant.roles:
             permissions = get_permissions(role, user_context)
             if not permissions:
                 continue
 
-            rules = [
-                GetRequestRules,
-            ]
+            rules = [GetRequestRules]
             access_verdict = None
             for rule in rules:
                 access_verdict = rule().apply(item, user_context, request, permissions)

elody-0.0.195/src/elody/policies/helpers.py

@@ -0,0 +1,31 @@
+from configuration import get_object_configuration_mapper  # pyright: ignore
+from elody.error_codes import ErrorCode, get_error_code, get_read
+from serialization.serialize import serialize  # pyright: ignore
+from werkzeug.exceptions import NotFound
+
+
+def get_content(item, request, content):
+    return serialize(
+        content,
+        type=item.get("type"),
+        from_format=serialize.get_format(
+            (request.view_args or {}).get("spec", "elody"), request.args
+        ),
+        to_format=get_object_configuration_mapper().get(item["type"]).SCHEMA_TYPE,
+    )
+
+
+def get_item(storage_manager, user_context_bag, view_args) -> dict:
+    view_args = view_args or {}
+    if id := view_args.get("id"):
+        resolve_collections = user_context_bag.get("collection_resolver")
+        collections = resolve_collections(collection=view_args.get("collection"), id=id)
+        for collection in collections:
+            if item := storage_manager.get_db_engine().get_item_from_collection_by_id(
+                collection, id
+            ):
+                return item
+
+    raise NotFound(
+        f"{get_error_code(ErrorCode.ITEM_NOT_FOUND, get_read())} | id:{id} - Item with id {id} does not exist."
+    )

{elody-0.0.194 → elody-0.0.195}/src/elody.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: elody
-Version: 0.0.194
+Version: 0.0.195
 Summary: elody SDK for Python
 Author-email: Inuits <developers@inuits.eu>
 License:                     GNU GENERAL PUBLIC LICENSE

{elody-0.0.194 → elody-0.0.195}/src/elody.egg-info/SOURCES.txt

@@ -26,7 +26,6 @@ src/elody/object_configurations/job_configuration.py
 src/elody/policies/__init__.py
 src/elody/policies/helpers.py
 src/elody/policies/permission_handler.py
-src/elody/policies/tenant_id_resolver.py
 src/elody/policies/authentication/__init__.py
 src/elody/policies/authentication/base_user_tenant_validation_policy.py
 src/elody/policies/authentication/multi_tenant_policy.py

elody-0.0.194/src/elody/policies/authentication/base_user_tenant_validation_policy.py

@@ -1,125 +0,0 @@
-import re as regex
-
-from abc import ABC, abstractmethod
-from configuration import get_object_configuration_mapper  # pyright: ignore
-from copy import deepcopy
-from elody.util import get_raw_id
-from inuits_policy_based_auth.contexts.user_context import (  # pyright: ignore
-    UserContext,
-)
-from inuits_policy_based_auth.helpers.tenant import Tenant  # pyright: ignore
-from storage.storagemanager import StorageManager  # pyright: ignore
-from werkzeug.exceptions import Forbidden  # pyright: ignore
-
-
-class BaseUserTenantValidationPolicy(ABC):
-    def __init__(self) -> None:
-        self.storage = StorageManager().get_db_engine()
-        self.super_tenant_id = "tenant:super"
-        self.user = {}
-
-    @abstractmethod
-    def get_user(self, id: str, user_context: UserContext) -> dict:
-        user_context.bag["roles_from_idp"] = deepcopy(user_context.x_tenant.roles)
-
-    @abstractmethod
-    def build_user_context_for_authenticated_user(
-        self, request, user_context: UserContext, user: dict
-    ):
-        self.user = user
-        user_context.x_tenant = Tenant()
-        user_context.x_tenant.id = self._determine_tenant_id(request, user)
-        user_context.x_tenant.roles = self.__get_tenant_roles(
-            user_context.x_tenant.id, request
-        )
-        user_context.x_tenant.raw = self.__get_x_tenant_raw(user_context.x_tenant.id)
-        user_context.tenants = [user_context.x_tenant]
-        user_context.bag["x_tenant_id"] = user_context.x_tenant.id
-        user_context.bag["tenant_defining_entity_id"] = user_context.x_tenant.id
-        user_context.bag["tenant_relation_type"] = "isIn"
-        user_context.bag["user_ids"] = self.user["identifiers"]
-        user_context.bag["http_method"] = request.method
-        user_context.bag["requested_endpoint"] = request.endpoint
-        user_context.bag["full_path"] = request.full_path
-
-    @abstractmethod
-    def build_user_context_for_anonymous_user(
-        self, user_context: UserContext, user: dict
-    ):
-        self.user = user
-        user_context.id = get_raw_id(user)
-        user_context.x_tenant = Tenant()
-        user_context.x_tenant.id = self.super_tenant_id
-        user_context.x_tenant.roles = ["anonymous"]
-        user_context.x_tenant.raw = self.__get_x_tenant_raw(user_context.x_tenant.id)
-        user_context.tenants = [user_context.x_tenant]
-        user_context.bag["x_tenant_id"] = user_context.x_tenant.id
-        user_context.bag["tenant_defining_entity_id"] = user_context.x_tenant.id
-        user_context.bag["tenant_relation_type"] = "isIn"
-        user_context.bag["user_ids"] = self.user["identifiers"]
-
-    @abstractmethod
-    def _determine_tenant_id(self, request, user) -> str:
-        pass
-
-    def __get_tenant_roles(self, x_tenant_id: str, request) -> list[str]:
-        roles = self.__get_user_tenant_relation(self.super_tenant_id).get("roles", [])
-        if x_tenant_id != self.super_tenant_id:
-            try:
-                user_tenant_relation = self.__get_user_tenant_relation(x_tenant_id)
-            except Forbidden as error:
-                user_tenant_relation = {}
-                if len(roles) == 0:
-                    raise Forbidden(error.description)
-            roles.extend(user_tenant_relation.get("roles", []))
-
-        if len(roles) == 0 and not regex.match(
-            "(/[^/]+/v[0-9]+)?/tenants$", request.path
-        ):
-            raise Forbidden("User has no global roles, switch to a specific tenant.")
-        return roles
-
-    def __get_user_tenant_relation(self, x_tenant_id: str) -> dict:
-        user_tenant_relation = None
-        for relation in self.user.get("relations", []):
-            if relation["key"] == x_tenant_id and relation["type"] == "hasTenant":
-                user_tenant_relation = relation
-                break
-
-        if not user_tenant_relation:
-            if x_tenant_id != self.super_tenant_id:
-                raise Forbidden(f"User is not a member of tenant {x_tenant_id}.")
-            else:
-                return {}
-
-        return user_tenant_relation
-
-    def __get_x_tenant_raw(self, x_tenant_id: str) -> dict:
-        collection = (
-            get_object_configuration_mapper().get("tenant").crud()["collection"]
-        )
-        x_tenant_raw = (
-            self.storage.get_item_from_collection_by_id(collection, x_tenant_id) or {}
-        )
-        if x_tenant_raw.get("type") != "tenant":
-            raise Forbidden(f"No tenant {x_tenant_id} exists.")
-
-        return x_tenant_raw
-
-    def _get_tenant_defining_entity_id(
-        self, x_tenant_id: str, x_tenant_raw: dict
-    ) -> str:
-        if x_tenant_id == self.super_tenant_id:
-            return x_tenant_id.removeprefix("tenant:")
-
-        tenant_defining_entity_id = None
-        for relation in x_tenant_raw.get("relations", []):
-            if relation["type"] == "definedBy":
-                tenant_defining_entity_id = relation["key"]
-                break
-        if not tenant_defining_entity_id:
-            raise Forbidden(
-                f"{x_tenant_raw['_id']} has no relation with a tenant defining entity."
-            )
-
-        return tenant_defining_entity_id

elody-0.0.194/src/elody/policies/helpers.py

@@ -1,37 +0,0 @@
-from elody.error_codes import ErrorCode, get_error_code, get_read
-from configuration import get_object_configuration_mapper  # pyright: ignore
-from flask_restful import abort  # pyright: ignore
-from serialization.serialize import serialize  # pyright: ignore
-
-
-def get_content(item, request, content):
-    return serialize(
-        content,
-        type=item.get("type"),
-        from_format=serialize.get_format(
-            (request.view_args or {}).get("spec", "elody"), request.args
-        ),
-        to_format=get_object_configuration_mapper().get(item["type"]).SCHEMA_TYPE,
-    )
-
-
-def get_item(storage_manager, user_context_bag, view_args):
-    view_args = view_args or {}
-    id = view_args.get("id")
-    resolve_collections = user_context_bag.get("collection_resolver")
-    if not resolve_collections:
-        abort(
-            403,
-            message=f"{get_error_code(ErrorCode.UNDEFINED_COLLECTION_RESOLVER, get_read())} - Collection resolver not defined for user.",
-        )
-    collections = resolve_collections(collection=view_args.get("collection"), id=id)
-    for collection in collections:
-        if item := storage_manager.get_db_engine().get_item_from_collection_by_id(
-            collection, id
-        ):
-            return item
-    else:
-        abort(
-            404,
-            message=f"{get_error_code(ErrorCode.ITEM_NOT_FOUND, get_read())} | id:{id} - Item with id {id} does not exist.",
-        )

elody-0.0.194/src/elody/policies/tenant_id_resolver.py

@@ -1,375 +0,0 @@
-import re as regex
-
-from elody.error_codes import ErrorCode, get_error_code, get_read, get_write
-from flask import Request
-from flask_restful import abort
-from storage.storagemanager import StorageManager  # pyright: ignore
-from elody.util import get_item_metadata_value
-from elody.exceptions import NotFoundException, NoTenantException
-
-
-class TenantIdResolver:
-    def resolve(self, request, user):
-        endpoints = [
-            EntityGetRequest,
-            EntityPostRequest,
-            EntityDetailGetRequest,
-            EntityDetailUpdateRequest,
-            EntityDetailDeleteRequest,
-            EntityDetailGetRelationsRequest,
-            EntityDetailUpdateRelationsRequest,
-            EntityDetailCreateRelationsRequest,
-            EntityDetailDeleteRelationsRequest,
-            EntityDetailGetMetadataRequest,
-            EntityDetailUpdateMetadataRequest,
-            EntityDetailCreateMetadataRequest,
-            EntityDetailGetMediafilesRequest,
-            EntityDetailCreateMediafilesRequest,
-            MediafileGetRequest,
-            MediafilePostRequest,
-            MediafileDetailGetRequest,
-            MediafileDetailUpdateRequest,
-            MediafileDetailDeleteRequest,
-            MediafileDetailGetDerivativesRequest,
-            MediafileDetailCreateDerivativesRequest,
-            MediafileDetailDeleteDerivativesRequest,
-        ]
-
-        for endpoint in endpoints:
-            tenant_id = endpoint().get_tenant_id(request)
-            if tenant_id != None:
-                relations = user.get("relations", [])
-                if len(relations) < 1:
-                    raise NoTenantException(f"User is not attached to a tenant")
-                has_tenant_relation = any(
-                    relation.get("type") == "hasTenant"
-                    and relation.get("key") == tenant_id
-                    for relation in relations
-                )
-                if has_tenant_relation:
-                    return tenant_id
-                elif len(relations) == 1 and relations[0].get("key") == "tenant:super":
-                    return "tenant:super"
-                else:
-                    return relations[0].get("key")
-        return "tenant:super"
-
-
-class BaseRequest:
-    def __init__(self) -> None:
-        self.storage = StorageManager().get_db_engine()
-        self.super_tenant_id = "tenant:super"
-        # TODO refactor this in a more generic way
-        self.global_types = [
-            "language",
-            "type",
-            "collectionForm",
-            "institution",
-            "tag",
-            "triple",
-            "person",
-            "externalRecord",
-            "verzameling",
-            "arches_record",
-            "manufacturer",
-            "photographer",
-            "creator",
-            "assetPart",
-            "set",
-            "download",
-            "license",
-            "share_link"
-            # TODO Mediafile should have a link to an asset
-            "mediafile",
-            "savedSearch",
-            "original_data",
-            "user",
-        ]
-
-    def _get_tenant_id_from_entity(self, entity_id):
-        entity_relations = self.storage.get_collection_item_relations(
-            "entities", entity_id
-        )
-        entity = self.storage.get_item_from_collection_by_id("entities", entity_id)
-        if not entity:
-            abort(
-                404,
-                message=f"{get_error_code(ErrorCode.ITEM_NOT_FOUND, get_read())} | id:{entity_id} - Item with id {entity_id} doesn't exist",
-            )
-        type = entity.get("type")
-        if type in self.global_types:
-            return "tenant:super"
-        if entity_relations:
-            for entity_relation in entity_relations:
-                if entity_relation.get("type") == "isIn":
-                    tenant = self.storage.get_item_from_collection_by_id(
-                        "entities", entity_relation.get("key")
-                    )
-                    return tenant["_id"]
-                if entity_relation.get("type") == "hasInstitution":
-                    instution_relations = self.storage.get_collection_item_relations(
-                        "entities", entity_relation.get("key")
-                    )
-                    for institution_relation in instution_relations:
-                        if institution_relation.get("type") == "defines":
-                            return institution_relation.get("key")
-
-        if entity and get_item_metadata_value(entity, "institution"):
-            return f"tenant:{get_item_metadata_value(entity, 'institution')}"
-        abort(
-            400,
-            message=f"{get_error_code(ErrorCode.ENTITY_HAS_NO_TENANT, get_read())} - Entity has no tenant, and is suppose to have one.",
-        )
-
-    def _get_tenant_id_from_mediafile(self, mediafile_id):
-        mediafile_relations = self.storage.get_collection_item_relations(
-            "mediafiles", mediafile_id
-        )
-
-        for relation in mediafile_relations:
-            if relation.get("type") == "belongsTo":
-                return self._get_tenant_id_from_entity(relation.get("key"))
-
-    # TODO Mediafile should have a link to an asset
-    def _get_tenant_id_from_body(self, item, soft_call=False):
-        if soft_call:
-            return "tenant:super"
-        if item.get("type") in self.global_types or item.get("type") == "institution":
-            return "tenant:super"
-        if item.get("type") == "asset":
-            for relation in item.get("relations", []):
-                if relation.get("type") in [
-                    "hasArchesLink",
-                    "hasAdlibLink",
-                    "hasBrocadeLink",
-                ]:
-                    return "tenant:super"
-        institution_id = get_item_metadata_value(item, "institution")
-        if not institution_id:
-            for relation in item.get("relations", []):
-                if relation.get("type") == "hasInstitution":
-                    institution_id = relation.get("key")
-        if institution_id:
-            return f"tenant:{institution_id}"
-        abort(
-            400,
-            message=f"{get_error_code(ErrorCode.ENTITY_HAS_NO_TENANT, get_read())} - Item in body doesn't have an institution.",
-        )
-
-
-class EntityGetRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities(?:\?(.*))?$", request.path)
-            and request.method == "GET"
-        ):
-            return self.super_tenant_id
-        return None
-
-
-class EntityPostRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities(?:\?(.*))?$", request.path)
-            and request.method == "POST"
-        ):
-            is_soft_call = request.args.get("soft") is not None
-            return self._get_tenant_id_from_body(request.json, soft_call=is_soft_call)
-        return None
-
-
-class EntityDetailGetRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if regex.match(r"/entities/(.+)$", request.path) and request.method == "GET":
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-
-
-class EntityDetailUpdateRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if regex.match(r"^/entities/(.+)$", request.path) and request.method in [
-            "PUT",
-            "PATCH",
-        ]:
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-
-
-class EntityDetailDeleteRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities/([^/]+)$", request.path)
-            and request.method == "DELETE"
-        ):
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-
-
-class EntityDetailGetRelationsRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities/(.+)/relations$", request.path)
-            and request.method == "GET"
-        ):
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-
-
-class EntityDetailUpdateRelationsRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if regex.match(
-            r"^/entities/(.+)/relations$", request.path
-        ) and request.method in ["PUT", "PATCH"]:
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-
-
-class EntityDetailCreateRelationsRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities/(.+)/relations$", request.path)
-            and request.method == "POST"
-        ):
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-
-
-class EntityDetailDeleteRelationsRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities/(.+)/relations$", request.path)
-            and request.method == "DELETE"
-        ):
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-
-
-class EntityDetailGetMetadataRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities/(.+)/metadata$", request.path)
-            and request.method == "GET"
-        ):
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-
-
-class EntityDetailUpdateMetadataRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if regex.match(
-            r"^/entities/(.+)/metadata$", request.path
-        ) and request.method in ["PUT", "PATCH"]:
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-
-
-class EntityDetailCreateMetadataRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities/(.+)/metadata$", request.path)
-            and request.method == "POST"
-        ):
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-
-
-class EntityDetailGetMediafilesRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities/(.+)/mediafiles$", request.path)
-            and request.method == "GET"
-        ):
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-
-
-class EntityDetailCreateMediafilesRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities/(.+)/mediafiles$", request.path)
-            and request.method == "POST"
-        ):
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-
-
-# Mediafiles
-class MediafileGetRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/mediafiles(?:\?(.*))?$", request.path)
-            and request.method == "GET"
-        ):
-            return self.super_tenant_id
-        return None
-
-
-class MediafilePostRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/mediafiles(?:\?(.*))?$", request.path)
-            and request.method == "POST"
-        ):
-            is_soft_call = request.args.get("soft") is not None
-            return self._get_tenant_id_from_body(request.json, soft_call=is_soft_call)
-        return None
-
-
-class MediafileDetailGetRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/mediafiles/([^/]+)$", request.path)
-            and request.method == "GET"
-        ):
-            return self.super_tenant_id
-        return None
-
-
-class MediafileDetailUpdateRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if regex.match(r"^/mediafiles/(.+)$", request.path) and request.method in [
-            "PUT",
-            "PATCH",
-        ]:
-            return self._get_tenant_id_from_mediafile(request.view_args.get("id"))
-        return None
-
-
-class MediafileDetailDeleteRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/mediafiles/(.+)$", request.path)
-            and request.method == "DELETE"
-        ):
-            return self._get_tenant_id_from_mediafile(request.view_args.get("id"))
-        return None
-
-
-class MediafileDetailGetDerivativesRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/mediafiles/(.+)/derivatives$", request.path)
-            and request.method == "GET"
-        ):
-            return self.super_tenant_id
-        return None
-
-
-class MediafileDetailCreateDerivativesRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/mediafiles/(.+)/derivatives$", request.path)
-            and request.method == "POST"
-        ):
-            return self._get_tenant_id_from_mediafile(request.view_args.get("id"))
-        return None
-
-
-class MediafileDetailDeleteDerivativesRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/mediafiles/(.+)/derivatives$", request.path)
-            and request.method == "DELETE"
-        ):
-            return self._get_tenant_id_from_mediafile(request.view_args.get("id"))
-        return None