def package_relationship_create(context, data_dict): """ Permission for users to create a new package relationship requires that the user share a group with both packages. """ model = context['model'] user = context['user'] id = data_dict.get('id', '') id2 = data_dict.get('id2', '') pkg1 = model.Package.get(id) pkg2 = model.Package.get(id2) if not pkg1 or not pkg2: return {'success': False, 'msg': _('Two package IDs are required')} pkg1grps = pkg1.get_groups('organization') pkg2grps = pkg2.get_groups('organization') usergrps = model.User.get(user).get_groups('organization') authorized = _groups_intersect(usergrps, pkg1grps) and _groups_intersect( usergrps, pkg2grps) if not authorized: return { 'success': False, 'msg': _('User %s not authorized to edit these packages') % str(user) } else: return {'success': True}
def package_relationship_create(context, data_dict): """ Permission for users to create a new package relationship requires that the user share a group with both packages. """ model = context['model'] user = context['user'] id = data_dict.get('id', '') id2 = data_dict.get('id2', '') pkg1 = model.Package.get(id) pkg2 = model.Package.get(id2) if not pkg1 or not pkg2: return {'success': False, 'msg': _('Two package IDs are required')} pkg1grps = pkg1.get_groups('organization') pkg2grps = pkg2.get_groups('organization') usergrps = model.User.get( user ).get_groups('organization') authorized = _groups_intersect( usergrps, pkg1grps ) and _groups_intersect( usergrps, pkg2grps ) if not authorized: return {'success': False, 'msg': _('User %s not authorized to edit these packages') % str(user)} else: return {'success': True}
def dgu_group_update(context, data_dict): """ Group edit permission. Checks that a valid user is supplied and that the user is a member of the group with a capacity of admin. """ model = context['model'] user = context.get('user','') group = get_group_object(context, data_dict) if not user: return {'success': False, 'msg': _('Only members of this group are authorized to edit this group')} # Sys admins should be allowed to update groups if Authorizer().is_sysadmin(unicode(user)): return { 'success': True } # Only allow package update if the user and package groups intersect user_obj = model.User.get( user ) if not user_obj: return { 'success' : False, 'msg': _('Could not find user %s') % str(user) } parent_groups = list(publib.go_up_tree(group)) # Check if user is an admin of a parent group, and if so allow them to edit. if _groups_intersect( user_obj.get_groups('publisher', 'admin'), parent_groups ): return {'success': True} # Check admin of just this group if _groups_intersect( user_obj.get_groups('publisher', 'admin'), [group] ): return {'success': True} return { 'success': False, 'msg': _('User %s not authorized to edit this group') % str(user) }
def package_relationship_create(context, data_dict): """ Permission for users to create a new package relationship requires that the user share a group with both packages. """ model = context["model"] user = context["user"] id = data_dict.get("id", "") id2 = data_dict.get("id2", "") pkg1 = model.Package.get(id) pkg2 = model.Package.get(id2) if not pkg1 or not pkg2: return {"success": False, "msg": _("Two package IDs are required")} pkg1grps = pkg1.get_groups("publisher") pkg2grps = pkg2.get_groups("publisher") usergrps = model.User.get(user).get_groups("publisher") authorized = _groups_intersect(usergrps, pkg1grps) and _groups_intersect(usergrps, pkg2grps) if not authorized: return {"success": False, "msg": _("User %s not authorized to edit these packages") % str(user)} else: return {"success": True}
def dgu_package_update(context, data_dict): model = context['model'] user = context.get('user') user_obj = model.User.get(user) package = get_package_object(context, data_dict) if Authorizer().is_sysadmin(user_obj): return {'success': True} # Only sysadmins can edit UKLP packages. # Note: the harvest user *is* a sysadmin # Note: if changing this, check the code and comments in # ckanext/forms/dataset_form.py:DatasetForm.form_to_db_schema_options() if package.extras.get('UKLP', '') == 'True': return { 'success': False, 'msg': _('User %s not authorized to edit packages in these groups') % str(user) } if not user_obj or \ not _groups_intersect( user_obj.get_groups('publisher'), package.get_groups('publisher') ): return { 'success': False, 'msg': _('User %s not authorized to edit packages of this publisher') % str(user) } return {'success': True}
def related_delete(context, data_dict): model = context['model'] user = context['user'] if not user: return { 'success': False, 'msg': _('Only the owner can delete a related item') } if Authorizer().is_sysadmin(unicode(user)): return {'success': True} related = get_related_object(context, data_dict) userobj = model.User.get(user) if related.datasets: package = related.datasets[0] if _groups_intersect(userobj.get_groups('organization'), package.get_groups('organization')): return {'success': True} if not userobj or userobj.id != related.owner_id: return { 'success': False, 'msg': _('Only the owner can delete a related item') } return {'success': True}
def resource_show(context, data_dict): """ Resource show permission checks the user group if the package state is deleted """ model = context['model'] user = context.get('user') resource = get_resource_object(context, data_dict) package = resource.resource_group.package if package.state == 'deleted': userobj = model.User.get(user) if not userobj: return { 'success': False, 'msg': _('User %s not authorized to read resource %s') % (str(user), package.id) } if not _groups_intersect(userobj.get_groups('organization'), package.get_groups('organization')): return { 'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user), package.id) } pkg_dict = {'id': package.id} return package_show(context, pkg_dict)
def dgu_package_create(context, data_dict): model = context['model'] user = context.get('user') user_obj = model.User.get( user ) if not user_obj: return {'success': False} if Authorizer().is_sysadmin(user_obj): return {'success': True} user_publishers = user_obj.get_groups('publisher') if not data_dict: # i.e. not asking in relation to a particular package. We only let # publishers do this return {'success': bool(user_publishers)} if not user_obj: return {'success': False, 'msg': _('User %s not authorized to edit packages of this publisher') % str(user)} user_publisher_names = [pub.name for pub in user_publishers] if data_dict['groups'] and isinstance(data_dict['groups'][0], dict): package_group_names = [pub['name'] for pub in data_dict['groups']] else: # Just get the group name in the rest interface package_group_names = data_dict['groups'] if not _groups_intersect(user_publisher_names, package_group_names): return {'success': False, 'msg': _('User %s not authorized to edit packages of this publisher') % str(user)} return {'success': True}
def resource_update(context, data_dict): """ Update resource permission checks the user is in a group that the resource's package is also a member of. """ model = context['model'] user = context.get('user') resource = get_resource_object(context, data_dict) userobj = model.User.get(user) if Authorizer().is_sysadmin(unicode(user)): return {'success': True} if not userobj: return { 'success': False, 'msg': _('User %s not authorized to edit resources in this package') % str(user) } if not _groups_intersect( userobj.get_groups('organization'), resource.resource_group.package.get_groups('organization')): return { 'success': False, 'msg': _('User %s not authorized to edit resources in this package') % str(user) } return {'success': True}
def package_show(context, data_dict): """ Package show permission checks the user group if the state is deleted """ model = context['model'] package = get_package_object(context, data_dict) if package.state == 'deleted': if 'ignore_auth' in context and context['ignore_auth']: return {'success': True} user = context.get('user') if not user: return {'success': False, 'msg': _('User not authorized to read package %s') % (package.id)} userobj = model.User.get( user ) if Authorizer().is_sysadmin(unicode(user)): return {'success': True} if not userobj: return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)} if not _groups_intersect( userobj.get_groups('publisher'), package.get_groups('publisher') ): return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)} return {'success': True}
def group_create(context, data_dict=None): """ Group create permission. If a group is provided, within which we want to create a group then we check that the user is within that group. If not then we just say Yes for now although there may be some approval issues elsewhere. """ model = context['model'] user = context['user'] if not model.User.get(user): return {'success': False, 'msg': _('User is not authorized to create groups') } if Authorizer.is_sysadmin(user): return {'success': True} try: # If the user is doing this within another group then we need to make sure that # the user has permissions for this group. group = get_group_object( context ) except logic.NotFound: return { 'success' : True } userobj = model.User.get( user ) if not userobj: return {'success': False, 'msg': _('User %s not authorized to create groups') % str(user)} authorized = _groups_intersect( userobj.get_groups('organization'), [group] ) if not authorized: return {'success': False, 'msg': _('User %s not authorized to create groups') % str(user)} else: return {'success': True}
def group_update(context, data_dict): """ Group edit permission. Checks that a valid user is supplied and that the user is a member of the group currently with any capacity. """ model = context['model'] user = context.get('user','') group = get_group_object(context, data_dict) if not user: return {'success': False, 'msg': _('Only members of this group are authorized to edit this group')} # Sys admins should be allowed to update groups if Authorizer().is_sysadmin(unicode(user)): return { 'success': True } # Only allow package update if the user and package groups intersect userobj = model.User.get( user ) if not userobj: return { 'success' : False, 'msg': _('Could not find user %s') % str(user) } # Only admins of this group should be able to update this group if not _groups_intersect( userobj.get_groups( 'organization', 'admin' ), [group] ): return { 'success': False, 'msg': _('User %s not authorized to edit this group') % str(user) } return { 'success': True }
def package_show(context, data_dict): from pylons.controllers.util import abort """ Package show permission checks the user group if the state is deleted """ model = context['model'] package = get_package_object(context, data_dict) user = context.get('user') ignore_auth = context.get('ignore_auth', False) if Authorizer().is_sysadmin(unicode(user)): return {'success': True} userobj = model.User.get(user) if user else None if ignore_auth: return {'success': True} if package.state == 'deleted': if not user or not userobj: return { 'success': False, 'msg': _('User not authorized to read package %s') % (package.id) } if not _groups_intersect(userobj.get_groups(), package.get_groups()): return { 'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user), package.id) } # If package is in a private group then we require: # 1. Logged in user # 2. User in the group groups = package.get_groups(capacity='private') if groups: if userobj and _groups_intersect(userobj.get_groups(), groups): return {'success': True} # We want to abort with a 404 here instea #return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)} abort(404) return {'success': True}
def dgu_package_update(context, data_dict): model = context['model'] user = context.get('user') user_obj = model.User.get( user ) package = get_package_object(context, data_dict) if Authorizer().is_sysadmin(user_obj): return {'success': True} fail = {'success': False, 'msg': _('User %s not authorized to edit packages in these groups') % str(user)} # Only sysadmins can edit UKLP packages. # Note: the harvest user *is* a sysadmin # Note: if changing this, check the code and comments in # ckanext/forms/dataset_form.py:DatasetForm.form_to_db_schema_options() if package.extras.get('UKLP', '') == 'True': return fail # Only sysadmins can edit ONS packages. # Note: the dgu user *is* a sysadmin if package.extras.get('external_reference') == 'ONSHUB': return fail # To be able to edit this dataset the user is allowed if # (they are an 'editor' for this publisher) OR # (an admin for this publisher OR parent publishers). if not user_obj: return fail package_group = package.get_groups('publisher') parent_groups = list(publib.go_up_tree(package_group[0])) if package_group else [] # Check admin of this or parent groups. if _groups_intersect( user_obj.get_groups('publisher', 'admin'), parent_groups ): return {'success': True} # Check admin or editor of just this group if _groups_intersect( user_obj.get_groups('publisher'), package_group ): return {'success': True} return fail
def dgu_package_create(context, data_dict): model = context['model'] user = context.get('user') user_obj = model.User.get( user ) if not user_obj: return {'success': False} if Authorizer().is_sysadmin(user_obj): return {'success': True} user_publishers = user_obj.get_groups('publisher') if not data_dict: # i.e. not asking in relation to a particular package. We only let # publishers do this return {'success': bool(user_publishers)} if not user_obj: return {'success': False, 'msg': _('User %s not authorized to edit packages of this publisher') % str(user)} # For users who are admins of groups, we should also include all of their child groups # in the list of user_publishers as_admin = user_obj.get_groups('publisher', 'admin') for g in as_admin: user_publishers.extend(list(publib.go_down_tree(g))) user_publisher_names = [pub.name for pub in set(user_publishers)] if data_dict['groups'] and isinstance(data_dict['groups'][0], dict): package_group_names = [pub['name'] for pub in data_dict['groups']] elif data_dict['groups'] and isinstance(data_dict['groups'], list): # data_dict['groups'] is already a list of names at this point so we # should just assign it. package_group_names = data_dict['groups'] else: # In the case where we have received a single string in the data_dict['groups'] # we should wrap it in a list to make sure the intersection check works package_group_names = [data_dict['groups']] if data_dict['groups'] else [] # If the user has a group (is a publisher), but there is no package # group name, then we need to continue to allow validation to cause the # failure. if user_publishers and package_group_names == [u' ']: return {'success': True} if not _groups_intersect(user_publisher_names, package_group_names): return {'success': False, 'msg': _('User %s not authorized to edit packages of this publisher') % str(user)} return {'success': True}
def group_show(context, data_dict): """ Group show permission checks the user group if the state is deleted """ model = context['model'] user = context.get('user') group = get_group_object(context, data_dict) userobj = model.User.get( user ) if group.state == 'deleted': if not user or \ not _groups_intersect( userobj.get_groups('organization'), group.get_groups('organization') ): return {'success': False, 'msg': _('User %s not authorized to show group %s') % (str(user),group.id)} return {'success': True}
def dgu_dataset_delete(context, data_dict): """ Determines whether a dataset's state can be set to "deleted". Currently only sysadmin users can do this, apart from UKLP. """ model = context['model'] user = context.get('user') if not user: return {'success': False} user_obj = model.User.get(user) package = get_package_object(context, data_dict) if Authorizer().is_sysadmin(user_obj): return {'success': True} if package.extras.get('UKLP', '') != 'True': return {'success': False} # To be able to delete this dataset the user is allowed if # (they are an 'editor' for this publisher) OR # (an admin for this publisher OR parent publishers). if not user_obj: return {'success': False} package_group = package.get_groups('publisher') parent_groups = list(publib.go_up_tree(package_group[0])) if package_group else [] # Check admin of this or parent groups. if _groups_intersect( user_obj.get_groups('publisher', 'admin'), parent_groups ): return {'success': True} # Check admin or editor of just this group if _groups_intersect( user_obj.get_groups('publisher'), package_group ): return {'success': True} return {'success': False}
def package_delete(context, data_dict): """ Delete a package permission. User must be in at least one group that that package is also in. """ model = context['model'] user = context['user'] package = get_package_object(context, data_dict) userobj = model.User.get( user ) if not userobj or \ not _groups_intersect( userobj.get_groups('organization'), package.get_groups('organization') ): return {'success': False, 'msg': _('User %s not authorized to delete packages in these group') % str(user)} return {'success': True}
def package_show(context, data_dict): from pylons.controllers.util import abort """ Package show permission checks the user group if the state is deleted """ model = context['model'] package = get_package_object(context, data_dict) user = context.get('user') ignore_auth = context.get('ignore_auth',False) if Authorizer().is_sysadmin(unicode(user)): return {'success': True} userobj = model.User.get( user ) if user else None if ignore_auth: return {'success': True} if package.state == 'deleted': if not user or not userobj: return {'success': False, 'msg': _('User not authorized to read package %s') % (package.id)} if not _groups_intersect( userobj.get_groups(), package.get_groups() ): return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)} # If package is in a private group then we require: # 1. Logged in user # 2. User in the group groups = package.get_groups(capacity='private') if groups: if userobj and _groups_intersect( userobj.get_groups(), groups ): return {'success': True} # We want to abort with a 404 here instea #return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)} abort(404) return {'success': True}
def package_update(context, data_dict): model = context['model'] user = context.get('user') package = get_package_object(context, data_dict) if Authorizer().is_sysadmin(unicode(user)): return { 'success': True } userobj = model.User.get( user ) if not userobj or \ not _groups_intersect( userobj.get_groups('organization'), package.get_groups('organization') ): return {'success': False, 'msg': _('User %s not authorized to edit packages in these groups') % str(user)} return {'success': True}
def resource_show(context, data_dict): """ Resource show permission checks the user group if the package state is deleted """ model = context['model'] user = context.get('user') resource = get_resource_object(context, data_dict) package = resource.resource_group.package if package.state == 'deleted': userobj = model.User.get( user ) if not userobj: return {'success': False, 'msg': _('User %s not authorized to read resource %s') % (str(user),package.id)} if not _groups_intersect( userobj.get_groups('organization'), package.get_groups('organization') ): return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)} pkg_dict = {'id': package.id} return package_show(context, pkg_dict)
def resource_update(context, data_dict): """ Update resource permission checks the user is in a group that the resource's package is also a member of. """ model = context['model'] user = context.get('user') resource = get_resource_object(context, data_dict) userobj = model.User.get( user ) if not userobj: return {'success': False, 'msg': _('User %s not authorized to edit resources in this package') % str(user)} if not _groups_intersect( userobj.get_groups('publisher'), resource.resource_group.package.get_groups('publisher') ): return {'success': False, 'msg': _('User %s not authorized to edit resources in this package') % str(user)} return {'success': True}
def related_create(context, data_dict=None): model = context['model'] user = context['user'] userobj = model.User.get(user) if not userobj: return {'success': False, 'msg': _('You must be logged in to add a related item')} if 'dataset_id' in data_dict: # If this is to be associated with a dataset then we need to make sure that # the user doing so is a member of that group dataset = model.Package.get(data_dict['dataset_id']) if dataset and not _groups_intersect( userobj.get_groups(), dataset.get_groups() ): return {'success': False, 'msg': _('You do not have permission to create an item')} return {'success': True }
def dgu_package_create(context, data_dict): model = context['model'] user = context.get('user') user_obj = model.User.get(user) if not user_obj: return {'success': False} if Authorizer().is_sysadmin(user_obj): return {'success': True} user_publishers = user_obj.get_groups('publisher') if not data_dict: # i.e. not asking in relation to a particular package. We only let # publishers do this return {'success': bool(user_publishers)} if not user_obj: return { 'success': False, 'msg': _('User %s not authorized to edit packages of this publisher') % str(user) } user_publisher_names = [pub.name for pub in user_publishers] if data_dict['groups'] and isinstance(data_dict['groups'][0], dict): package_group_names = [pub['name'] for pub in data_dict['groups']] else: # Just get the group name in the rest interface package_group_names = data_dict['groups'] if not _groups_intersect(user_publisher_names, package_group_names): return { 'success': False, 'msg': _('User %s not authorized to edit packages of this publisher') % str(user) } return {'success': True}
def package_update(context, data_dict): model = context['model'] user = context.get('user') package = get_package_object(context, data_dict) if Authorizer().is_sysadmin(unicode(user)): return {'success': True} userobj = model.User.get(user) if not userobj or \ not _groups_intersect( userobj.get_groups('organization'), package.get_groups('organization') ): return { 'success': False, 'msg': _('User %s not authorized to edit packages in these groups') % str(user) } return {'success': True}
def group_delete(context, data_dict): """ Group delete permission. Checks that the user specified is within the group to be deleted and also have 'admin' capacity. """ model = context['model'] user = context['user'] if not user: return {'success': False, 'msg': _('Only members of this group are authorized to delete this group')} group = get_group_object(context, data_dict) userobj = model.User.get( user ) if not userobj: return {'success': False, 'msg': _('Only members of this group are authorized to delete this group')} authorized = _groups_intersect( userobj.get_groups('organization', 'admin'), [group] ) if not authorized: return {'success': False, 'msg': _('User %s not authorized to delete group %s') % (str(user),group.id)} else: return {'success': True}
def related_delete(context, data_dict): model = context['model'] user = context['user'] if not user: return {'success': False, 'msg': _('Only the owner can delete a related item')} if Authorizer().is_sysadmin(unicode(user)): return {'success': True} related = get_related_object(context, data_dict) userobj = model.User.get( user ) if related.datasets: package = related.datasets[0] if _groups_intersect( userobj.get_groups('organization'), package.get_groups('organization') ): return {'success': True} if not userobj or userobj.id != related.owner_id: return {'success': False, 'msg': _('Only the owner can delete a related item')} return {'success': True}
def group_create(context, data_dict=None): """ Group create permission. If a group is provided, within which we want to create a group then we check that the user is within that group. If not then we just say Yes for now although there may be some approval issues elsewhere. """ model = context['model'] user = context['user'] if not user: return { 'success': False, 'msg': _('User is not authorized to create groups') } if Authorizer.is_sysadmin(user): return {'success': True} try: # If the user is doing this within another group then we need to make sure that # the user has permissions for this group. group = get_group_object(context) except logic.NotFound: return {'success': True} userobj = model.User.get(user) if not userobj: return { 'success': False, 'msg': _('User %s not authorized to create groups') % str(user) } authorized = _groups_intersect(userobj.get_groups('organization'), [group]) if not authorized: return { 'success': False, 'msg': _('User %s not authorized to create groups') % str(user) } else: return {'success': True}
def dgu_group_update(context, data_dict): """ Group edit permission. Checks that a valid user is supplied and that the user is a member of the group currently with any capacity. """ model = context['model'] user = context.get('user', '') group = get_group_object(context, data_dict) if not user: return { 'success': False, 'msg': _('Only members of this group are authorized to edit this group') } # Sys admins should be allowed to update groups if Authorizer().is_sysadmin(unicode(user)): return {'success': True} # Only allow package update if the user and package groups intersect user_obj = model.User.get(user) if not user_obj: return { 'success': False, 'msg': _('Could not find user %s') % str(user) } # Only admins of this group should be able to update this group if not _groups_intersect(user_obj.get_groups('publisher', 'admin'), [group]): return { 'success': False, 'msg': _('User %s not authorized to edit this group') % str(user) } return {'success': True}
def dgu_package_update(context, data_dict): model = context['model'] user = context.get('user') user_obj = model.User.get( user ) package = get_package_object(context, data_dict) if Authorizer().is_sysadmin(user_obj): return {'success': True} # Only sysadmins can edit UKLP packages. # Note: the harvest user *is* a sysadmin # Note: if changing this, check the code and comments in # ckanext/forms/dataset_form.py:DatasetForm.form_to_db_schema_options() if package.extras.get('UKLP', '') == 'True': return {'success': False, 'msg': _('User %s not authorized to edit packages in these groups') % str(user)} if not user_obj or \ not _groups_intersect( user_obj.get_groups('publisher'), package.get_groups('publisher') ): return {'success': False, 'msg': _('User %s not authorized to edit packages of this publisher') % str(user)} return {'success': True}
def related_create(context, data_dict=None): model = context['model'] user = context['user'] userobj = model.User.get(user) if not userobj: return { 'success': False, 'msg': _('You must be logged in to add a related item') } if 'dataset_id' in data_dict: # If this is to be associated with a dataset then we need to make sure that # the user doing so is a member of that group dataset = model.Package.get(data_dict['dataset_id']) if dataset and not _groups_intersect(userobj.get_groups(), dataset.get_groups()): return { 'success': False, 'msg': _('You do not have permission to create an item') } return {'success': True}