def get(self, group_type, is_organization, id=None):
extra_vars = {}
set_org(is_organization)
context = self._prepare(id)
user = request.params.get(u'user')
data_dict = {u'id': id}
data_dict['include_datasets'] = False
group_dict = _action(u'group_show')(context, data_dict)
roles = _action(u'member_roles_list')(context, {
u'group_type': group_type
})
if user:
user_dict = get_action(u'user_show')(context, {u'id': user})
user_role =\
authz.users_role_for_group_or_org(id, user) or u'member'
# TODO: Remove
g.user_dict = user_dict
extra_vars["user_dict"] = user_dict
else:
user_role = u'member'
# TODO: Remove
g.group_dict = group_dict
g.roles = roles
g.user_role = user_role
extra_vars = {
u"group_dict": group_dict,
u"roles": roles,
u"user_role": user_role,
u"group_type": group_type
}
return base.render(_replace_group_org(u'group/member_new.html'),
extra_vars)
def package_create(next_auth, context, data_dict):
'''
:param next_auth:
:param context:
:param data_dict:
'''
user = context['auth_user_obj']
if data_dict and 'owner_org' in data_dict:
role = users_role_for_group_or_org(data_dict['owner_org'], user.name)
if role == 'member':
return {
'success': True
}
else:
# If there is no organisation, then this should return success if the user can
# create datasets for *some* organisation (see the ckan implementation), so
# either if anonymous packages are allowed or if we have member status in any
# organisation.
if has_user_permission_for_some_org(user.name, 'read'):
return {
'success': True
}
return next_auth(context, data_dict)
def get(self, group_type, is_organization, id=None):
extra_vars = {}
set_org(is_organization)
context = self._prepare(id)
user = request.params.get(u'user')
data_dict = {u'id': id}
data_dict['include_datasets'] = False
group_dict = _action(u'group_show')(context, data_dict)
roles = _action(u'member_roles_list')(context, {
u'group_type': group_type
})
if user:
user_dict = get_action(u'user_show')(context, {u'id': user})
user_role =\
authz.users_role_for_group_or_org(id, user) or u'member'
# TODO: Remove
g.user_dict = user_dict
extra_vars["user_dict"] = user_dict
else:
user_role = u'member'
# TODO: Remove
g.group_dict = group_dict
g.roles = roles
g.user_role = user_role
extra_vars = {
u"group_dict": group_dict,
u"roles": roles,
u"user_role": user_role,
u"group_type": group_type
}
return base.render(_replace_group_org(u'group/member_new.html'),
extra_vars)
def member_new(self, id):
group_type = self._ensure_controller_matches_group_type(id)
context = {'model': model, 'session': model.Session,
'user': c.user or c.author}
#self._check_access('group_delete', context, {'id': id})
try:
data_dict = {'id': id}
data_dict['include_datasets'] = False
c.group_dict = self._action('group_show')(context, data_dict)
c.roles = self._action('member_roles_list')(
context, {'group_type': group_type}
)
if request.method == 'POST':
data_dict = clean_dict(dict_fns.unflatten(
tuplize_dict(parse_params(request.params))))
data_dict['id'] = id
email = data_dict.get('email')
if email:
users_model = context['model']
result = users_model.User.by_email(email)
if result:
message = _(u'User with this {email} email already exists.').format(
email=email)
raise ValidationError({'message': message}, error_summary=message)
else:
user_data_dict = {
'email': email,
'group_id': data_dict['id'],
'role': data_dict['role']
}
del data_dict['email']
user_dict = self._action('user_invite')(
context, user_data_dict)
data_dict['username'] = user_dict['name']
c.group_dict = self._action('group_member_create')(
context, data_dict)
self._redirect_to_this_controller(action='members', id=id)
else:
user = request.params.get('user')
if user:
c.user_dict = \
get_action('user_show')(context, {'id': user})
c.user_role = \
authz.users_role_for_group_or_org(id, user) or 'member'
else:
c.user_role = 'member'
except NotAuthorized:
abort(401, _('Unauthorized to add member to group %s') % '')
except NotFound:
abort(404, _('Group not found'))
except ValidationError, e:
h.flash_error(e.error_summary)
def ckan_get_user_role_in_group(group_id, context=None):
# type: (str, OptionalCkanContext) -> Optional[str]
"""Get the current user's role in a group / organization
"""
user = _get_username(context)
if not user:
return None
return users_role_for_group_or_org(group_id, user)
def package_show(context, data_dict=None):
# Identify the current package
package = get_package_object(context, data_dict)
# If the package isn't private, allow anyone to view the dataset
if (package.private):
# Check the currently logged in user
user = context.get('user')
# If the user is part of the organization that
# owns this dataset, allow access as normal.
if (authz.users_role_for_group_or_org(package.owner_org, user) !=
None):
return {'success': True}
# Modify the context to allow for all datasets to be searched
context['ignore_capacity_check'] = True
# Get all groups in the CKAN instance
all_groups = get.group_list(context, data_dict)
# Iterate through all of the groups
for group in all_groups:
# Use the group ID to collect all packages owned by a group
current_group = get.group_package_show(context, {'id': group})
# Skip if the current group has no packages
if (len(current_group) > 0):
# Iterate through all packages in a group
for i in range(len(current_group)):
# Get the title of the package
group_package_title = str(current_group[i]['name'])
# If the user has any affiliation with the group that
# contains this package, allow access to the package.
if ((group_package_title == str(package.name))
and (authz.users_role_for_group_or_org(
group, user) != None)):
return {'success': True}
# Otherwise deny access to the package.
return {'success': False}
# If the package isn't private, allow access to the package.
return {'success': True}
def member_new(self, id):
context = {
'model': model,
'session': model.Session,
'user': c.user or c.author
}
#self._check_access('group_delete', context, {'id': id})
try:
data_dict = {'id': id}
data_dict['include_datasets'] = False
c.group_dict = self._action('group_show')(context, data_dict)
group_type = 'organization' if c.group_dict[
'is_organization'] else 'group'
c.roles = self._action('member_roles_list')(
context, {
'group_type': group_type
})
if request.method == 'POST':
data_dict = clean_dict(
dict_fns.unflatten(
tuplize_dict(parse_params(request.params))))
data_dict['id'] = id
email = data_dict.get('email')
if email:
user_data_dict = {
'email': email,
'group_id': data_dict['id'],
'role': data_dict['role']
}
del data_dict['email']
user_dict = self._action('user_invite')(context,
user_data_dict)
data_dict['username'] = user_dict['name']
c.group_dict = self._action('group_member_create')(context,
data_dict)
self._redirect_to(controller='group', action='members', id=id)
else:
user = request.params.get('user')
if user:
c.user_dict = get_action('user_show')(context, {
'id': user
})
c.user_role = authz.users_role_for_group_or_org(
id, user) or 'member'
else:
c.user_role = 'member'
except NotAuthorized:
abort(401, _('Unauthorized to add member to group %s') % '')
except NotFound:
abort(404, _('Group not found'))
except ValidationError, e:
h.flash_error(e.error_summary)
def owner_org_validator(key, data, errors, context):
owner_org = data.get(key)
user = context['auth_user_obj']
if owner_org is not missing and owner_org is not None and owner_org != '':
role = users_role_for_group_or_org(owner_org, user.name)
if role == 'member':
return
default_oov(key, data, errors, context)
def member_new(self, id):
group_type = self._ensure_controller_matches_group_type(id)
context = {'model': model, 'session': model.Session, 'user': c.user}
try:
self._check_access('group_member_create', context, {'id': id})
except NotAuthorized:
abort(403, _('Unauthorized to create group %s members') % '')
try:
data_dict = {'id': id}
data_dict['include_datasets'] = False
c.group_dict = self._action('group_show')(context, data_dict)
c.roles = self._action('member_roles_list')(
context, {
'group_type': group_type
})
if request.method == 'POST':
data_dict = clean_dict(
dict_fns.unflatten(
tuplize_dict(parse_params(request.params))))
data_dict['id'] = id
email = data_dict.get('email')
if email:
user_data_dict = {
'email': email,
'group_id': data_dict['id'],
'role': data_dict['role']
}
del data_dict['email']
user_dict = self._action('user_invite')(context,
user_data_dict)
data_dict['username'] = user_dict['name']
c.group_dict = self._action('group_member_create')(context,
data_dict)
self._redirect_to_this_controller(action='members', id=id)
else:
user = request.params.get('user')
if user:
c.user_dict = \
get_action('user_show')(context, {'id': user})
c.user_role = \
authz.users_role_for_group_or_org(id, user) or 'member'
else:
c.user_role = 'member'
except NotAuthorized:
abort(403, _('Unauthorized to add member to group %s') % '')
except NotFound:
abort(404, _('Group not found'))
except ValidationError as e:
h.flash_error(e.error_summary)
return self._render_template('group/member_new.html', group_type)
def member_new(self, id):
group_type = self._ensure_controller_matches_group_type(id)
context = {'model': model, 'session': model.Session,
'user': c.user}
try:
self._check_access('group_member_create', context, {'id': id})
except NotAuthorized:
abort(403, _('Unauthorized to create group %s members') % '')
try:
data_dict = {'id': id}
data_dict['include_datasets'] = False
c.group_dict = self._action('group_show')(context, data_dict)
c.roles = self._action('member_roles_list')(
context, {'group_type': group_type}
)
if request.method == 'POST':
data_dict = clean_dict(dict_fns.unflatten(
tuplize_dict(parse_params(request.params))))
data_dict['id'] = id
email = data_dict.get('email')
if email:
user_data_dict = {
'email': email,
'group_id': data_dict['id'],
'role': data_dict['role']
}
del data_dict['email']
user_dict = self._action('user_invite')(
context, user_data_dict)
data_dict['username'] = user_dict['name']
c.group_dict = self._action('group_member_create')(
context, data_dict)
h.redirect_to(group_type + '_members', id=id)
else:
user = request.params.get('user')
if user:
c.user_dict = \
get_action('user_show')(context, {'id': user})
c.user_role = \
authz.users_role_for_group_or_org(id, user) or 'member'
else:
c.user_role = 'member'
except NotAuthorized:
abort(403, _('Unauthorized to add member to group %s') % '')
except NotFound:
abort(404, _('Group not found'))
except ValidationError as e:
h.flash_error(e.error_summary)
return self._render_template('group/member_new.html', group_type)
def user_is_member_of_package_org(user, package):
"""Return True if the package is in an organization and the user has the member role in that organization
@param user: A user object
@param package: A package object
@return: True if the user has the 'member' role in the organization that owns the package, False otherwise
"""
if package.owner_org:
role_in_org = users_role_for_group_or_org(package.owner_org, user.name)
if role_in_org == 'member':
return True
return False
def member_new(self, id):
context = {'model': model, 'session': model.Session,
'user': c.user or c.author}
#self._check_access('group_delete', context, {'id': id})
try:
data_dict = {'id': id}
data_dict['include_datasets'] = False
c.group_dict = self._action('group_show')(context, data_dict)
group_type = 'organization' if c.group_dict['is_organization'] else 'group'
c.roles = self._action('member_roles_list')(
context, {'group_type': group_type}
)
if request.method == 'POST':
data_dict = clean_dict(dict_fns.unflatten(
tuplize_dict(parse_params(request.params))))
data_dict['id'] = id
email = data_dict.get('email')
if email:
user_data_dict = {
'email': email,
'group_id': data_dict['id'],
'role': data_dict['role']
}
del data_dict['email']
user_dict = self._action('user_invite')(context,
user_data_dict)
data_dict['username'] = user_dict['name']
c.group_dict = self._action('group_member_create')(context, data_dict)
self._redirect_to(controller='group', action='members', id=id)
else:
user = request.params.get('user')
if user:
c.user_dict = get_action('user_show')(context, {'id': user})
c.user_role = authz.users_role_for_group_or_org(id, user) or 'member'
else:
c.user_role = 'member'
except NotAuthorized:
abort(401, _('Unauthorized to add member to group %s') % '')
except NotFound:
abort(404, _('Group not found'))
except ValidationError, e:
h.flash_error(e.error_summary)
def package_create(context, data_dict):
user = context['auth_user_obj']
if data_dict and 'owner_org' in data_dict:
role = users_role_for_group_or_org(data_dict['owner_org'], user.name)
if role == 'member':
return {'success': True}
else:
# If there is no organization, then this should return success if the user can create datasets for *some*
# organisation (see the ckan implementation), so either if anonymous packages are allowed or if we have
# member status in any organization.
if has_user_permission_for_some_org(user.name, 'read'):
return {'success': True}
fallback = get_default_auth('create', 'package_create')
return fallback(context, data_dict)
def create(self, entity):
user = toolkit.g.userobj
if authz.is_sysadmin(user.name):
return
parents = entity.get_parent_group_hierarchy('organization')
if parents:
parent = parents[-1]
role = authz.users_role_for_group_or_org(parent.id, user.name)
if not role or role != 'admin':
raise ValidationError({
'parent': [
'You do not belong to the selected parent organisation'
]
})
def owner_org_validator(key, data, errors, context):
'''
:param key:
:param data:
:param errors:
:param context:
'''
owner_org = data.get(key)
if owner_org is not toolkit.missing and owner_org is not None and owner_org != '':
if context.get('auth_user_obj', None) is not None:
username = context['auth_user_obj'].name
else:
username = context['user']
role = users_role_for_group_or_org(owner_org, username)
if role == 'member':
return
default_owner_org_validator(key, data, errors, context)
def member_new(self, id):
group_type = self._ensure_controller_matches_group_type(id)
context = {"model": model, "session": model.Session, "user": c.user}
# self._check_access('group_delete', context, {'id': id})
try:
data_dict = {"id": id}
data_dict["include_datasets"] = False
c.group_dict = self._action("group_show")(context, data_dict)
c.roles = self._action("member_roles_list")(context, {"group_type": group_type})
if request.method == "POST":
data_dict = clean_dict(dict_fns.unflatten(tuplize_dict(parse_params(request.params))))
data_dict["id"] = id
email = data_dict.get("email")
if email:
user_data_dict = {"email": email, "group_id": data_dict["id"], "role": data_dict["role"]}
del data_dict["email"]
user_dict = self._action("user_invite")(context, user_data_dict)
data_dict["username"] = user_dict["name"]
c.group_dict = self._action("group_member_create")(context, data_dict)
self._redirect_to_this_controller(action="members", id=id)
else:
user = request.params.get("user")
if user:
c.user_dict = get_action("user_show")(context, {"id": user})
c.user_role = authz.users_role_for_group_or_org(id, user) or "member"
else:
c.user_role = "member"
except NotAuthorized:
abort(403, _("Unauthorized to add member to group %s") % "")
except NotFound:
abort(404, _("Group not found"))
except ValidationError, e:
h.flash_error(e.error_summary)
def can_request_doi(user, data):
'''
Determine whether the user can request a doi for a package.
'''
# If we can request doi outside of orgs, allow everyone to request.
if toolkit.asbool(config.get('ckanext.doi.doi_request_only_in_orgs')) \
is False:
return True
if user:
user_obj = toolkit.get_action('user_show')(
data_dict={'id': user})
# Sysadmins can do anything
if user_obj['sysadmin']:
return True
org_id = data.get('owner_org') or data.get('group_id') \
or data.get(('owner_org',), None)
# ckanext.doi.doi_request_only_in_orgs must be True, so we need a user and
# an org
if not user or not org_id:
return False
# Roles authorized if ckanext.doi.doi_request_roles_in_orgs if not defined
# in config.
default_roles = "admin editor"
# Is the user's role in the allowed roles list?
user_role = authz.users_role_for_group_or_org(org_id, user)
if user_role in config.get("ckanext.doi.doi_request_roles_in_orgs",
default_roles).split():
return True
return False
def member_new(self, id):
# FIXME: heavily customized version of GroupController.member_new
# that is tied to our particular auth mechanism and permissions
# This would be better in the idir extension
import ckan.lib.navl.dictization_functions as dict_fns
import ckan.authz as authz
context = {'model': model, 'session': model.Session,
'user': c.user or c.author}
errors = {}
try:
group_type = 'organization'
data_dict = {'id': id}
data_dict['include_datasets'] = False
c.group_dict = self._action('organization_show')(context, {'id' : data_dict['id']})
c.roles = self._action('member_roles_list')(context, {'group_type': group_type})
if request.method == 'POST':
data_dict = clean_dict(dict_fns.unflatten(
tuplize_dict(parse_params(request.params))))
data_dict['id'] = id
idir_account = data_dict.get('idir')
if idir_account:
'''
Check if the account has only alphanumeric characters
'''
import re
name_match = re.compile('[a-z0-9_\-]*$')
if not name_match.match(idir_account) :
errors['idir'] = _('must be purely lower case alphanumeric (ascii) characters and these symbols: -_')
vars = {'data': data_dict, 'errors': errors}
return render('organization/member_new.html', extra_vars=vars)
try:
user_dict = get_action('user_show')(context, {'id': idir_account.lower(), 'include_datasets': False})
except NotFound:
user_dict = {}
if not user_dict :
user_data_dict = {
'name': idir_account.lower(),
'email': '*****@*****.**',
'password' : 't35tu53r'
}
del data_dict['idir']
user_dict = self._action('user_create')(context,
user_data_dict)
data_dict['username'] = user_dict['name']
data_dict['role'] = data_dict.get('role', 'editor')
c.group_dict = self._action('group_member_create')(context, data_dict)
self._redirect_to_this_controller(action='members', id=id)
else:
user = request.params.get('user')
if user:
c.user_dict = get_action('user_show')(context, {'id': user})
c.user_role = authz.users_role_for_group_or_org(id, user) or 'member'
else:
c.user_role = 'member'
except NotAuthorized:
abort(401, _('Unauthorized to add member to group %s') % '')
except NotFound:
abort(404, _('Group not found'))
except ValidationError, e:
h.flash_error(e.error_summary)
def member_new(self, id):
# FIXME: heavily customized version of GroupController.member_new
# that is tied to our particular auth mechanism and permissions
# This would be better in the idir extension
import ckan.lib.navl.dictization_functions as dict_fns
import ckan.authz as authz
context = {
'model': model,
'session': model.Session,
'user': c.user or c.author
}
errors = {}
try:
group_type = 'organization'
data_dict = {'id': id}
data_dict['include_datasets'] = False
c.group_dict = self._action('organization_show')(
context, {
'id': data_dict['id']
})
c.roles = self._action('member_roles_list')(
context, {
'group_type': group_type
})
if request.method == 'POST':
data_dict = clean_dict(
dict_fns.unflatten(
tuplize_dict(parse_params(request.params))))
data_dict['id'] = id
idir_account = data_dict.get('idir')
if idir_account:
'''
Check if the account has only alphanumeric characters
'''
import re
name_match = re.compile('[a-z0-9_\-]*$')
if not name_match.match(idir_account):
errors['idir'] = _(
'must be purely lower case alphanumeric (ascii) characters and these symbols: -_'
)
vars = {'data': data_dict, 'errors': errors}
return render('organization/member_new.html',
extra_vars=vars)
try:
user_dict = get_action('user_show')(
context, {
'id': idir_account.lower(),
'include_datasets': False
})
except NotFound:
user_dict = {}
if not user_dict:
user_data_dict = {
'name': idir_account.lower(),
'email': '*****@*****.**',
'password': '******'
}
del data_dict['idir']
user_dict = self._action('user_create')(context,
user_data_dict)
data_dict['username'] = user_dict['name']
data_dict['role'] = data_dict.get('role', 'editor')
c.group_dict = self._action('group_member_create')(context,
data_dict)
self._redirect_to_this_controller(action='members', id=id)
else:
user = request.params.get('user')
if user:
c.user_dict = get_action('user_show')(context, {
'id': user
})
c.user_role = authz.users_role_for_group_or_org(
id, user) or 'member'
else:
c.user_role = 'member'
except NotAuthorized:
abort(401, _('Unauthorized to add member to group %s') % '')
except NotFound:
abort(404, _('Group not found'))
except ValidationError, e:
h.flash_error(e.error_summary)
def role_in_org(organization_id, user_name):
return authz.users_role_for_group_or_org(organization_id, user_name)
