def _get_recipients(context, dataset): organization = dataset.owner_org if not organization: return [] org_obj = model.Group.get(organization) if not org_obj: return [] recipients = [] roles = authz.get_roles_with_permission('update_dataset') for role in roles: members = p.toolkit.get_action('member_list')( context, data_dict={ 'id': organization, 'object_type': 'user', 'capacity': role, } ) for member in members: recipients.append(dict( user_id=member[0], capacity=member[2], organization_name=org_obj.name, organization_title=org_obj.title, )) return recipients
def _get_recipients(context, dataset): organization = dataset.owner_org if not organization: return [] org_obj = model.Group.get(organization) if not org_obj: return [] recipients = [] roles = authz.get_roles_with_permission('update_dataset') for role in roles: members = p.toolkit.get_action('member_list')(context, data_dict={ 'id': organization, 'object_type': 'user', 'capacity': role, }) for member in members: recipients.append( dict( user_id=member[0], capacity=member[2], organization_name=org_obj.name, organization_title=org_obj.title, )) return recipients
def _has_user_permission_for_some_group(user_name, permission): """Check if the user has the given permission for any group. """ user_id = authz.get_user_id_for_username(user_name, allow_none=True) if not user_id: return False roles = authz.get_roles_with_permission(permission) if not roles: return False # get any groups the user has with the needed role q = model.Session.query(model.Member) \ .filter(model.Member.table_name == 'user') \ .filter(model.Member.state == 'active') \ .filter(model.Member.capacity.in_(roles)) \ .filter(model.Member.table_id == user_id) group_ids = [] for row in q.all(): group_ids.append(row.group_id) # if not in any groups has no permissions if not group_ids: return False # see if any of the groups are active q = model.Session.query(model.Group) \ .filter(model.Group.state == 'active') \ .filter(model.Group.id.in_(group_ids)) return bool(q.count())
def group_list_authz(context, data_dict): '''Return the list of groups that the user is authorized to edit. :param available_only: remove the existing groups in the package (optional, default: ``False``) :type available_only: boolean :param am_member: if ``True`` return only the groups the logged-in user is a member of, otherwise return all groups that the user is authorized to edit (for example, sysadmin users are authorized to edit all groups) (optional, default: ``False``) :type am-member: boolean :returns: list of dictized groups that the user is authorized to edit :rtype: list of dicts ''' model = context['model'] user = context['user'] available_only = data_dict.get('available_only', False) am_member = data_dict.get('am_member', False) group_type = data_dict.get('type', 'group') _check_access('group_list_authz', context, data_dict) sysadmin = authz.is_sysadmin(user) roles = authz.get_roles_with_permission('manage_group') if not roles: return [] user_id = authz.get_user_id_for_username(user, allow_none=True) if not user_id: return [] if not sysadmin or am_member: q = model.Session.query(model.Member) \ .filter(model.Member.table_name == 'user') \ .filter(model.Member.capacity.in_(roles)) \ .filter(model.Member.table_id == user_id) \ .filter(model.Member.state == 'active') group_ids = [] for row in q.all(): group_ids.append(row.group_id) if not group_ids: return [] q = model.Session.query(model.Group) \ .filter(model.Group.is_organization == False) \ .filter(model.Group.state == 'active') \ .filter(model.Group.type == group_type) if not sysadmin or am_member: q = q.filter(model.Group.id.in_(group_ids)) groups = q.all() if available_only: package = context.get('package') if package: groups = set(groups) - set(package.get_groups()) group_list = model_dictize.group_list_dictize(groups, context) return group_list
def inventory_entry_list_for_user(context, data_dict): # TODO @palcu: DRY the code below from organization_list_for_user model = context['model'] user = context['user'] check_access('organization_list_for_user', context, data_dict) sysadmin = authz.is_sysadmin(user) orgs_q = model.Session.query(InventoryEntry).join(model.Group) \ .filter(model.Group.is_organization == True) \ .filter(model.Group.state == 'active') if not sysadmin: # for non-Sysadmins check they have the required permission # NB 'edit_group' doesn't exist so by default this action returns just # orgs with admin role permission = data_dict.get('permission', 'edit_group') roles = authz.get_roles_with_permission(permission) if not roles: return [] user_id = authz.get_user_id_for_username(user, allow_none=True) if not user_id: return [] q = model.Session.query(model.Member, model.Group) \ .filter(model.Member.table_name == 'user') \ .filter(model.Member.capacity.in_(roles)) \ .filter(model.Member.table_id == user_id) \ .filter(model.Member.state == 'active') \ .join(model.Group) group_ids = set() roles_that_cascade = \ authz.check_config_permission('roles_that_cascade_to_sub_groups') for member, group in q.all(): if member.capacity in roles_that_cascade: group_ids |= set([ grp_tuple[0] for grp_tuple in group.get_children_group_hierarchy( type='organization') ]) group_ids.add(group.id) if not group_ids: return [] orgs_q = orgs_q.filter(model.Group.id.in_(group_ids)) return [table_dictize(obj, context) for obj in orgs_q.all()]
def inventory_entry_list_for_user(context, data_dict): # TODO @palcu: DRY the code below from organization_list_for_user model = context['model'] user = context['user'] check_access('organization_list_for_user', context, data_dict) sysadmin = authz.is_sysadmin(user) orgs_q = model.Session.query(InventoryEntry).join(model.Group) \ .filter(model.Group.is_organization == True) \ .filter(model.Group.state == 'active') if not sysadmin: # for non-Sysadmins check they have the required permission # NB 'edit_group' doesn't exist so by default this action returns just # orgs with admin role permission = data_dict.get('permission', 'edit_group') roles = authz.get_roles_with_permission(permission) if not roles: return [] user_id = authz.get_user_id_for_username(user, allow_none=True) if not user_id: return [] q = model.Session.query(model.Member, model.Group) \ .filter(model.Member.table_name == 'user') \ .filter(model.Member.capacity.in_(roles)) \ .filter(model.Member.table_id == user_id) \ .filter(model.Member.state == 'active') \ .join(model.Group) group_ids = set() roles_that_cascade = \ authz.check_config_permission('roles_that_cascade_to_sub_groups') for member, group in q.all(): if member.capacity in roles_that_cascade: group_ids |= set([ grp_tuple[0] for grp_tuple in group.get_children_group_hierarchy(type='organization') ]) group_ids.add(group.id) if not group_ids: return [] orgs_q = orgs_q.filter(model.Group.id.in_(group_ids)) return [table_dictize(obj, context) for obj in orgs_q.all()]
def _get_recipients(context, dataset): organization = dataset.owner_org if organization: roles = authz.get_roles_with_permission('update_dataset') recipients = [] for role in roles: recipients += p.toolkit.get_action('member_list')( context, data_dict={ 'id': organization, 'object_type': 'user', 'capacity': role, }) return [recipient[0] for recipient in recipients] else: return []
def _get_recipients(context, dataset): organization = dataset.owner_org if organization: roles = authz.get_roles_with_permission('update_dataset') recipients = [] for role in roles: recipients += p.toolkit.get_action('member_list')( context, data_dict={ 'id': organization, 'object_type': 'user', 'capacity': role, } ) return [recipient[0] for recipient in recipients] else: return []
def _service_organizations(self): ''' modified from organization_list_for_user ''' context = {'user': c.user} data_dict = {'permission': 'create_dataset'} user = context['user'] toolkit.check_access('organization_list_for_user', context, data_dict) sysadmin = authz.is_sysadmin(user) orgs_q = model.Session.query(model.Group) \ .filter(model.Group.is_organization == True) \ .filter(model.Group.state == 'active') # noqa if not sysadmin: # for non-Sysadmins check they have the required permission permission = data_dict.get('permission', 'edit_group') roles = authz.get_roles_with_permission(permission) if not roles: return [] user_id = authz.get_user_id_for_username(user, allow_none=True) if not user_id: return [] q = model.Session.query(model.Member) \ .filter(model.Member.table_name == 'user') \ .filter(model.Member.capacity.in_(roles)) \ .filter(model.Member.table_id == user_id) \ .filter(model.Member.state == 'active') group_ids = [] for row in q.all(): group_ids.append(row.group_id) if not group_ids: return [] orgs_q = orgs_q.filter(model.Group.id.in_(group_ids)) orgs_q = orgs_q.join(model.GroupExtra).filter(model.GroupExtra.key == u'public_adminstration_organization') \ .filter(model.GroupExtra.value == u'true') # YTP modification return model_dictize.group_list_dictize(orgs_q.all(), context)
def hdx_organization_list_for_user(context, data_dict): '''Return the organizations that the user has a given permission for. By default this returns the list of organizations that the currently authorized user can edit, i.e. the list of organizations that the user is an admin of. Specifically it returns the list of organizations that the currently authorized user has a given permission (for example: "manage_group") against. When a user becomes a member of an organization in CKAN they're given a "capacity" (sometimes called a "role"), for example "member", "editor" or "admin". Each of these roles has certain permissions associated with it. For example the admin role has the "admin" permission (which means they have permission to do anything). The editor role has permissions like "create_dataset", "update_dataset" and "delete_dataset". The member role has the "read" permission. This function returns the list of organizations that the authorized user has a given permission for. For example the list of organizations that the user is an admin of, or the list of organizations that the user can create datasets in. This takes account of when permissions cascade down an organization hierarchy. :param permission: the permission the user has against the returned organizations, for example ``"read"`` or ``"create_dataset"`` (optional, default: ``"edit_group"``) :type permission: string :returns: list of organizations that the user has the given permission for :rtype: list of dicts ''' model = context['model'] # added by HDX (from latest ckan code) if data_dict.get('id'): user_obj = model.User.get(data_dict['id']) if not user_obj: raise NotFound user = user_obj.name else: user = context['user'] _check_access('organization_list_for_user', context, data_dict) sysadmin = authz.is_sysadmin(user) orgs_q = model.Session.query(model.Group) \ .filter(model.Group.is_organization == True) \ .filter(model.Group.state == 'active') if not sysadmin: # for non-Sysadmins check they have the required permission # NB 'edit_group' doesn't exist so by default this action returns just # orgs with admin role permission = data_dict.get('permission', 'edit_group') roles = authz.get_roles_with_permission(permission) if not roles: return [] user_id = authz.get_user_id_for_username(user, allow_none=True) if not user_id: return [] q = model.Session.query(model.Member, model.Group) \ .filter(model.Member.table_name == 'user') \ .filter(model.Member.capacity.in_(roles)) \ .filter(model.Member.table_id == user_id) \ .filter(model.Member.state == 'active') \ .join(model.Group) group_ids = set() roles_that_cascade = \ authz.check_config_permission('roles_that_cascade_to_sub_groups') for member, group in q.all(): if member.capacity in roles_that_cascade: group_ids |= set([ grp_tuple[0] for grp_tuple in group.get_children_group_hierarchy( type='organization') ]) group_ids.add(group.id) if not group_ids: return [] orgs_q = orgs_q.filter(model.Group.id.in_(group_ids)) orgs_list = model_dictize.group_list_dictize(orgs_q.all(), context) return orgs_list
def group_list_authz(context, data_dict): ''' Return the list of groups that the user is authorized to edit. Action "group_list_authz" ovewrites core "group_list_authz" action. It does so in order to allow users, other than the sysadmin, add/delete members to/from a thematic group. The only precondition to that right, is the user having at least editor rights for at least one organization. :param available_only: remove the existing groups in the package (optional, default: ``False``) :type available_only: boolean :param am_member: if True return only the groups the logged-in user is a member of, otherwise return all groups that the user is authorized to edit (for example, sysadmin users are authorized to edit all groups) (optional, default: False) :type am-member: boolean :returns: list of dictized groups that the user is authorized to edit :rtype: list of dicts ''' model = context['model'] user = context['user'] available_only = data_dict.get('available_only', False) am_member = data_dict.get('am_member', False) _check_access('group_list_authz', context, data_dict) sysadmin = new_authz.is_sysadmin(user) roles = new_authz.get_roles_with_permission('update_dataset') if not roles: return [] user_id = new_authz.get_user_id_for_username(user, allow_none=True) if not user_id: return [] if not sysadmin or am_member: q = model.Session.query(model.Member) \ .filter(model.Member.table_name == 'user') \ .filter(model.Member.capacity.in_(roles)) \ .filter(model.Member.table_id == user_id) group_ids = [] for row in q.all(): group_ids.append(row.group_id) if not group_ids: return [] if context.get('package'): package_org = context.get('package').owner_org if package_org not in group_ids: return [] q = model.Session.query(model.Group) \ .filter(model.Group.is_organization == False) \ .filter(model.Group.state == 'active') groups = q.all() if available_only: package = context.get('package') if package: groups = set(groups) - set(package.get_groups()) group_list = model_dictize.group_list_dictize(groups, context) return group_list