def package_update(context, data_dict): user = context.get('user') package = logic_auth.get_package_object(context, data_dict) if package.owner_org: # if there is an owner org then we must have update_dataset # premission for that organization check1 = new_authz.has_user_permission_for_group_or_org( package.owner_org, user, 'update_dataset' ) else: # If dataset is not owned then we can edit if config permissions allow if not new_authz.auth_is_anon_user(context): check1 = new_authz.check_config_permission( 'create_dataset_if_not_in_organization') else: check1 = new_authz.check_config_permission('anon_create_dataset') if not check1: return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)} else: check2 = _check_group_auth(context, data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % (str(user))} return {'success': True}
def hri_package_update(context, data_dict): if is_harvester(context, data_dict): return {'success': False, 'msg': _('Harvesters are not authorized to update packages')} else: user = context['model'].User.get(context['user']) # Check that we have a logged in user. if not user: return {'success': False, 'msg': _('Not authorized to update datasets without a valid login')} # Is the user an admin? if user.sysadmin: return {'success': True} # Does the user have global update rights through WordPress? if hri_auth('ckan_update_datasets'): return {'success': True} # Finally check if the user has update rights through the dataset's organization. # Modified version of /ckan/logic/auth/update.py:package_update from core to suit our needs. package = get_package_object(context, data_dict) if package.owner_org: import ckan.new_authz as new_authz check1 = new_authz.has_user_permission_for_group_or_org( package.owner_org, user.name, 'update_dataset' ) if check1: return {'success': True} return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)}
def package_show(context, data_dict): user = context.get('user') package = get_package_object(context, data_dict) # draft state indicates package is still in the creation process # so we need to check we have creation rights. if package.state.startswith('draft'): auth = new_authz.is_authorized('package_update', context, data_dict) authorized = auth.get('success') elif package.owner_org is None and package.state == 'active': return {'success': True} else: # anyone can see a public package if not package.private and package.state == 'active': return {'success': True} authorized = new_authz.has_user_permission_for_group_or_org( package.owner_org, user, 'read') if not authorized: return { 'success': False, 'msg': _('User %s not authorized to read package %s') % (user, package.id) } else: return {'success': True}
def datapackage_show(context, data_dict): """ Generate the data required for a datapackage for the specified package. """ model = context["model"] try: p.toolkit.check_access("package_show", context, data_dict) pkg = get_package_object(context, data_dict).as_dict() except logic.NotFound: p.toolkit.abort(404) datapackage = { "id": pkg["id"], "name": pkg["name"], "title": pkg["title"], "license": LICENSE_LOOKUP.get(pkg["license_id"], ""), "resources": [], } if pkg["notes"]: datapackage["description"] = pkg["notes"] try: package_zip = PackageZip.get_for_package(pkg["id"]) datapackage["filepath"] = package_zip.filepath except Exception, ex: pass
def donl_package_update(context, data_dict): model = context['model'] user = context.get('user') user_obj = model.User.get(user) package = get_package_object(context, data_dict) # Allow sysadmins to edit anything if user_obj.sysadmin: return {'success': True} # Leave the core CKAN auth to work out the hierarchy stuff result = ckan.logic.auth.update.package_update(context, data_dict) # Check extras for donl_data_eigenaar # When extras contains a value for donl_data_eigenaar, don't authorize when package maintainer does not match extras value # TODO Should we authorize the user anyway if he is the owner of this dataset? extras = UserExtra.get_extra(user_obj.id) if extras and extras.get('donl_data_eigenaar'): result['success'] = result['success'] and ( extras.get('donl_data_eigenaar') == package.maintainer) log.debug( 'Allow donl_package_update? %s (pkg: %s - pkg.mnt: %s - user.mnt: %s', result['success'], package.name, package.maintainer, extras.get('donl_data_eigenaar')) return result
def dgu_package_update(context, data_dict): model = context['model'] user = context.get('user') user_obj = model.User.get( user ) package = get_package_object(context, data_dict) # Allow sysadmins to edit anything # This includes UKLP harvested datasets. # Note: the harvest user *is* a sysadmin # Note: if changing this, check the code and comments in # ckanext/forms/dataset_form.py:DatasetForm.form_to_db_schema_options() # Sysadmins can edit ONS packages. # Note: the dgu user *is* a sysadmin if user_obj.sysadmin: return {'success': True} fail = {'success': False, 'msg': _('User %s not authorized to edit packages in these groups') % str(user)} # UKLP datasets cannot be edited by the average admin/editor because they # are harvested if package.extras.get('UKLP', '') == 'True': return fail # ONSHUB datasets cannot be edited by the average admin/editor because they # are automatically updated if package.extras.get('external_reference') == 'ONSHUB': return fail # Leave the core CKAN auth to work out the hierarchy stuff return ckan.logic.auth.update.package_update(context, data_dict)
def package_update(context, data_dict): """Overrides CKAN auth function to support personal datasets setting in organizations""" result = _auth_update.package_update(context, data_dict) if result['success']: user = logic_auth.get_user_object(context, {'id': context.get('user')}) package = logic_auth.get_package_object(context, data_dict) # Showcases don't have organizations if package.type != "showcase": org = logic_auth.get_group_object(context, {'id': package.owner_org}) personal_datasets = 'personal_datasets' in org.extras.get( 'features', []) if personal_datasets and package.creator_user_id != user.id: result = { 'success': False, 'msg': _('Cannot modify dataset because of organization policy') } return result
def _get_owner_org(self, context, data_dict, action): owner_org = None # Check the context so we find the relevant org if 'resource' in context and 'resource' in action: resource = context['resource'] owner_org = resource.extras.get('owner_org', None) if owner_org is None: owner_org = resource.package.owner_org elif 'group' in context: owner_org = logic_auth.get_group_object(context, data_dict).id elif 'owner_org' in data_dict: owner_org = data_dict.get('owner_org') elif 'package' in context and 'package' in action: package = context['package'] owner_org = package.owner_org elif 'org_data' in data_dict: org_data = data_dict['org_data'] owner_org = org_data.get('id', None) else: try: package = logic_auth.get_package_object(context, data_dict) except (ValidationError, NotFound): package = None if package is None: try: owner_org = logic_auth.get_group_object( context, data_dict).id except (ValidationError, NotFound): owner_org = None else: owner_org = package.owner_org return owner_org
def is_owner(context, data_dict): ''' This is used in "request edit rights" feature. Checks if the user is creator, admin or editor of the package in question :param context: context :param data_dict: package data :type data_dict: dictionary :rtype: dictionary ''' # Package creator is always owner regardless of organizations pkg = context.get('package', None) or Package.get(data_dict['id']) user = context.get('user', False) # If user id can't be resolved, user can't be owner try: user_id = convert_user_name_or_id_to_id(user, context) except: return {'success': False} if pkg.creator_user_id == user_id: return {'success': True} # Check if the user has editor rights to this dataset through an organization package = get_package_object(context, data_dict) if authz.has_user_permission_for_group_or_org(package.owner_org, user, 'delete_dataset'): return {'success': True} return {'success': False}
def journal_package_update(context, data_dict): """override ckan package_update. allow creator to update package if package is private and not in review. 'create_dataset' permission must be set in CKAN """ user = context.get('auth_user_obj') pkg_obj = get_package_object(context, data_dict) review_state_map = { 'true': True, 'false': False, 'reauthor': False, 'reviewed': False } def inreview(): if pkg_obj.state == 'draft': return False pkg_dict = tk.get_action('package_show')(None, {'id': pkg_obj.id}) return review_state_map.get(helpers.in_review(pkg_dict)) if user.id == getattr(pkg_obj, 'creator_user_id', False): private = getattr(pkg_obj, 'private', False) return {'success': private and not inreview()} return ckan_pkgupdate(context, data_dict)
def package_delete(context, data_dict): ''' Modified check from CKAN, whether the user has a permission to delete the package. In addition to privileges given by CKAN's authorisation, also the package owner has full privileges in Kata. :param context: context :type context: dictionary :param data_dict: package data :type data_dict: dictionary :rtype: dictionary with 'success': True|False ''' user = context['user'] package = get_package_object(context, data_dict) if is_owner(context, data_dict)['success'] == True: # if h.check_access('package_delete', data_dict): return {'success': True} else: authorized = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'delete_dataset') if not authorized: return { 'success': False, 'msg': _('User %s not authorized to delete package %s') % (str(user), package.id) } else: return {'success': True}
def dgu_dataset_delete(context, data_dict): """ Determines whether a dataset's state can be set to "deleted". Currently only sysadmin users can do this, apart from UKLP. """ model = context['model'] user = context.get('user') if not user: return {'success': False} user_obj = model.User.get(user) package = get_package_object(context, data_dict) # Sysadmin can delete any package, including UKLP if user_obj.sysadmin: return {'success': True} # Don't allow admin/editor to delete # * apart from UKLP datasets which CAN be withdrawn by the appropriate # admin/editor because they are all live services, so can't be cached to # preserve them without the service provider's help if package.extras.get('UKLP', '') != 'True': return {'success': False} # Leave the core CKAN auth to work out the hierarchy stuff return ckan.logic.auth.delete.package_delete(context, data_dict)
def dgu_package_update(context, data_dict): model = context['model'] user = context.get('user') user_obj = model.User.get(user) package = get_package_object(context, data_dict) # Allow sysadmins to edit anything # This includes UKLP harvested and organogram datasets. # Note: the harvest user *is* a sysadmin # Note: if changing this, check the code and comments in # ckanext/forms/dataset_form.py:DatasetForm.form_to_db_schema_options() if user_obj.sysadmin: return {'success': True} # UKLP datasets and other harvested datasets cannot be edited by the # average admin/editor because changes will be overwritten on next harvest. if dgu_helpers.was_dataset_harvested(package.extras): return {'success': False, 'msg': _('User %s not authorized to edit harvested datasets') % str(user)} # Organogram datasets are managed by Drupal via the API if dgu_helpers.is_dataset_organogram(package.extras): return {'success': False, 'msg': _('User %s not authorized to edit organogram datasets') % str(user)} # Leave the core CKAN auth to work out the hierarchy stuff return ckan.logic.auth.update.package_update(context, data_dict)
def package_update(fb, context, data_dict): user = context['auth_user_obj'] package = get_package_object(context, data_dict) if user_owns_package_as_member(user, package): return {'success': True} return fb(context, data_dict)
def is_owner(context, data_dict): ''' This is used in "request edit rights" feature. Checks if the user is admin or editor of the package in question :param context: context :param data_dict: package data :type data_dict: dictionary :rtype: dictionary ''' pkg = context.get('package', None) roles = pkg.roles if pkg else Package.get(data_dict['id']).roles user = context.get('user', False) if user: for role in roles: ruser = User.get(role.user.id) if user == ruser.name and role.role in ('admin', 'editor'): return {'success': True} # Check if the user has editor rights to this dataset through an organization package = get_package_object(context, data_dict) if new_authz.has_user_permission_for_group_or_org(package.owner_org, user, 'delete_dataset'): return {'success': True} return {'success': False}
def datapackage_show(context, data_dict): """ Generate the data required for a datapackage for the specified package. """ model = context['model'] try: p.toolkit.check_access('package_show', context, data_dict) pkg = get_package_object(context, data_dict).as_dict() except logic.NotFound: p.toolkit.abort(404) datapackage = { 'id': pkg['id'], 'name': pkg['name'], 'title': pkg['title'], 'license': LICENSE_LOOKUP.get(pkg['license_id'], ''), 'resources': [], } if pkg['notes']: datapackage['description'] = pkg['notes'] try: package_zip = PackageZip.get_for_package(pkg['id']) datapackage['filepath'] = package_zip.filepath except Exception, ex: pass
def package_update(context, data_dict): ''' Customised package_update auth overrides default ckan behaviour. Packages that have been imported by the RDF importer should not be edited via the web interface. But obviously, they need to be updateable via the API. RDF-imported packages are identified by having an 'rdf' field. ''' authorised_by_core = publisher_auth.update.package_update( context, data_dict) if authorised_by_core['success'] is False: return authorised_by_core elif 'api_version' in context: return authorised_by_core else: package = ckan_auth.get_package_object(context, data_dict) if 'rdf' in package.extras: return { 'success': False, 'msg': 'Not authorized to edit RDF-imported datasets by hand. ' 'Please re-import this dataset instead.' } else: return authorised_by_core
def dgu_package_update(context, data_dict): model = context['model'] user = context.get('user') user_obj = model.User.get(user) package = get_package_object(context, data_dict) if Authorizer().is_sysadmin(user_obj): return {'success': True} # Only sysadmins can edit UKLP packages. # Note: the harvest user *is* a sysadmin # Note: if changing this, check the code and comments in # ckanext/forms/dataset_form.py:DatasetForm.form_to_db_schema_options() if package.extras.get('UKLP', '') == 'True': return { 'success': False, 'msg': _('User %s not authorized to edit packages in these groups') % str(user) } if not user_obj or \ not _groups_intersect( user_obj.get_groups('publisher'), package.get_groups('publisher') ): return { 'success': False, 'msg': _('User %s not authorized to edit packages of this publisher') % str(user) } return {'success': True}
def package_show(context, data_dict): model = context['model'] user = context.get('user') package = get_package_object(context, data_dict) authorized = logic.check_access_old(package, model.Action.READ, context) if not authorized: return { 'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user), package.id) } else: # draft state indicates package is still in the creation process # so we need to check we have creation rights. if package.state.startswith('draft'): auth = ckan.new_authz.is_authorized('package_update', context, data_dict) if not auth.get('success'): msg = _('User %s not authorized to read package %s') \ % (str(user),package.id) return {'success': False, 'msg': msg} return {'success': True}
def resource_show(context, data_dict): '''Override ckan's auth function ''' resource_id = data_dict.get('id') acls = model.Session.query(ResourceAcl).filter( ResourceAcl.resource_id == resource_id).all() resource_obj = get_resource_object(context, data_dict) package_obj = get_package_object(context, {'id': resource_obj.package_id}) # user = context.get('user') # userobj = model.User.get(user) user_obj = model.User.get(context.get('user')) if user_obj: user_id = user_obj.id org_ids = user_obj.get_group_ids('organization') for acl in acls: if acl.auth_id == user_id and acl.auth_type == 'user': return {'success': acl.permission == 'read'} for acl in acls: if acl.auth_id in org_ids and acl.auth_type == 'org' and acl.permission == 'read': return {'success': True} if package_obj.owner_org in org_ids: return {'success': True} # If there was an ACL and didn't get a match block access if acls: return {'success': False} # Otherwise default to package permissions return ckan_package_show(context, {'id': resource_obj.package_id})
def package_show(context, data_dict): """ Package show permission checks the user group if the state is deleted """ model = context['model'] package = get_package_object(context, data_dict) if package.state == 'deleted': if 'ignore_auth' in context and context['ignore_auth']: return {'success': True} user = context.get('user') if not user: return {'success': False, 'msg': _('User not authorized to read package %s') % (package.id)} userobj = model.User.get( user ) if Authorizer().is_sysadmin(unicode(user)): return {'success': True} if not userobj: return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)} if not _groups_intersect( userobj.get_groups('publisher'), package.get_groups('publisher') ): return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)} return {'success': True}
def package_update(context, data_dict): user = context.get('user') user_obj = context.get('auth_user_obj') package = logic_auth.get_package_object(context, data_dict) # Only the package creator can update it if package and user_obj and package.creator_user_id == user_obj.id: return {'success': True} # if the user has rights to update a dataset in the organization or in the group if package and package.owner_org: authorized = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'update_dataset') else: authorized = False if not authorized: return { 'success': False, 'msg': _('User %s is not authorized to edit package %s') % (user, package.id) } else: return {'success': True}
def package_update(context, data_dict): user = context['auth_user_obj'] package = get_package_object(context, data_dict) if user_owns_package_as_member(user, package): return {'success': True} fallback = get_default_auth('update', 'package_update') return fallback(context, data_dict)
def package_update(context, data_dict): package = logic_auth.get_package_object(context, data_dict) workflow, _ = workflow_helpers.get_workflow_from_package(package) stage = workflow_helpers.get_stage_from_package(package) if stage != workflow.finish: return auth_update.package_update(context, data_dict) return _success(False, 'Cannot edit published dataset')
def _package_update(context, data_dict=None): user = context["user"] package = auth.get_package_object(context, data_dict) if package and package.type == "article": return {"success": False, "msg": _("User %s not authorized to update articles") % user} return auth.update.package_update(context, data_dict)
def managing_users_package_update(context, data_dict): user = context.get('user') package = logic_auth.get_package_object(context, data_dict) extras = dict([(key, value) for key, value in package.extras.items()]) if package.owner_org: # if there is an owner org then we must have update_dataset # permission for that organization check1 = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'update_dataset') #Managing users have to be specified for datasets within an organization managing_users = extras.get('managing_users', '') managing_users = managing_users.split(',') check1 = check1 and context['auth_user_obj'].name in managing_users else: # If dataset is not owned then we can edit if config permissions allow if authz.auth_is_anon_user(context): check1 = all( authz.check_config_permission(p) for p in ( 'anon_create_dataset', 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) else: check1 = all( authz.check_config_permission(p) for p in ( 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) or authz.has_user_permission_for_some_org( user, 'create_dataset') #Managing users have to be specified for datasets without owner #Else only creator can edit the dataset managing_users = extras.get('managing_users', '') managing_users = managing_users.split(',') check1 = check1 and context['auth_user_obj'].name in managing_users if context['auth_user_obj'].id == package.creator_user_id: #If user is the creator of the package, he can edit it regardless check1 = True if not check1: return { 'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id) } else: check2 = _check_group_auth(context, data_dict) if not check2: return { 'success': False, 'msg': _('User %s not authorized to edit these groups') % (str(user)) } return {'success': True}
def resource_show(context, data_dict): user = context.get('user') user_obj = context.get('auth_user_obj') resource = logic_auth.get_resource_object(context, data_dict) # check authentication against package package_dict = {'id': resource.package_id} package = logic_auth.get_package_object(context, package_dict) if not package: raise tk.ObjectNotFound( _('No package found for this resource, cannot check auth.')) if package and user_obj and package.creator_user_id == user_obj.id: return {'success': True} # active packages can only be seen by its owners if package.state == 'active': # anyone can see a public package if not package.private: return {'success': True} # if the user has rights to read in the organization or in the group if package.owner_org: authorized = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'read') else: authorized = False if not authorized: # Init the model db.init_db(context['model']) # Branch not executed if the database return an empty list if db.AllowedUser.get(package_id=package.id, user_name=user): authorized = True if not authorized: return { 'success': False, 'msg': _('User %s not authorized to read resource %s') % (user, resource.id) } else: return {'success': True} else: return { 'success': False, 'msg': _('User %s not authorized to read resource %s') % (user, resource.id) }
def package_delete(context, data_dict): user = context['user'] package = get_package_object(context, data_dict) authorized = new_authz.has_user_permission_for_group_or_org(package.owner_org, user, 'delete_dataset') if not authorized: return {'success': False, 'msg': _('User %s not authorized to delete package %s') % (user, package.id)} else: return {'success': True}
def resource_create(fb, context, data_dict): user = context['auth_user_obj'] package = get_package_object(context, data_dict) if user_owns_package_as_member(user, package): return {'success': True} elif user_is_member_of_package_org(user, package): return {'success': False} return fb(context, data_dict)
def package_edit_permissions(context, data_dict): model = context['model'] user = context['user'] package = get_package_object(context, data_dict) authorized = logic.check_access_old(package, model.Action.EDIT_PERMISSIONS, context) if not authorized: return {'success': False, 'msg': _('User %s not authorized to edit permissions of package %s') % (str(user),package.id)} else: return {'success': True}
def resource_create(context, data_dict): user = context['auth_user_obj'] package = get_package_object(context, data_dict) if user_owns_package_as_member(user, package): return {'success': True} elif user_is_member_of_package_org(user, package): return {'success': False} fallback = get_default_auth('create', 'resource_create') return fallback(context, data_dict)
def package_change_state(context, data_dict): user = context['user'] package = get_package_object(context, data_dict) # use the logic for package_update authorized = new_authz.is_authorized_boolean('package_update', context, data_dict) if not authorized: return {'success': False, 'msg': _('User %s not authorized to change state of package %s') % (str(user),package.id)} else: return {'success': True}
def _package_review(context, data_dict=None): can_update = tk.check_access('package_update', context, data_dict) if can_update: package = logic_auth.get_package_object(context, data_dict) creator_user_id = converters.convert_user_name_or_id_to_id(tk.c.user, context) if package and (package.maintainer == tk.c.user or package.creator_user_id == creator_user_id): return {'success': True } return {'success': False, 'msg': 'Not allowed to update suspended packages'}
def package_show(context, data_dict): model = context['model'] user = context.get('user') package = get_package_object(context, data_dict) authorized = logic.check_access_old(package, model.Action.READ, context) if not authorized: return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)} else: return {'success': True}
def package_delete(context, data_dict): model = context['model'] user = context['user'] package = get_package_object(context, data_dict) authorized = logic.check_access_old(package, model.Action.PURGE, context) if not authorized: return {'success': False, 'msg': _('User %s not authorized to delete package %s') % (str(user),package.id)} else: return {'success': True}
def package_change_state(context, data_dict): model = context['model'] user = context['user'] package = get_package_object(context, data_dict) authorized = check_access_old(package, model.Action.CHANGE_STATE, context) if not authorized: return {'success': False, 'msg': _('User %s not authorized to change state of package %s') % (str(user),package.id)} else: return {'success': True}
def csc_auth_package_activity_list_html(context, data_dict): user = context.get('user') package = logic_auth.get_package_object(context, data_dict) authorized = False if package.owner_org: authorized = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'update_dataset') if not authorized: return {'success': False, 'msg': _('Unauthorized to see this content')} return {'success': True}
def package_change_state(context, data_dict): model = context['model'] user = context['user'] package = get_package_object(context, data_dict) authorized = logic.check_access_old(package, model.Action.CHANGE_STATE, context) if not authorized: return {'success': False, 'msg': _('User %s not authorized to change state of package %s') % (str(user),package.id)} else: return {'success': True}
def package_show(context, data_dict): model = context['model'] user = context.get('user') package = get_package_object(context, data_dict) authorized = check_access_old(package, model.Action.READ, context) if not authorized: return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)} else: return {'success': True}
def package_update(context, data_dict): model = context['model'] user = context.get('user') package = logic_auth.get_package_object(context, data_dict) if package.owner_org: # if there is an owner org then we must have update_dataset # permission for that organization check1 = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'update_dataset') else: # If dataset is not owned then we can edit if config permissions allow if authz.auth_is_anon_user(context): check1 = all( authz.check_config_permission(p) for p in ( 'anon_create_dataset', 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) else: check1 = all( authz.check_config_permission(p) for p in ( 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) or authz.has_user_permission_for_some_org( user, 'create_dataset') if not check1: success = False if authz.check_config_permission('allow_dataset_collaborators'): # if org-level auth failed, check dataset-level auth # (ie if user is a collaborator) user_obj = model.User.get(user) if user_obj: success = authz.user_is_collaborator_on_dataset( user_obj.id, package.id, ['admin', 'editor']) if not success: return { 'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id) } else: check2 = _check_group_auth(context, data_dict) if not check2: return { 'success': False, 'msg': _('User %s not authorized to edit these groups') % (str(user)) } return {'success': True}
def test_get_package_object_with_id(self): user_name = helpers.call_action('get_site_user')['name'] dataset = helpers.call_action('package_create', context={'user': user_name}, name='test_dataset') context = {'model': core_model} obj = logic_auth.get_package_object(context, {'id': dataset['id']}) assert obj.id == dataset['id'] assert context['package'] == obj
def package_update(context, data_dict): '''Only allow creator of a package to update it ''' user = context.get('user') user_obj = model.User.get(user) package = logic_auth.get_package_object(context, data_dict) if package.creator_user_id == user_obj.id: return {'success': True } else: return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)}
def package_delete(context, data_dict): user = context.get('user') package = logic_auth.get_package_object(context, data_dict) can_package_update = new_authz.is_authorized( 'package_update', context, {'id': package.id}) if can_package_update.get('success'): return can_package_update else: return {'success': False, 'msg': _('User %s not authorized to delete package %s') % (str(user), package.id)}
def package_change_state(context, data_dict): user = context["user"] package = get_package_object(context, data_dict) # use the logic for package_update authorized = new_authz.is_authorized_boolean("package_update", context, data_dict) if not authorized: return { "success": False, "msg": _("User %s not authorized to change state of package %s") % (str(user), package.id), } else: return {"success": True}
def package_change_state(context, data_dict): model = context["model"] user = context["user"] package = get_package_object(context, data_dict) authorized = check_access_old(package, model.Action.CHANGE_STATE, context) if not authorized: return { "success": False, "msg": _("User %s not authorized to change state of package %s") % (str(user), package.id), } else: return {"success": True}
def package_edit_permissions(context, data_dict): model = context["model"] user = context["user"] package = get_package_object(context, data_dict) authorized = check_access_old(package, model.Action.EDIT_PERMISSIONS, context) if not authorized: return { "success": False, "msg": _("User %s not authorized to edit permissions of package %s") % (str(user), package.id), } else: return {"success": True}
def managing_users_package_update(context, data_dict): user = context.get('user') package = logic_auth.get_package_object(context, data_dict) extras = dict([(key, value) for key, value in package.extras.items()]) if package.owner_org: # if there is an owner org then we must have update_dataset # permission for that organization check1 = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'update_dataset' ) #Managing users have to be specified for datasets within an organization managing_users = extras.get('managing_users', '') managing_users = managing_users.split(',') check1 = check1 and context['auth_user_obj'].name in managing_users else: # If dataset is not owned then we can edit if config permissions allow if authz.auth_is_anon_user(context): check1 = all(authz.check_config_permission(p) for p in ( 'anon_create_dataset', 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) else: check1 = all(authz.check_config_permission(p) for p in ( 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) or authz.has_user_permission_for_some_org( user, 'create_dataset') #Managing users have to be specified for datasets without owner #Else only creator can edit the dataset managing_users = extras.get('managing_users', '') managing_users = managing_users.split(',') check1 = check1 and context['auth_user_obj'].name in managing_users if context['auth_user_obj'].id == package.creator_user_id: #If user is the creator of the package, he can edit it regardless check1 = True if not check1: return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)} else: check2 = _check_group_auth(context, data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % (str(user))} return {'success': True}
def package_update(context, data_dict): model = context['model'] user = context.get('user') package = get_package_object(context, data_dict) check1 = logic.check_access_old(package, model.Action.EDIT, context) if not check1: return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)} else: check2 = _check_group_auth(context,data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % str(user)} return {'success': True}