Jrm/can create model ingestion (#486 )

* Add `canCreateModelIngestion` model permission check * format * oops
feat(api)!: Add model permission checks (#485 )
2026-01-29 14:23:44 +00:00 · 2026-01-29 12:04:21 +01:00 · 2026-01-27 19:52:30 +03:00 · 2026-01-15 20:06:13 +03:00
9 changed files with 195 additions and 8 deletions
@@ -8,6 +8,10 @@ from specklepy.core.api.inputs.model_inputs import (
 )
 from specklepy.core.api.inputs.project_inputs import ProjectModelsFilter
 from specklepy.core.api.models import Model, ModelWithVersions, ResourceCollection
+from specklepy.core.api.models.current import (
+    ModelPermissionChecks,
+    PermissionCheckResult,
+)
 from specklepy.core.api.resources import ModelResource as CoreResource
 from specklepy.logging import metrics

@@ -72,3 +76,17 @@ class ModelResource(CoreResource):
    def update(self, input: UpdateModelInput) -> Model:
        metrics.track(metrics.SDK, self.account, {"name": "Model Update"})
        return super().update(input)
+
+    def get_permissions(self, model_id: str, project_id: str) -> ModelPermissionChecks:
+        metrics.track(metrics.SDK, self.account, {"name": "Model Get Permissions"})
+        return super().get_permissions(model_id, project_id)
+
+    def can_create_model_ingestion(
+        self, model_id: str, project_id: str
+    ) -> PermissionCheckResult:
+        metrics.track(
+            metrics.SDK,
+            self.account,
+            {"name": "Model Get Permissions canCreateIngestion"},
+        )
+        return super().can_create_model_ingestion(model_id, project_id)
@@ -7,6 +7,7 @@ class ProjectVisibility(str, Enum):
    PRIVATE = "PRIVATE"
    PUBLIC = "PUBLIC"
    UNLISTED = "UNLISTED"
+    """Deprecated, use PUBLIC instead"""
    WORKSPACE = "WORKSPACE"


@@ -34,4 +34,8 @@ class MarkReceivedVersionInput(GraphQLBaseModel):
    version_id: str
    project_id: str
    source_application: str
+    """
+    IMPORTANT: this is meant to be the slug of the application that has done the
+    receiving, not to be confused with `Version.sourceApplication`
+    """
    message: Optional[str] = None
@@ -105,7 +105,7 @@ class PendingStreamCollaborator(GraphQLBaseModel):
    project_name: str
    title: str
    role: str
-    invited_by: LimitedUser
+    invited_by: LimitedUser | None = None
    user: LimitedUser | None = None
    token: str | None

@@ -137,6 +137,12 @@ class Version(GraphQLBaseModel):
    source_application: str | None


+class ModelPermissionChecks(GraphQLBaseModel):
+    can_update: "PermissionCheckResult"
+    can_delete: "PermissionCheckResult"
+    can_create_version: "PermissionCheckResult"
+
+
 class Model(GraphQLBaseModel):
    author: LimitedUser | None
    created_at: datetime
@@ -156,7 +162,6 @@ class ProjectPermissionChecks(GraphQLBaseModel):
    can_create_model: "PermissionCheckResult"
    can_delete: "PermissionCheckResult"
    can_load: "PermissionCheckResult"
-    can_publish: "PermissionCheckResult"


 class Project(GraphQLBaseModel):
@@ -10,6 +10,10 @@ from specklepy.core.api.inputs.model_inputs import (
 )
 from specklepy.core.api.inputs.project_inputs import ProjectModelsFilter
 from specklepy.core.api.models import Model, ModelWithVersions, ResourceCollection
+from specklepy.core.api.models.current import (
+    ModelPermissionChecks,
+    PermissionCheckResult,
+)
 from specklepy.core.api.resource import ResourceBase
 from specklepy.core.api.responses import DataResponse

@@ -299,3 +303,71 @@ class ModelResource(ResourceBase):
        return self.make_request_and_parse_response(
            DataResponse[DataResponse[Model]], QUERY, variables
        ).data.data
+
+    def get_permissions(self, project_id: str, model_id: str) -> ModelPermissionChecks:
+        QUERY = gql(
+            """
+            query ModelPermissions($projectId: String!, $modelId: String!) {
+              data:project(id: $projectId) {
+                data:model(id: $modelId) {
+                  data:permissions {
+                    canUpdate {
+                      authorized
+                      code
+                      message
+                    }
+                    canDelete {
+                      authorized
+                      code
+                      message
+                    }
+                    canCreateVersion {
+                      authorized
+                      code
+                      message
+                    }
+                  }
+                }
+              }
+            }
+            """
+        )
+
+        variables = {"projectId": project_id, "modelId": model_id}
+
+        return self.make_request_and_parse_response(
+            DataResponse[DataResponse[DataResponse[ModelPermissionChecks]]],
+            QUERY,
+            variables,
+        ).data.data.data
+
+    def can_create_model_ingestion(
+        self, project_id: str, model_id: str
+    ) -> PermissionCheckResult:
+        QUERY = gql(
+            """
+            query ModelPermissions($projectId: String!, $modelId: String!) {
+              data:project(id: $projectId) {
+                data:model(id: $modelId) {
+                  data:permissions {
+                    data:canCreateIngestion {
+                      authorized
+                      code
+                      message
+                    }
+                  }
+                }
+              }
+            }
+            """
+        )
+
+        variables = {"projectId": project_id, "modelId": model_id}
+
+        return self.make_request_and_parse_response(
+            DataResponse[
+                DataResponse[DataResponse[DataResponse[PermissionCheckResult]]]
+            ],
+            QUERY,
+            variables,
+        ).data.data.data.data
@@ -50,12 +50,10 @@ class TestActiveUserResourcePermissions:
        assert hasattr(permissions, "can_create_model")
        assert hasattr(permissions, "can_delete")
        assert hasattr(permissions, "can_load")
-        assert hasattr(permissions, "can_publish")

        assert permissions.can_create_model.authorized is True
        assert permissions.can_delete.authorized is True
        assert permissions.can_load.authorized is True
-        assert permissions.can_publish.authorized is True

    def test_active_user_get_projects_with_permissions_with_filter(
        self, client: SpeckleClient, test_project: Project
@@ -1,6 +1,7 @@
 import pytest

 from specklepy.api.client import SpeckleClient
+from specklepy.core.api.enums import ProjectVisibility
 from specklepy.core.api.inputs.model_inputs import (
    CreateModelInput,
    DeleteModelInput,
@@ -12,11 +13,14 @@ from specklepy.core.api.inputs.project_inputs import (
 )
 from specklepy.core.api.models.current import (
    Model,
+    ModelPermissionChecks,
+    PermissionCheckResult,
    Project,
    ProjectWithModels,
    ResourceCollection,
 )
 from specklepy.logging.exceptions import GraphQLException
+from tests.integration.conftest import is_internal, is_public


@pytest.mark.run()
@@ -24,7 +28,9 @@ class TestModelResource:
    @pytest.fixture()
    def test_project(self, client: SpeckleClient) -> Project:
        project = client.project.create(
-            ProjectCreateInput(name="Test project", description="", visibility=None)
+            ProjectCreateInput(
+                name="Test project", description="", visibility=ProjectVisibility.PUBLIC
+            )
        )
        return project

@@ -149,3 +155,52 @@ class TestModelResource:

        with pytest.raises(GraphQLException):
            client.model.delete(delete_data)
+
+    def test_model_get_permissions(
+        self,
+        client: SpeckleClient,
+        second_client: SpeckleClient,
+        test_project: Project,
+        test_model: Model,
+    ):
+        result = client.model.get_permissions(test_project.id, test_model.id)
+
+        assert isinstance(result, ModelPermissionChecks)
+        assert result.can_update.authorized is True
+        assert result.can_create_version.authorized is True
+        assert result.can_delete.authorized is True
+
+        guest = second_client.model.get_permissions(test_project.id, test_model.id)
+
+        assert isinstance(guest, ModelPermissionChecks)
+        assert guest.can_update.authorized is False
+        assert guest.can_create_version.authorized is False
+        assert guest.can_delete.authorized is False
+
+    @pytest.mark.skipif(
+        is_public(), reason="API only available on server versions 3.0.11 or greater"
+    )
+    def test_can_create_model_ingestion_internal_server(
+        self,
+        client: SpeckleClient,
+        test_project: Project,
+        test_model: Model,
+    ):
+        result = client.model.can_create_model_ingestion(test_project.id, test_model.id)
+
+        assert isinstance(result, PermissionCheckResult)
+        assert result.authorized is True
+
+    @pytest.mark.skipif(
+        is_internal(),
+        reason="API only available on server versions 3.0.11 or greater",
+    )
+    def test_can_create_model_ingestion_public_server(
+        self,
+        client: SpeckleClient,
+        test_project: Project,
+        test_model: Model,
+    ):
+        with pytest.raises(GraphQLException) as ex:
+            _ = client.model.can_create_model_ingestion(test_project.id, test_model.id)
+        assert "GRAPHQL_VALIDATION_FAILED" in str(ex.value)
@@ -24,6 +24,17 @@ class TestProjectResource:
        )
        return project

+    @pytest.fixture()
+    def test_public_project(self, client: SpeckleClient) -> Project:
+        project = client.project.create(
+            ProjectCreateInput(
+                name="test project123",
+                description="desc",
+                visibility=ProjectVisibility.PUBLIC,
+            )
+        )
+        return project
+
    @pytest.mark.parametrize(
        "name, description, visibility",
        [
@@ -50,7 +61,7 @@ class TestProjectResource:
        assert result.id is not None
        assert result.name == name
        assert result.description == (description or "")
-        # we've disabled creation of public projects for now, they fall back to unlisted
+        # we've disabled creation of unlisted projects for now, they fall back to public
        if visibility == ProjectVisibility.UNLISTED:
            assert result.visibility == ProjectVisibility.PUBLIC
        else:
@@ -67,13 +78,32 @@ class TestProjectResource:
        assert result.created_at == test_project.created_at

    def test_project_get_permissions(
-        self, client: SpeckleClient, test_project: Project
+        self,
+        client: SpeckleClient,
+        second_client: SpeckleClient,
+        test_project: Project,
+        test_public_project: Project,
    ):
-        result = client.project.get_permissions(test_project.id)
+        result_private = client.project.get_permissions(test_project.id)
+
+        assert isinstance(result_private, ProjectPermissionChecks)
+        assert result_private.can_create_model.authorized is True
+        assert result_private.can_delete.authorized is True
+        assert result_private.can_load.authorized is True
+
+        result = client.project.get_permissions(test_public_project.id)

        assert isinstance(result, ProjectPermissionChecks)
        assert result.can_create_model.authorized is True
        assert result.can_delete.authorized is True
+        assert result.can_load.authorized is True
+
+        guest = second_client.project.get_permissions(test_public_project.id)
+
+        assert isinstance(result, ProjectPermissionChecks)
+        assert guest.can_create_model.authorized is False
+        assert guest.can_delete.authorized is False
+        assert guest.can_load.authorized is False

    def test_project_update(self, client: SpeckleClient, test_project: Project):
        new_name = "MY new name"
@@ -34,6 +34,10 @@ def is_public() -> bool:
    return os.getenv("IS_PUBLIC", "false").lower() == "true"


+def is_internal() -> bool:
+    return not is_public()
+
+
 def seed_user(host: str) -> Dict[str, str]:
    seed = uuid.uuid4().hex
    user_dict = {
Author	SHA1	Message	Date
Jedd Morgan	c53a51c8ad	Jrm/can create model ingestion (#486 ) Publish Python Package / test (push) Has been cancelled Details Publish Python Package / Build and Publish Python Package (push) Has been cancelled Details * Add `canCreateModelIngestion` model permission check * format * oops	2026-01-29 14:23:44 +00:00
Jedd Morgan	c1f27b78f9	feat(api)!: Add model permission checks (#485 ) * Add model permission checks * test_public * This is the real fix * mistake * public api resource	2026-01-29 12:04:21 +01:00
Jedd Morgan	49d4b7d44d	doc: MarkReceivedVersionInput clarification (#484 ) * MarkReceivedVersionInput clarification * Reformat	2026-01-27 19:52:30 +03:00
Jedd Morgan	7181f50dda	update nullability of invitedBy (#483 )	2026-01-15 20:06:13 +03:00