def package_create(context, data_dict=None):
user = context['user']
if new_authz.auth_is_anon_user(context):
check1 = all(new_authz.check_config_permission(p) for p in (
'anon_create_dataset',
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
))
else:
check1 = all(new_authz.check_config_permission(p) for p in (
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
)) or new_authz.has_user_permission_for_some_org(
user, 'create_dataset')
if not check1:
return {'success': False, 'msg': _('User %s not authorized to create packages') % user}
check2 = _check_group_auth(context,data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user}
# If an organization is given are we able to add a dataset to it?
data_dict = data_dict or {}
org_id = data_dict.get('owner_org')
if org_id and not new_authz.has_user_permission_for_group_or_org(
org_id, user, 'create_dataset'):
return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user}
return {'success': True}
def package_update(context, data_dict):
user = context.get('user')
package = logic_auth.get_package_object(context, data_dict)
if package.owner_org:
# if there is an owner org then we must have update_dataset
# premission for that organization
check1 = new_authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'update_dataset'
)
else:
# If dataset is not owned then we can edit if config permissions allow
if not new_authz.auth_is_anon_user(context):
check1 = new_authz.check_config_permission(
'create_dataset_if_not_in_organization')
else:
check1 = new_authz.check_config_permission('anon_create_dataset')
if not check1:
return {'success': False,
'msg': _('User %s not authorized to edit package %s') %
(str(user), package.id)}
else:
check2 = _check_group_auth(context, data_dict)
if not check2:
return {'success': False,
'msg': _('User %s not authorized to edit these groups') %
(str(user))}
return {'success': True}
def package_create(context, data_dict=None):
user = context['user']
user_roles = user_custom_roles(context, data_dict)
if 'datovy-kurator' in user_roles:
return {'success': True}
if new_authz.auth_is_anon_user(context):
check1 = all(new_authz.check_config_permission(p) for p in (
'anon_create_dataset',
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
))
else:
check1 = all(new_authz.check_config_permission(p) for p in (
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
)) or new_authz.has_user_permission_for_some_org(
user, 'create_dataset')
if not check1:
return {'success': False, 'msg': _('User %s not authorized to create packages') % user}
check2 = _check_group_auth(context,data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user}
# If an organization is given are we able to add a dataset to it?
data_dict = data_dict or {}
org_id = data_dict.get('owner_org')
if org_id and not new_authz.has_user_permission_for_group_or_org(
org_id, user, 'create_dataset'):
return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user}
return {'success': True}
def datahub_package_create(context, data_dict):
from ckan.logic.auth.create import _check_group_auth
if authz.is_sysadmin(context.get('user')):
return {'success': True}
user = context['user']
if not authz.auth_is_registered_user():
if '/new' in c.environ['PATH_INFO']:
h.redirect_to(CREATE_DATASET_HELP_PAGE)
else:
return {'success': False, 'msg': _('You must login to create a dataset')}
check1 = authz.check_config_permission('create_dataset_if_not_in_organization') \
or authz.check_config_permission('create_unowned_dataset')
#if not authorized and not a part of any org, redirect to help page on how to join one
if not check1 and not authz.has_user_permission_for_some_org(user, 'create_dataset'):
if '/new' in c.environ['PATH_INFO']:
h.redirect_to(CREATE_DATASET_HELP_PAGE)
else:
return {'success': False, 'msg': _('User %s not authorized to create packages') % user}
check2 = _check_group_auth(context,data_dict)
if not check2 and not check1:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user}
# If an organization is given are we able to add a dataset to it?
data_dict = data_dict or {}
org_id = data_dict.get('organization_id')
if org_id and not authz.has_user_permission_for_group_or_org(
org_id, user, 'create_dataset'):
return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user}
return {'success': True}
def owner_org_validator(key, data, errors, context):
value = data.get(key)
if value is missing or value is None:
if not new_authz.check_config_permission('create_unowned_dataset'):
raise Invalid(_('A organization must be supplied'))
data.pop(key, None)
raise df.StopOnError
model = context['model']
user = context['user']
user = model.User.get(user)
if value == '' :
if not new_authz.check_config_permission('create_unowned_dataset'):
raise Invalid(_('A organization must be supplied'))
package = context.get('package')
# only sysadmins can remove datasets from org
if package and package.owner_org and not user.sysadmin:
raise Invalid(_('You cannot remove a dataset from an existing organization'))
return
group = model.Group.get(value)
if not group:
raise Invalid(_('Organization does not exist'))
group_id = group.id
if not(user.sysadmin or
new_authz.has_user_permission_for_group_or_org(
group_id, user.name, 'create_dataset')):
raise Invalid(_('You cannot add a dataset to this organization'))
data[key] = group_id
def owner_org_validator(key, data, errors, context):
value = data.get(key)
if value is missing or value is None:
if not new_authz.check_config_permission('create_unowned_dataset'):
raise Invalid(_('A organization must be supplied'))
data.pop(key, None)
raise df.StopOnError
model = context['model']
user = context['user']
user = model.User.get(user)
if value == '':
if not new_authz.check_config_permission('create_unowned_dataset'):
raise Invalid(_('A organization must be supplied'))
package = context.get('package')
# only sysadmins can remove datasets from org
if package and package.owner_org and not user.sysadmin:
raise Invalid(
_('You cannot remove a dataset from an existing organization'))
return
group = model.Group.get(value)
if not group:
raise Invalid(_('Organization does not exist'))
group_id = group.id
if not (user.sysadmin or new_authz.has_user_permission_for_group_or_org(
group_id, user.name, 'create_dataset')):
raise Invalid(_('You cannot add a dataset to this organization'))
data[key] = group_id
def datahub_package_create(context, data_dict):
from ckan.logic.auth.create import _check_group_auth
if new_authz.is_sysadmin(context.get('user')):
return {'success': True}
user = context['user']
if not new_authz.auth_is_registered_user():
return {'success': False, 'msg': _('You must login to create a dataset')}
else:
check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization') \
or new_authz.check_config_permission('create_unowned_dataset')
if not check1 and not new_authz.has_user_permission_for_some_org(user, 'create_dataset'):
h.redirect_to('/pages/requesting-an-organization')
if not check1:
return {'success': False, 'msg': _('User %s not authorized to create packages') % user}
check2 = _check_group_auth(context,data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user}
# If an organization is given are we able to add a dataset to it?
data_dict = data_dict or {}
org_id = data_dict.get('organization_id')
if org_id and not new_authz.has_user_permission_for_group_or_org(
org_id, user, 'create_dataset'):
return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user}
return {'success': True}
def datahub_package_create(context, data_dict):
from ckan.logic.auth.create import _check_group_auth
if new_authz.is_sysadmin(context.get('user')):
return {'success': True}
user = context['user']
if not new_authz.auth_is_registered_user():
if '/new' in c.environ['PATH_INFO']:
h.redirect_to(CREATE_DATASET_HELP_PAGE)
else:
return {
'success': False,
'msg': _('You must login to create a dataset')
}
check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization') \
or new_authz.check_config_permission('create_unowned_dataset')
#if not authorized and not a part of any org, redirect to help page on how to join one
if not check1 and not new_authz.has_user_permission_for_some_org(
user, 'create_dataset'):
if '/new' in c.environ['PATH_INFO']:
h.redirect_to(CREATE_DATASET_HELP_PAGE)
else:
return {
'success': False,
'msg': _('User %s not authorized to create packages') % user
}
check2 = _check_group_auth(context, data_dict)
if not check2 and not check1:
return {
'success': False,
'msg': _('User %s not authorized to edit these groups') % user
}
# If an organization is given are we able to add a dataset to it?
data_dict = data_dict or {}
org_id = data_dict.get('organization_id')
if org_id and not new_authz.has_user_permission_for_group_or_org(
org_id, user, 'create_dataset'):
return {
'success':
False,
'msg':
_('User %s not authorized to add dataset to this organization') %
user
}
return {'success': True}
def user_create(context, data_dict=None):
using_api = 'api_version' in context
create_user_via_api = new_authz.check_config_permission(
'create_user_via_api')
create_user_via_web = new_authz.check_config_permission(
'create_user_via_web')
if using_api and not create_user_via_api:
return {'success': False, 'msg': _('User {user} not authorized to '
'create users via the API').format(user=context.get('user'))}
if not using_api and not create_user_via_web:
return {'success': False, 'msg': _('Not authorized to '
'create users')}
return {'success': True}
def user_create(context, data_dict=None):
using_api = 'api_version' in context
create_user_via_api = new_authz.check_config_permission(
'create_user_via_api')
create_user_via_web = new_authz.check_config_permission(
'create_user_via_web')
if using_api and not create_user_via_api:
return {'success': False, 'msg': _('User {user} not authorized to '
'create users via the API').format(user=context.get('user'))}
if not using_api and not create_user_via_web:
return {'success': False, 'msg': _('Not authorized to '
'create users')}
return {'success': True}
def package_create(context, data_dict=None):
import ckan.new_authz as new_authz
from ckan.logic.auth.create import _check_group_auth
user = context['user']
if new_authz.auth_is_anon_user(context):
check1 = new_authz.check_config_permission('anon_create_dataset')
else:
# CKAN default options that grant any user rights to create datasets removed here.
check1 = new_authz.has_user_permission_for_some_org(user, 'create_dataset')
if not check1:
return {'success': False, 'msg': _('User %s not authorized to create packages') % user}
check2 = _check_group_auth(context,data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user}
# If an organization is given are we able to add a dataset to it?
data_dict = data_dict or {}
org_id = data_dict.get('organization_id')
if org_id and not new_authz.has_user_permission_for_group_or_org(org_id, user, 'create_dataset'):
return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user}
# Note the default value True except when we're actually trying to create a new dataset...
if data_dict:
org_id = data_dict.get('owner_org')
if org_id and not new_authz.has_user_permission_for_group_or_org(org_id, user, 'create_dataset'):
return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user}
elif not org_id:
return {'success': False}
return {'success': True}
def organization_create(context, data_dict):
""" This overrides CKAN's auth function to make sure that user has permission to use a specific parent organization. """
if not c.userobj:
return {'success': False, 'msg': _('Only registered users can create organizations')}
# Check that user has admin permissions in selected parent organizations
if data_dict and data_dict.get('groups'):
admin_in_orgs = model.Session.query(model.Member).filter(model.Member.state == 'active').filter(model.Member.table_name == 'user') \
.filter(model.Member.capacity == 'admin').filter(model.Member.table_id == c.userobj.id)
for group in data_dict['groups']:
if any(group['name'] == admin_org.group.name for admin_org in admin_in_orgs):
break
else:
return {'success': False, 'msg': _('User %s is not administrator in the selected parent organization') % context['user']}
check = _check_public_adminstration_flag(context, data_dict)
if check:
return check
if new_authz.check_config_permission('user_create_organizations'):
return {'success': True}
return {'success': False,
'msg': _('User %s not authorized to create organizations') % context['user']}
def test_roles_that_cascade_to_sub_groups_is_a_list(self):
assert_equals(
sorted(
auth.check_config_permission(
'roles_that_cascade_to_sub_groups')),
sorted(['admin', 'editor']))
def kata_owner_org_validator(key, data, errors, context):
'''
Modified version of CKAN's owner_org_validator. Anyone
can add a private dataset to an organisation
:param key: key
:param data: data
:param errors: errors
:param context: context
:return: nothing. Raise invalid if organisation is not given or it doesn't exist
'''
value = data.get(key)
if value is missing or not value:
if not new_authz.check_config_permission('create_unowned_dataset'):
raise Invalid(_('An organization must be supplied'))
data.pop(key, None)
raise df.StopOnError
model = context['model']
group = model.Group.get(value)
if not group:
raise Invalid(_('Organization does not exist'))
group_id = group.id
data[key] = group_id
def organization_create(context, data_dict=None):
user = context['user']
user = new_authz.get_user_id_for_username(user, allow_none=True)
if user and new_authz.check_config_permission('user_create_organizations'):
return {'success': True}
return {'success': False,
'msg': _('User %s not authorized to create organizations') % user}
def user_create(context, data_dict=None):
user = context['user']
if ('api_version' in context
and not new_authz.check_config_permission('create_user_via_api')):
return {'success': False, 'msg': _('User %s not authorized to create users') % user}
else:
return {'success': True}
def package_create(context, data_dict=None):
user = context['user']
if not new_authz.auth_is_registered_user():
check1 = new_authz.check_config_permission('anon_create_dataset')
else:
check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization') \
or new_authz.has_user_permission_for_some_org(user, 'create_dataset')
if not check1:
return {'success': False, 'msg': _('User %s not authorized to create packages') % user}
else:
check2 = _check_group_auth(context,data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % str(user)}
return {'success': True}
def organization_create(context, data_dict=None):
user = context['user']
user = new_authz.get_user_id_for_username(user, allow_none=True)
if user and new_authz.check_config_permission('user_create_organizations'):
return {'success': True}
return {'success': False,
'msg': _('User %s not authorized to create organizations') % user}
def user_create(context, data_dict=None):
user = context['user']
if ('api_version' in context
and not new_authz.check_config_permission('create_user_via_api')):
return {'success': False, 'msg': _('User %s not authorized to create users') % user}
else:
return {'success': True}
def package_create(context, data_dict=None):
user = context['user']
if not new_authz.auth_is_registered_user():
check1 = new_authz.check_config_permission('anon_create_dataset')
else:
check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization') \
or new_authz.has_user_permission_for_some_org(user, 'create_dataset')
if not check1:
return {'success': False, 'msg': _('User %s not authorized to create packages') % user}
else:
check2 = _check_group_auth(context,data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % str(user)}
return {'success': True}
def package_create(context, data_dict=None):
import ckan.new_authz as new_authz
from ckan.logic.auth.create import _check_group_auth
user = context['user']
if new_authz.auth_is_anon_user(context):
check1 = new_authz.check_config_permission(
'anon_create_dataset')
else:
# CKAN default options that grant any user rights to create datasets removed here.
check1 = new_authz.has_user_permission_for_some_org(
user, 'create_dataset')
if not check1:
return {
'success': False,
'msg':
_('User %s not authorized to create packages') % user
}
check2 = _check_group_auth(context, data_dict)
if not check2:
return {
'success': False,
'msg':
_('User %s not authorized to edit these groups') % user
}
# If an organization is given are we able to add a dataset to it?
data_dict = data_dict or {}
org_id = data_dict.get('organization_id')
if org_id and not new_authz.has_user_permission_for_group_or_org(
org_id, user, 'create_dataset'):
return {
'success':
False,
'msg':
_('User %s not authorized to add dataset to this organization'
) % user
}
# Note the default value True except when we're actually trying to create a new dataset...
if data_dict:
org_id = data_dict.get('owner_org')
if org_id and not new_authz.has_user_permission_for_group_or_org(
org_id, user, 'create_dataset'):
return {
'success':
False,
'msg':
_('User %s not authorized to add dataset to this organization'
) % user
}
elif not org_id:
return {'success': False}
return {'success': True}
def group_delete(context, data_dict):
group = get_group_object(context, data_dict)
user = context["user"]
if not new_authz.check_config_permission("user_delete_groups"):
return {"success": False, "msg": _("User %s not authorized to delete groups") % user}
authorized = new_authz.has_user_permission_for_group_or_org(group.id, user, "delete")
if not authorized:
return {"success": False, "msg": _("User %s not authorized to delete group %s") % (user, group.id)}
else:
return {"success": True}
def group_delete(context, data_dict):
group = get_group_object(context, data_dict)
user = context['user']
if not new_authz.check_config_permission('user_delete_groups'):
return {'success': False,
'msg': _('User %s not authorized to delete groups') % user}
authorized = new_authz.has_user_permission_for_group_or_org(
group.id, user, 'delete')
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to delete group %s') % (user ,group.id)}
else:
return {'success': True}
def organization_delete(context, data_dict):
group = get_group_object(context, data_dict)
user = context['user']
if not new_authz.check_config_permission('user_delete_organizations'):
return {'success': False,
'msg': _('User %s not authorized to delete organizations') % user}
authorized = new_authz.has_user_permission_for_group_or_org(
group.id, user, 'delete')
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to delete organization %s') % (user ,group.id)}
else:
return {'success': True}
def package_update(context, data_dict):
user = context.get("user")
package = get_package_object(context, data_dict)
if package.owner_org:
# if there is an owner org then we must have update_dataset
# premission for that organization
check1 = new_authz.has_user_permission_for_group_or_org(package.owner_org, user, "update_dataset")
else:
# If dataset is not owned then we can edit if config permissions allow
if new_authz.auth_is_registered_user():
check1 = new_authz.check_config_permission("create_dataset_if_not_in_organization")
else:
check1 = new_authz.check_config_permission("anon_create_dataset")
if not check1:
return {"success": False, "msg": _("User %s not authorized to edit package %s") % (str(user), package.id)}
else:
check2 = _check_group_auth(context, data_dict)
if not check2:
return {"success": False, "msg": _("User %s not authorized to edit these groups") % str(user)}
return {"success": True}
def package_create(context, data_dict=None):
user = context['user']
if not new_authz.auth_is_registered_user():
check1 = new_authz.check_config_permission('anon_create_dataset')
else:
check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization') \
or new_authz.has_user_permission_for_some_org(user, 'create_dataset')
if not check1:
return {'success': False, 'msg': _('User %s not authorized to create packages') % user}
check2 = _check_group_auth(context,data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user}
# If an organization is given are we able to add a dataset to it?
data_dict = data_dict or {}
org_id = data_dict.get('organization_id')
if org_id and not new_authz.has_user_permission_for_group_or_org(
org_id, user, 'create_dataset'):
return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user}
return {'success': True}
def package_update(context, data_dict):
user = context.get('user')
package = get_package_object(context, data_dict)
if package.owner_org:
check1 = new_authz.has_user_permission_for_group_or_org(package.owner_org, user, 'update_dataset')
else:
check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization')
if not check1:
return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)}
else:
check2 = _check_group_auth(context,data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % str(user)}
return {'success': True}
def owner_org_validator(key, data, errors, context):
value = data.get(key)
if value is missing or not value:
if not new_authz.check_config_permission('create_unowned_dataset'):
raise Invalid(_('A organization must be supplied'))
data.pop(key, None)
raise df.StopOnError
model = context['model']
group = model.Group.get(value)
if not group:
raise Invalid(_('Organization does not exist'))
group_id = group.id
user = context['user']
user = model.User.get(user)
if not(user.sysadmin or user.is_in_group(group_id)):
raise Invalid(_('You cannot add a dataset to this organization'))
data[key] = group_id
def owner_org_validator(key, data, errors, context):
value = data.get(key)
if value is missing or not value:
if not new_authz.check_config_permission('create_unowned_dataset'):
raise Invalid(_('A organization must be supplied'))
data.pop(key, None)
raise df.StopOnError
model = context['model']
group = model.Group.get(value)
if not group:
raise Invalid(_('Organization does not exist'))
group_id = group.id
user = context['user']
user = model.User.get(user)
if not(user.sysadmin or user.is_in_group(group_id)):
raise Invalid(_('You cannot add a dataset to this organization'))
data[key] = group_id
def test_config_overrides_default(self):
assert_equals(auth.check_config_permission(
'anon_create_dataset'),
True)
def test_get_default_value_if_not_set_in_config(self):
assert_equals(auth.check_config_permission(
'anon_create_dataset'),
auth.CONFIG_PERMISSIONS_DEFAULTS['anon_create_dataset'])
def test_default_roles_that_cascade_to_sub_groups_is_a_list(self):
assert isinstance(
auth.check_config_permission('roles_that_cascade_to_sub_groups'),
list)
def test_roles_that_cascade_to_sub_groups_is_a_list(self):
assert_equals(sorted(auth.check_config_permission(
'roles_that_cascade_to_sub_groups')),
sorted(['admin', 'editor']))
def test_config_override_also_works_with_prefix(self):
assert_equals(
auth.check_config_permission('ckan.auth.anon_create_dataset'),
True)
def test_unknown_permission_not_in_config_returns_false(self):
assert_equals(auth.check_config_permission('unknown_permission'),
False)
def test_get_default_value_also_works_with_prefix(self):
assert_equals(
auth.check_config_permission('ckan.auth.anon_create_dataset'),
auth.CONFIG_PERMISSIONS_DEFAULTS['anon_create_dataset'])
def test_config_overrides_default(self):
assert_equals(auth.check_config_permission('anon_create_dataset'),
True)
def test_get_default_value_if_not_set_in_config(self):
assert_equals(auth.check_config_permission('anon_create_dataset'),
auth.CONFIG_PERMISSIONS_DEFAULTS['anon_create_dataset'])
def test_unknown_permission_not_in_config_returns_false(self):
assert_equals(auth.check_config_permission(
'unknown_permission'),
False)
def test_get_default_value_also_works_with_prefix(self):
assert_equals(auth.check_config_permission(
'ckan.auth.anon_create_dataset'),
auth.CONFIG_PERMISSIONS_DEFAULTS['anon_create_dataset'])
def test_config_override_also_works_with_prefix(self):
assert_equals(auth.check_config_permission(
'ckan.auth.anon_create_dataset'),
True)
def test_default_roles_that_cascade_to_sub_groups_is_a_list(self):
assert isinstance(auth.check_config_permission(
'roles_that_cascade_to_sub_groups'),
list)
