sciapp · flooobauer · Oct 16, 2025 · Oct 24, 2025 · Oct 29, 2025 · Nov 4, 2025
diff --git a/docs/developer_guide/api.rst b/docs/developer_guide/api.rst
@@ -537,6 +537,162 @@ Setting the permissions for anonymous users
     :statuscode 404: the object does not exist
 
 
+Reading all permissions of an object
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. http:get:: /api/v1/objects/(int:object_id)/permissions/
+
+    Get all permission mappings.
+
+    **Example request**:
+
+    .. sourcecode:: http
+
+        GET /api/v1/objects/1/permissions/ HTTP/1.1
+        Host: iffsamples.fz-juelich.de
+        Accept: application/json
+        Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
+
+    **Example response**:
+
+    .. sourcecode:: http
+
+        HTTP/1.1 200 OK
+        Content-Type: application/json
+
+        {
+            "users": {
+                1: "grant"
+            },
+            "groups": {
+                2: "read"
+            },
+            "projects": {
+                2: "read"
+            },
+            "authenticated_users" : "none",
+            "anonymous_users": "none"
+        }
+
+    :<json object users: user_ids and their associated permission for this object
+    :<json object groups: group_ids and their associated permission for this object
+    :<json object projects: project_ids and their associated permission for this object
+    :<json object authenticated_users: permission all authenticated users have to this object
+    :<json object anonymous_users: permission all users have to this object
+    :statuscode 200: no error
+    :statuscode 403: the user does not have READ permissions for this object
+    :statuscode 404: the object does not exist
+
+
+Setting all permissions of an object
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. http:put:: /api/v1/objects/(int:object_id)/permissions/
+
+    Set and/or change multiple permissions to the given object.
+    Does keep non-colliding permissions that are already set and will return all currently applied permissions for this object.
+
+    **Example request**:
+
+    .. sourcecode:: http
+
+        PUT /api/v1/objects/1/permissions/ HTTP/1.1
+        Host: iffsamples.fz-juelich.de
+        Content-Type: application/json
+        Accept: application/json
+        Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
+
+        {
+            "users": {
+                1: "grant"
+            },
+            "groups": {
+                2: "read"
+            },
+            "projects": {
+                2: "write"
+            },
+            "authenticated_users" : "none",
+            "anonymous_users": "none"
+        }
+    :<json object users: user_ids and their associated permission for this object (optional)
+    :<json object groups: group_ids and their associated permission for this object (optional)
+    :<json object projects: project_ids and their associated permission for this object (optional)
+    :<json object authenticated_users: permission all authenticated users have to this object (optional)
+    :<json object anonymous_users: permission all users have to this object (optional)
+
+    **Example response**:
+
+    .. sourcecode:: http
+
+        HTTP/1.1 200 OK
+        Content-Type: application/json
+
+        {
+            "users": {
+                1: "grant"
+            },
+            "groups": {
+                2: "read"
+            },
+            "projects": {
+                2: "write"
+            },
+            "authenticated_users" : "none",
+            "anonymous_users": "none"
+        }
+
+    :statuscode 200: no error
+    :statuscode 400: invalid data (should be "read", "write", "grant" or "none")
+    :statuscode 403: the user does not have GRANT permissions for this object
+    :statuscode 404: the object or user does not exist
+
+
+Copying all permissions from one object to another
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. http:post:: /api/v1/objects/permissions/copy/
+
+    Sets the permissions of the target object exactly to the permissions of the source object.
+    Request object can either be a list of objects or one object providing a source- and a target-object_id.
+
+    **Example request**:
+
+    .. sourcecode:: http
+
+        PUT /api/v1/objects/permissions/copy/ HTTP/1.1
+        Host: iffsamples.fz-juelich.de
+        Content-Type: application/json
+        Accept: application/json
+        Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
+
+        [
+            {
+                "source_object_id": 1,
+                "target_object_id": 3,
+            },
+            {
+                "source_object_id": 4,
+                "target_object_id": 2,
+            }
+        ]
+
+    :<json number source_object_id: the object_id from which the permissions should be copied
+    :<json number target_object_id: the object_id where the copied permissions should be applied to
+
+    **Example response**:
+
+    .. sourcecode:: http
+
+        HTTP/1.1 200 OK
+        Content-Type: application/json
+
+    :statuscode 200: no error
+    :statuscode 400: invalid data (must be either list of json objects or json object with properties 'source' and 'target')
+    :statuscode 403: user does not have GRANT permissions on 'target' object or READ permission on 'source' object
+    :statuscode 404: 'target' or 'source' object does not exist
+
+
 Reading all users' permissions
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

diff --git a/pyproject.toml b/pyproject.toml
@@ -22,6 +22,7 @@ authors = [
     { name="Nils Holle", email="[email protected]" },
     { name="Moritz Hannemann", email="[email protected]" },
     { name="Moritz Velde", email="[email protected]" },
+    { name="Florian Bauer", email="[email protected]" },
     { name="Dorothea Henkel" },
     { name="Du Kim Nguyen" },
     { name="Frederik Peters" },

diff --git a/sampledb/api/server/__init__.py b/sampledb/api/server/__init__.py
@@ -15,7 +15,7 @@
 from .instrument_log import InstrumentLogEntry, InstrumentLogEntries, InstrumentLogEntryVersions, InstrumentLogEntryVersion, InstrumentLogEntryFileAttachment, InstrumentLogEntryFileAttachments, InstrumentLogEntryObjectAttachment, InstrumentLogEntryObjectAttachments, InstrumentLogCategory, InstrumentLogCategories
 from .locations import Location, Locations, ObjectLocationAssignment, ObjectLocationAssignments, LocationType, LocationTypes
 from .object_log import ObjectLogEntries
-from .object_permissions import UsersObjectPermissions, UserObjectPermissions, GroupsObjectPermissions, GroupObjectPermissions, ProjectsObjectPermissions, ProjectObjectPermissions, PublicObjectPermissions, AuthenticatedUserObjectPermissions, AnonymousUserObjectPermissions
+from .object_permissions import ObjectPermissions, UsersObjectPermissions, UserObjectPermissions, GroupsObjectPermissions, GroupObjectPermissions, ProjectsObjectPermissions, ProjectObjectPermissions, PublicObjectPermissions, AuthenticatedUserObjectPermissions, AnonymousUserObjectPermissions, CopyObjectsPermissions
 from .users import CurrentUser, User, Users
 from .groups import Group, Groups
 from .projects import Project, Projects
@@ -50,10 +50,12 @@
 api.add_url_rule('/api/v1/locations/<int:location_id>', endpoint='location', view_func=Location.as_view('location'))
 api.add_url_rule('/api/v1/location_types/', endpoint='location_types', view_func=LocationTypes.as_view('location_types'))
 api.add_url_rule('/api/v1/location_types/<int(signed=True):location_type_id>', endpoint='location_type', view_func=LocationType.as_view('location_type'))
+api.add_url_rule('/api/v1/objects/permissions/copy/', endpoint='copy_objects_permissions', view_func=CopyObjectsPermissions.as_view('copy_objects_permissions'))
 api.add_url_rule('/api/v1/objects/<int:object_id>/files/', endpoint='object_files', view_func=ObjectFiles.as_view('object_files'))
 api.add_url_rule('/api/v1/objects/<int:object_id>/files/<int:file_id>', endpoint='object_file', view_func=ObjectFile.as_view('object_file'))
 api.add_url_rule('/api/v1/objects/<int:object_id>/locations/', endpoint='object_location_assignments', view_func=ObjectLocationAssignments.as_view('object_location_assignments'))
 api.add_url_rule('/api/v1/objects/<int:object_id>/locations/<int:object_location_assignment_index>', endpoint='object_location_assignment', view_func=ObjectLocationAssignment.as_view('object_location_assignment'))
+api.add_url_rule('/api/v1/objects/<int:object_id>/permissions/', endpoint='object_permissions', view_func=ObjectPermissions.as_view('object_permissions'))
 api.add_url_rule('/api/v1/objects/<int:object_id>/permissions/users/', endpoint='users_object_permissions', view_func=UsersObjectPermissions.as_view('users_object_permissions'))
 api.add_url_rule('/api/v1/objects/<int:object_id>/permissions/users/<int:user_id>', endpoint='user_object_permissions', view_func=UserObjectPermissions.as_view('user_object_permissions'))
 api.add_url_rule('/api/v1/objects/<int:object_id>/permissions/groups/', endpoint='groups_object_permissions', view_func=GroupsObjectPermissions.as_view('groups_object_permissions'))