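def member_delete(context, data_dict=None):
    '''
    Remove an object (e.g. a user, dataset or group) from a group.

    Custom organization permission handling added on top of CKAN's own
    member_delete action. When the object is a user, the caller's role and
    the target's current role in the group are looked up in
    ``settings.ORGANIZATION_MEMBER_PERMISSIONS`` (capacity ``'member'``)
    before CKAN's action runs; sysadmins always pass. For any other object
    type no local check is made and the decision is left entirely to
    CKAN's member_delete and its own auth function.

    :param context: CKAN action context; ``context['user']`` is the caller.
    :param data_dict: ``id`` (group), ``object`` (target user name) and
        ``object_type`` are required.
    :return: whatever CKAN's member_delete returns.
    :raises ckan.logic.NotAuthorized: if the caller's role may not remove
        a user holding the target's role.
    :raises ValidationError: (via _get_or_bust) if a required key is
        missing.
    '''
    # Keep the ``None`` default usable: ``.get`` on None raised
    # AttributeError before _get_or_bust could report the missing keys.
    data_dict = data_dict or {}
    _log_action('Member', 'delete', context['user'], data_dict.get('id'))

    # NOTE! CHANGING CKAN ORGANIZATION PERMISSIONS
    authz.ROLE_PERMISSIONS = settings.ROLE_PERMISSIONS

    user = context['user']
    user_id = authz.get_user_id_for_username(user, allow_none=True)
    group_id, target_name, obj_type = _get_or_bust(
        data_dict, ['id', 'object', 'object_type'])

    # Sysadmin can do anything; skip the role lookups entirely.
    if obj_type == 'user' and not authz.is_sysadmin(user):
        user_role = utils.get_member_role(group_id, user_id)
        target_id = authz.get_user_id_for_username(target_name, allow_none=True)
        target_role = utils.get_member_role(group_id, target_id)
        # "Self" only when both sides resolved to a real user. An unknown
        # caller and an unknown target are both None and must not compare
        # equal, otherwise the (None, None, 'member', True) key is consulted.
        is_self = user_id is not None and user_id == target_id
        if not settings.ORGANIZATION_MEMBER_PERMISSIONS.get(
                (user_role, target_role, 'member', is_self), False):
            raise ckan.logic.NotAuthorized(
                _("You don't have permission to remove this user."))

    return ckan.logic.action.delete.member_delete(context, data_dict)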
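def member_create(context, data_dict=None):
    '''
    Make an object (e.g. a user, dataset or group) a member of a group.

    Custom organization permission handling added on top of CKAN's own
    member_create action. When the object is a user, the caller's role, the
    target's current role in the group (or the requested ``capacity`` if
    the target is not a member yet) and the requested capacity are looked
    up in ``settings.ORGANIZATION_MEMBER_PERMISSIONS`` before CKAN's action
    runs; sysadmins always pass. For any other object type no local check
    is made and the decision is left to CKAN's member_create.

    :param context: CKAN action context; ``context['user']`` is the caller.
    :param data_dict: ``id`` (group), ``object`` (target user),
        ``object_type`` and ``capacity`` are required.
    :return: whatever CKAN's member_create returns.
    :raises ckan.logic.NotAuthorized: if the caller's role may not grant
        ``capacity`` to a user holding the target's role.
    :raises ValidationError: (via _get_or_bust) if a required key is
        missing.
    '''
    # Keep the ``None`` default usable: ``.get`` on None raised
    # AttributeError before _get_or_bust could report the missing keys.
    data_dict = data_dict or {}
    _log_action('Member', 'create', context['user'], data_dict.get('id'))

    # NOTE! CHANGING CKAN ORGANIZATION PERMISSIONS
    authz.ROLE_PERMISSIONS = settings.ROLE_PERMISSIONS

    user = context['user']
    user_id = authz.get_user_id_for_username(user, allow_none=True)
    group_id, obj_id, obj_type, capacity = _get_or_bust(
        data_dict, ['id', 'object', 'object_type', 'capacity'])

    # Sysadmin can do anything; skip the role lookups entirely.
    if obj_type == 'user' and not authz.is_sysadmin(user):
        user_role = utils.get_member_role(group_id, user_id)
        # ``object`` may arrive as a user name (member_delete treats it as
        # one) rather than an id. Resolve it the same way member_delete does
        # so the target's *existing* role is found whichever form the caller
        # sent; an unresolvable value is used as-is, as before.
        target_id = authz.get_user_id_for_username(obj_id, allow_none=True) or obj_id
        target_role = utils.get_member_role(group_id, target_id)
        if target_role is None:
            # Not a member yet: judge the request by the role being granted.
            target_role = capacity
        # "Self" only when both sides resolved to a real user, so that an
        # unknown caller (None) never matches an unresolved target.
        is_self = user_id is not None and user_id == target_id
        if not settings.ORGANIZATION_MEMBER_PERMISSIONS.get(
                (user_role, target_role, capacity, is_self), False):
            raise ckan.logic.NotAuthorized(
                _("You don't have permission to modify roles for this organization."))

    return ckan.logic.action.create.member_create(context, data_dict)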
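def package_owner_org_update(context, data_dict):
    '''
    Update the owning organization of a dataset.

    Used by both package_create and package_update. Authorization and the
    actual update are delegated to CKAN's package_owner_org_update; this
    wrapper applies no custom permission check of its own.

    :param context: CKAN action context.
    :param data_dict: ``id`` (dataset) and ``organization_id`` as expected
        by CKAN's package_owner_org_update.
    :return: whatever CKAN's package_owner_org_update returns.
    '''
    # The caller's organization role and the package are intentionally not
    # looked up here: the values were never used, and resolving the user via
    # ``model.User.by_name(...).id`` raised AttributeError for an unknown or
    # anonymous caller. Any custom role check belongs here, before delegating.
    return ckan.logic.action.update.package_owner_org_update(context, data_dict)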
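def check_private(key, data, errors, context):
    '''
    Validator: only organization editors and admins may make a dataset public.

    Changes to owner_org_validator require checking of the private value.

    :param key: flattened key of the ``private`` field being validated
    :param data: flattened data dict; ``(u'owner_org',)`` is read from it
    :param errors: errors dict (not used here)
    :param context: validation context; ``context['user']`` is the caller
    :return: nothing.
    :raises Invalid: if the dataset would be public (``private`` missing,
        falsy, or the form string ``u'False'``) and the caller is not an
        admin or editor of the owning organization.
    '''
    value = data.get(key)
    # A private dataset needs no further check; everything else (missing,
    # falsy, or the string u'False') is a request for a public dataset.
    if value and value != u'False':
        return

    # NOTE(review): sysadmins are not special-cased here; a sysadmin who is
    # not an admin/editor member of the organization is rejected like anyone
    # else. Confirm whether that is intended before changing it.
    is_editor = False
    user = context.get('user', False)
    if user:
        user_obj = User.get(user)
        # An unknown user name used to raise AttributeError on ``.id``; treat
        # it as "not an editor" so the validator reports Invalid instead.
        if user_obj is not None:
            role = utils.get_member_role(data.get((u'owner_org',)), user_obj.id)
            is_editor = role in ('admin', 'editor')
    if not is_editor:
        raise Invalid(_('Only organization\'s editors and admins can create a public dataset'))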