def _get_owner_org(self, context, data_dict, action):
    """Work out which organisation an auth check should be evaluated against.

    The first applicable source wins, in this order: the resource in
    ``context`` (for resource actions), the group in ``context``, an explicit
    ``owner_org`` in ``data_dict``, the package in ``context`` (for package
    actions), ``data_dict['org_data']``, and finally a package or group looked
    up from ``data_dict``.

    :param context: CKAN action context; may carry ``resource``, ``group``
        or ``package`` objects.
    :param data_dict: parameters of the action being authorised.
    :param action: name of the action being authorised (substring-matched
        against ``'resource'`` / ``'package'``).
    :return: the organisation id, or ``None`` when none could be determined.
    """
    if 'resource' in context and 'resource' in action:
        resource = context['resource']
        # A resource-level owner_org extra takes precedence over the package's.
        org_from_extras = resource.extras.get('owner_org', None)
        if org_from_extras is not None:
            return org_from_extras
        return resource.package.owner_org
    if 'group' in context:
        return logic_auth.get_group_object(context, data_dict).id
    if 'owner_org' in data_dict:
        return data_dict.get('owner_org')
    if 'package' in context and 'package' in action:
        return context['package'].owner_org
    if 'org_data' in data_dict:
        return data_dict['org_data'].get('id', None)

    # Nothing in the context identifies the org: look the object up instead,
    # trying a package first and falling back to a group.
    try:
        package = logic_auth.get_package_object(context, data_dict)
    except (ValidationError, NotFound):
        package = None
    if package is not None:
        return package.owner_org
    try:
        return logic_auth.get_group_object(context, data_dict).id
    except (ValidationError, NotFound):
        return None
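def group_create(context, data_dict=None):
    """
    Group create permission.

    If a group is provided, within which we want to create a group then
    we check that the user is within that group. If not then we just say
    Yes for now although there may be some approval issues elsewhere.

    :param context: CKAN action context; ``model`` and ``user`` are read.
    :param data_dict: unused here; the parent group is taken from ``context``.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    model = context['model']
    user = context['user']

    # Look the user up once; the previous version fetched the same row twice
    # and the second "not found" branch could never be reached.
    userobj = model.User.get(user)
    if not userobj:
        return {'success': False,
                'msg': _('User is not authorized to create groups')}

    if Authorizer.is_sysadmin(user):
        return {'success': True}

    try:
        # If the user is doing this within another group then we need to make
        # sure that the user has permissions for this group.
        # NOTE(review): get_group_object is called without data_dict here —
        # confirm the helper's signature allows that.
        group = get_group_object(context)
    except logic.NotFound:
        return {'success': True}

    authorized = _groups_intersect(userobj.get_groups('organization'), [group])
    if not authorized:
        return {'success': False,
                'msg': _('User %s not authorized to create groups') % str(user)}
    return {'success': True}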
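def group_update(context, data_dict):
    """
    Group edit permission.

    Checks that a valid user is supplied and that the user is an *admin*
    of the group (an 'organization' membership with 'admin' capacity); the
    earlier docstring said "any capacity", which the code never allowed.
    Sysadmins are always permitted.

    :param context: CKAN action context; ``model`` is required, ``user``
        may be missing.
    :param data_dict: identifies the group being edited.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    model = context['model']
    user = context.get('user', '')
    group = get_group_object(context, data_dict)

    if not user:
        return {'success': False,
                'msg': _('Only members of this group are authorized to edit this group')}

    # Sys admins should be allowed to update groups
    if Authorizer().is_sysadmin(unicode(user)):
        return {'success': True}

    userobj = model.User.get(user)
    if not userobj:
        return {'success': False,
                'msg': _('Could not find user %s') % str(user)}

    # Only admins of this group should be able to update this group
    if not _groups_intersect(userobj.get_groups('organization', 'admin'), [group]):
        return {'success': False,
                'msg': _('User %s not authorized to edit this group') % str(user)}
    return {'success': True}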
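def organization_update(context, data_dict):
    """
    This overrides CKAN's auth function to make sure that user has
    permission to use a specific parent organization.

    Three checks run in order: the user must be an active admin of at least
    one of the parent organisations named in ``data_dict['groups']``; when
    saving, the ``public_adminstration_organization`` extra must not change;
    and the user must hold 'update' permission on the organisation itself.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: organisation data, optionally with ``groups`` (parent
        organisations) and the ``save`` marker.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    group = logic_auth.get_group_object(context, data_dict)
    user = context['user']

    # Check that user has admin permissions in selected parent organizations
    if data_dict and data_dict.get('groups'):
        user_id = new_authz.get_user_id_for_username(user, allow_none=True)
        admin_memberships = model.Session.query(model.Member) \
            .filter(model.Member.state == 'active') \
            .filter(model.Member.table_name == 'user') \
            .filter(model.Member.capacity == 'admin') \
            .filter(model.Member.table_id == user_id)
        # Materialise the org names once; previously the query was re-run
        # for every parent organisation in the loop.
        admin_org_names = {m.group.name for m in admin_memberships}
        # NOTE(review): this passes when the user is admin of ANY listed
        # parent, not all of them, and applies to sysadmins as well — confirm
        # that is the intended policy.
        if not any(parent_org['name'] in admin_org_names
                   for parent_org in data_dict['groups']):
            return {'success': False,
                    'msg': _('User %s is not administrator in the selected parent organization') % user}

    # The public-administration flag may not be changed through this path.
    if (data_dict and 'save' in data_dict
            and data_dict.get('public_adminstration_organization', None)
            != group.extras.get('public_adminstration_organization', None)):
        return {'success': False,
                'msg': _('User %s is not allowed to change the public organization option') % user}

    authorized = new_authz.has_user_permission_for_group_or_org(group.id, user, 'update')
    if not authorized:
        return {'success': False,
                'msg': _('User %s not authorized to edit organization %s') % (user, group.id)}
    return {'success': True}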
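def dgu_group_update(context, data_dict):
    """
    Group edit permission.

    Checks that a valid user is supplied and that the user is a member of
    the group with a capacity of admin. Admins of any ancestor group (as
    returned by ``publib.go_up_tree``) are also allowed. Sysadmins always are.

    :param context: CKAN action context; ``model`` is required, ``user``
        may be missing.
    :param data_dict: identifies the group being edited.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    model = context['model']
    user = context.get('user', '')
    group = get_group_object(context, data_dict)

    if not user:
        return {'success': False,
                'msg': _('Only members of this group are authorized to edit this group')}

    # Sys admins should be allowed to update groups
    if Authorizer().is_sysadmin(unicode(user)):
        return {'success': True}

    user_obj = model.User.get(user)
    if not user_obj:
        return {'success': False,
                'msg': _('Could not find user %s') % str(user)}

    # Fetch the user's admin memberships once; previously this was queried
    # twice, once per intersection test.
    admin_of = user_obj.get_groups('publisher', 'admin')
    parent_groups = list(publib.go_up_tree(group))

    # Check if user is an admin of a parent group, and if so allow them to edit.
    if _groups_intersect(admin_of, parent_groups):
        return {'success': True}
    # Check admin of just this group
    if _groups_intersect(admin_of, [group]):
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to edit this group') % str(user)}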
def has_user_access_to_update_members_for_organsation(context, data_dict):
    """Helper for member-management auth checks; returns a bare boolean.

    The result is truthy only when the target group is an organisation AND
    the user is NOT a sysadmin. NOTE(review): despite the name, a ``True``
    result therefore reads as "this request should be refused" — confirm
    what the callers expect before relying on the polarity.

    :param context: CKAN action context; ``user`` may be absent.
    :param data_dict: identifies the group/organisation.
    :return: ``group.is_organization and not authz.is_sysadmin(user)``.
    """
    group = logic_auth.get_group_object(context, data_dict)
    user = context.get('user')
    # If the group is a organization it means we are trying to add a user as a member to the organisation
    # We want to lock this down to only allowing sysadmin user access:
    return group.is_organization and not authz.is_sysadmin(user)
def member_create(context, data_dict):
    """Auth for adding a member to a group or organisation.

    Requires 'update' on the group, or only 'manage_group' when a dataset is
    being added to a plain (non-organisation) group. Even an authorised user
    is refused unless the ``ckan.gov_theme.is_back`` config flag is set; that
    refusal carries no ``msg``.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group and the ``object_type`` to add.
    :return: auth result dict with ``success`` and, on some failures, ``msg``.
    """
    group = logic_auth.get_group_object(context, data_dict)
    user = context['user']

    # User must be able to update the group to add a member to it; members of
    # a plain group may however add/remove datasets with a weaker permission.
    adding_dataset_to_group = (not group.is_organization
                               and data_dict.get('object_type') == 'package')
    permission = 'manage_group' if adding_dataset_to_group else 'update'

    if not authz.has_user_permission_for_group_or_org(group.id, user, permission):
        return {'success': False,
                'msg': _('User %s not authorized to edit group %s') % (str(user), group.id)}

    # Back-office theme only; the front-end variant gets a bare refusal.
    if authz.config.get('ckan.gov_theme.is_back'):
        return {'success': True}
    return {'success': False}
def member_create(context, data_dict):
    """
    This code is largely borrowed from /src/ckan/ckan/logic/auth/create.py
    With a modification to allow users to add datasets to any group

    When the request comes from the package/dataset controller's ``groups``
    action, authorisation is delegated to ``helpers.user_has_admin_access``
    (which is not given the group); otherwise the usual per-group permission
    check applies.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group and the ``object_type`` to add.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    group = logic_auth.get_group_object(context, data_dict)
    user = context['user']

    # User must be able to update the group to add a member to it, except that
    # members of a plain group may add/remove datasets with 'manage_group'.
    permission = 'update'
    if data_dict.get('object_type') == 'package' and not group.is_organization:
        permission = 'manage_group'

    from_dataset_groups_page = (c.controller in ['package', 'dataset']
                                and c.action in ['groups'])
    if from_dataset_groups_page:
        # NOTE(review): this path does not consult the target group at all —
        # confirm that is intended.
        authorized = helpers.user_has_admin_access(True)
    else:
        authorized = authz.has_user_permission_for_group_or_org(
            group.id, user, permission)

    if authorized:
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to edit group %s') % (str(user), group.id)}
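def package_update(context, data_dict):
    """Overrides CKAN auth function to support personal datasets setting in organizations

    Defers to the core ``package_update`` auth first; only when that succeeds
    is the owning organisation's ``personal_datasets`` feature checked, in
    which case only the dataset's creator may modify it.

    :param context: CKAN action context; ``user`` is read for the creator check.
    :param data_dict: dataset data, used to look the package up.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    result = _auth_update.package_update(context, data_dict)
    if not result['success']:
        return result

    user = logic_auth.get_user_object(context, {'id': context.get('user')})
    package = logic_auth.get_package_object(context, data_dict)

    # Showcases don't have organizations. Neither does an unowned dataset,
    # for which the org lookup below raised NotFound instead of returning an
    # auth decision; both now simply keep the core result.
    if package.type == "showcase" or not package.owner_org:
        return result

    org = logic_auth.get_group_object(context, {'id': package.owner_org})
    # NOTE(review): assumes the 'features' extra is a list of feature names.
    personal_datasets = 'personal_datasets' in org.extras.get('features', [])
    # NOTE(review): this also refuses org admins and sysadmins who did not
    # create the dataset — confirm that is the intended policy.
    if personal_datasets and package.creator_user_id != user.id:
        return {'success': False,
                'msg': _('Cannot modify dataset because of organization policy')}
    return result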
def member_create(context, data_dict):
    """Auth for adding a member: groups of type 'topics' are open to everyone.

    NOTE(review): for 'topics' groups this returns success without looking at
    ``context['user']`` or ``data_dict['object_type']``, so any caller — not
    only logged-in users, and for any member type — passes; confirm the
    exposure is acceptable. All other groups defer to the core check.

    :param context: CKAN action context.
    :param data_dict: identifies the group and the member to add.
    :return: auth result dict.
    """
    group = logic_auth.get_group_object(context, data_dict)
    if group.type != 'topics':
        return create.member_create(context, data_dict)
    return {'success': True}
def organization_update(context, data_dict):
    """Auth for editing an organisation: requires 'update' on it.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the organisation.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    group = get_group_object(context, data_dict)
    user = context["user"]
    if new_authz.has_user_permission_for_group_or_org(group.id, user, "update"):
        return {"success": True}
    denial = _("User %s not authorized to edit organization %s") % (user, group.id)
    return {"success": False, "msg": denial}
def csc_auth_organization_activity_list_html(context, data_dict):
    """Auth for the organisation activity stream: requires 'update' on it.

    :param context: CKAN action context; ``user`` may be absent.
    :param data_dict: identifies the organisation.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    organization = logic_auth.get_group_object(context, data_dict)
    can_update = authz.has_user_permission_for_group_or_org(
        organization.id, context.get('user'), 'update')
    if can_update:
        return {'success': True}
    return {'success': False, 'msg': _('Unauthorized to see this content')}
def group_edit_permissions(context, data_dict):
    """Auth for editing a group's permissions: requires 'update' on the group.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    user = context['user']
    group = get_group_object(context, data_dict)
    allowed = new_authz.has_user_permission_for_group_or_org(group.id, user, 'update')
    if allowed:
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to edit permissions of group %s') % (str(user),group.id)}
def organization_update(context, data_dict):
    """Auth for editing an organisation: requires 'update' on it.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the organisation.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    group = get_group_object(context, data_dict)
    user = context['user']
    if new_authz.has_user_permission_for_group_or_org(group.id, user, 'update'):
        return {'success': True}
    denial = _('User %s not authorized to edit organization %s') % (user, group.id)
    return {'success': False, 'msg': denial}
def group_delete(context, data_dict):
    """Auth for deleting a group.

    Refused outright unless the ``user_delete_groups`` config permission is
    on; otherwise requires 'delete' on the group.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    group = get_group_object(context, data_dict)
    user = context["user"]
    if not new_authz.check_config_permission("user_delete_groups"):
        return {"success": False,
                "msg": _("User %s not authorized to delete groups") % user}
    if new_authz.has_user_permission_for_group_or_org(group.id, user, "delete"):
        return {"success": True}
    return {"success": False,
            "msg": _("User %s not authorized to delete group %s") % (user, group.id)}
def group_change_state(context, data_dict):
    """Auth for changing a group's state via the legacy ``check_access_old``.

    :param context: CKAN action context; ``model`` and ``user`` are required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    model = context['model']
    user = context['user']
    group = get_group_object(context, data_dict)
    if check_access_old(group, model.Action.CHANGE_STATE, context):
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to change state of group %s') % (str(user),group.id)}
def group_edit_permissions(context, data_dict):
    """Auth for editing a group's permissions via the legacy ``check_access_old``.

    :param context: CKAN action context; ``model`` and ``user`` are required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    model = context['model']
    user = context['user']
    group = get_group_object(context, data_dict)
    if check_access_old(group, model.Action.EDIT_PERMISSIONS, context):
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to edit permissions of group %s') % (str(user),group.id)}
def group_edit_permissions(context, data_dict):
    """Auth for editing a group's permissions via ``logic.check_access_old``.

    :param context: CKAN action context; ``model`` and ``user`` are required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    model = context['model']
    user = context['user']
    group = get_group_object(context, data_dict)
    if logic.check_access_old(group, model.Action.EDIT_PERMISSIONS, context):
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to edit permissions of group %s') % (str(user),group.id)}
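def _group_or_org_member_delete(context, data_dict):
    """Shared auth for removing a member from a group or organisation.

    Requires the 'delete_member' permission on the group. The trailing
    unreachable ``return {'success': True}`` of the earlier version has been
    dropped; both branches already returned.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group or organisation.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    group = get_group_object(context, data_dict)
    user = context['user']
    authorized = new_authz.has_user_permission_for_group_or_org(
        group.id, user, 'delete_member')
    if not authorized:
        return {'success': False,
                'msg': _('User %s not authorized to delete organization %s members') % (str(user),group.id)}
    return {'success': True}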
def group_show(context, data_dict):
    """Auth for reading a group via ``logic.check_access_old`` (READ action).

    :param context: CKAN action context; ``model`` is required, ``user`` may
        be absent.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    model = context['model']
    user = context.get('user')
    group = get_group_object(context, data_dict)
    if logic.check_access_old(group, model.Action.READ, context):
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to read group %s') % (str(user),group.id)}
def group_show(context, data_dict):
    """Auth for reading a group.

    Active groups are readable by anyone (including anonymous callers);
    groups in any other state require the 'read' permission.

    :param context: CKAN action context; ``user`` may be absent.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    user = context.get("user")
    group = get_group_object(context, data_dict)
    readable = group.state == "active" or authz.has_user_permission_for_group_or_org(
        group.id, user, "read")
    if readable:
        return {"success": True}
    return {"success": False,
            "msg": _("User %s not authorized to read group %s") % (user, group.id)}
def group_update(context, data_dict):
    """Auth for editing a group via the legacy ``check_access_old`` (EDIT).

    :param context: CKAN action context; ``model`` and ``user`` are required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    model = context["model"]
    user = context["user"]
    group = get_group_object(context, data_dict)
    if check_access_old(group, model.Action.EDIT, context):
        return {"success": True}
    return {"success": False,
            "msg": _("User %s not authorized to edit group %s") % (str(user), group.id)}
def group_update(context, data_dict):
    """Auth for editing a group via ``logic.check_access_old`` (EDIT).

    :param context: CKAN action context; ``model`` and ``user`` are required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    model = context['model']
    user = context['user']
    group = get_group_object(context, data_dict)
    if logic.check_access_old(group, model.Action.EDIT, context):
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to edit group %s') % (str(user),group.id)}
def group_change_state(context, data_dict):
    """Auth for changing a group's state; delegates to the ``group_update`` auth.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    user = context['user']
    group = get_group_object(context, data_dict)
    # use logic for group_update
    if new_authz.is_authorized_boolean('group_update', context, data_dict):
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to change state of group %s') % (str(user),group.id)}
def group_delete(context, data_dict):
    """Auth for deleting a group via ``logic.check_access_old`` (PURGE).

    :param context: CKAN action context; ``model`` and ``user`` are required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    model = context['model']
    user = context['user']
    group = get_group_object(context, data_dict)
    if logic.check_access_old(group, model.Action.PURGE, context):
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to delete group %s') % (str(user),group.id)}
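def _group_or_org_member_delete(context, data_dict):
    """Shared auth for removing a member from a group or organisation.

    Requires the 'delete_member' permission on the group. The trailing
    unreachable ``return {'success': True}`` of the earlier version has been
    dropped; both branches already returned.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group or organisation.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    group = get_group_object(context, data_dict)
    user = context['user']
    authorized = new_authz.has_user_permission_for_group_or_org(
        group.id, user, 'delete_member')
    if not authorized:
        return {'success': False,
                'msg': _('User %s not authorized to delete organization %s members') % (user, group.id)}
    return {'success': True}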
def group_show(context, data_dict):
    """Auth for reading a group.

    Active groups are readable by anyone (including anonymous callers);
    groups in any other state require the 'read' permission.

    :param context: CKAN action context; ``user`` may be absent.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    user = context.get('user')
    group = get_group_object(context, data_dict)
    readable = group.state == 'active' or authz.has_user_permission_for_group_or_org(
        group.id, user, 'read')
    if readable:
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to read group %s') % (user, group.id)}
def organization_update(context, data_dict):
    """Auth for editing an organisation: requires 'update' on it.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the organisation.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    group = logic_auth.get_group_object(context, data_dict)
    user = context['user']
    if new_authz.has_user_permission_for_group_or_org(group.id, user, 'update'):
        return {'success': True}
    denial = _('User %s not authorized to edit organization %s') % (user, group.id)
    return {'success': False, 'msg': denial}
def group_edit_permissions(context, data_dict):
    """Auth for editing a group's permissions: requires 'update' on the group.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    user = context["user"]
    group = get_group_object(context, data_dict)
    allowed = new_authz.has_user_permission_for_group_or_org(group.id, user, "update")
    if allowed:
        return {"success": True}
    denial = _("User %s not authorized to edit permissions of group %s") % (str(user), group.id)
    return {"success": False, "msg": denial}
def test_get_group_object_with_id(self):
    """get_group_object resolves a group by id and caches it in the context."""
    site_user = helpers.call_action('get_site_user')
    created = helpers.call_action('group_create',
                                  context={'user': site_user['name']},
                                  name='test_group')
    context = {'model': core_model}
    group_obj = logic_auth.get_group_object(context, {'id': created['id']})
    assert group_obj.id == created['id']
    # The helper is expected to stash the resolved object on the context.
    assert context['group'] == group_obj
def test_get_group_object_with_id(self):
    """get_group_object resolves a group by id and caches it in the context."""
    site_user = helpers.call_action("get_site_user")
    created = helpers.call_action("group_create",
                                  context={"user": site_user["name"]},
                                  name="test_group")
    context = {"model": core_model}
    group_obj = logic_auth.get_group_object(context, {"id": created["id"]})
    assert group_obj.id == created["id"]
    # The helper is expected to stash the resolved object on the context.
    assert context["group"] == group_obj
def organization_delete(context, data_dict):
    """Auth for deleting an organisation.

    Refused outright unless the ``user_delete_organizations`` config
    permission is on; otherwise requires 'delete' on the organisation.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the organisation.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    group = get_group_object(context, data_dict)
    user = context['user']
    if not authz.check_config_permission('user_delete_organizations'):
        return {'success': False,
                'msg': _('User %s not authorized to delete organizations') % user}
    if authz.has_user_permission_for_group_or_org(group.id, user, 'delete'):
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to delete organization %s') % (user ,group.id)}
def organization_delete(context, data_dict):
    """Auth for deleting an organisation.

    Refused outright unless the ``user_delete_organizations`` config
    permission is on; otherwise requires 'delete' on the organisation.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the organisation.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    group = get_group_object(context, data_dict)
    user = context['user']
    if not new_authz.check_config_permission('user_delete_organizations'):
        return {'success': False,
                'msg': _('User %s not authorized to delete organizations') % user}
    if new_authz.has_user_permission_for_group_or_org(group.id, user, 'delete'):
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to delete organization %s') % (user ,group.id)}
def group_update(context, data_dict):
    """Auth for editing a group: requires 'update' on the group.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    group = logic_auth.get_group_object(context, data_dict)
    user = context['user']
    if authz.has_user_permission_for_group_or_org(group.id, user, 'update'):
        return {'success': True}
    denial = _('User %s not authorized to edit group %s') % (str(user), group.id)
    return {'success': False, 'msg': denial}
def group_change_state(context, data_dict):
    """Auth for changing a group's state via the legacy ``check_access_old``.

    :param context: CKAN action context; ``model`` and ``user`` are required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    model = context["model"]
    user = context["user"]
    group = get_group_object(context, data_dict)
    if check_access_old(group, model.Action.CHANGE_STATE, context):
        return {"success": True}
    denial = _("User %s not authorized to change state of group %s") % (str(user), group.id)
    return {"success": False, "msg": denial}
def group_change_state(context, data_dict):
    """Auth for changing a group's state; delegates to the ``group_update`` auth.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    user = context["user"]
    group = get_group_object(context, data_dict)
    # use logic for group_update
    if new_authz.is_authorized_boolean("group_update", context, data_dict):
        return {"success": True}
    denial = _("User %s not authorized to change state of group %s") % (str(user), group.id)
    return {"success": False, "msg": denial}
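def group_show(context, data_dict):
    """
    Group show permission checks the user group if the state is deleted

    Any caller may see a group that is not deleted. A deleted group is only
    shown to a logged-in user whose 'organization' groups intersect those of
    the group. A username that no longer resolves to a User row is treated
    like an anonymous caller instead of raising AttributeError.

    :param context: CKAN action context; ``model`` is required, ``user`` may
        be absent.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    model = context['model']
    user = context.get('user')
    group = get_group_object(context, data_dict)
    userobj = model.User.get(user)

    if group.state == 'deleted':
        # Guard userobj: previously a non-empty but unknown username crashed
        # on userobj.get_groups rather than being refused.
        if not user or userobj is None or \
                not _groups_intersect(userobj.get_groups('organization'),
                                      group.get_groups('organization')):
            return {'success': False,
                    'msg': _('User %s not authorized to show group %s') % (str(user),group.id)}
    return {'success': True}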
def group_edit_permissions(context, data_dict):
    """Auth for editing a group's permissions via the legacy ``check_access_old``.

    :param context: CKAN action context; ``model`` and ``user`` are required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    model = context["model"]
    user = context["user"]
    group = get_group_object(context, data_dict)
    if check_access_old(group, model.Action.EDIT_PERMISSIONS, context):
        return {"success": True}
    denial = _("User %s not authorized to edit permissions of group %s") % (str(user), group.id)
    return {"success": False, "msg": denial}
def group_delete(context: Context, data_dict: DataDict) -> AuthResult:
    """Auth for deleting a group.

    Refused outright unless the ``user_delete_groups`` config permission is
    on; otherwise requires 'delete' on the group.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    group = get_group_object(context, data_dict)
    user = context['user']
    if not authz.check_config_permission('user_delete_groups'):
        return {'success': False,
                'msg': _('User %s not authorized to delete groups') % user}
    if authz.has_user_permission_for_group_or_org(group.id, user, 'delete'):
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to delete group %s') % (user ,group.id)}
def group_edit_permissions(context, data_dict):
    """Auth for editing a group's permissions: requires 'update' on the group.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    user = context['user']
    group = logic_auth.get_group_object(context, data_dict)
    if new_authz.has_user_permission_for_group_or_org(group.id, user, 'update'):
        return {'success': True}
    denial = _('User %s not authorized to edit permissions of group %s') % (str(user), group.id)
    return {'success': False, 'msg': denial}
def group_show(context, data_dict):
    """Auth for reading a group.

    An active group is readable by anyone when ``ckan.auth.public_user_details``
    is on (the default), or when the request does not ask for member users
    (``include_users`` unset and ``object_type`` other than 'user'). Otherwise
    the 'read' permission on the group is required.

    :param context: CKAN action context; ``user`` may be absent.
    :param data_dict: identifies the group; may carry ``include_users`` and
        ``object_type``.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    user = context.get('user')
    group = get_group_object(context, data_dict)

    if group.state == 'active':
        public_details = asbool(config.get('ckan.auth.public_user_details', True))
        wants_users = (asbool(data_dict.get('include_users', False))
                       or data_dict.get('object_type', None) == 'user')
        if public_details or not wants_users:
            return {'success': True}

    if authz.has_user_permission_for_group_or_org(group.id, user, 'read'):
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to read group %s') % (user, group.id)}
def group_update(context, data_dict):
    """Auth for editing a group (gov_theme variant).

    Requires 'update' on the group; even then the edit is only allowed when
    the ``ckan.gov_theme.is_back`` config flag is set, and that refusal
    carries no ``msg``.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on some failures, ``msg``.
    """
    group = logic_auth.get_group_object(context, data_dict)
    user = context['user']
    if not authz.has_user_permission_for_group_or_org(group.id, user, 'update'):
        return {'success': False,
                'msg': _('User %s not authorized to edit group %s') % (str(user), group.id)}
    # Back-office theme only; the front-end variant gets a bare refusal.
    if authz.config.get('ckan.gov_theme.is_back'):
        return {'success': True}
    return {'success': False}
def group_delete(context, data_dict):
    """Auth for deleting a group (gov_theme variant).

    Refused unless the ``user_delete_groups`` config permission is on and the
    user holds 'delete' on the group; even then the deletion is only allowed
    when ``ckan.gov_theme.is_back`` is set, and that refusal carries no ``msg``.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on some failures, ``msg``.
    """
    group = get_group_object(context, data_dict)
    user = context['user']
    if not authz.check_config_permission('user_delete_groups'):
        return {'success': False,
                'msg': _('User %s not authorized to delete groups') % user}
    if not authz.has_user_permission_for_group_or_org(group.id, user, 'delete'):
        return {'success': False,
                'msg': _('User %s not authorized to delete group %s') % (user ,group.id)}
    # Back-office theme only; the front-end variant gets a bare refusal.
    if authz.config.get('ckan.gov_theme.is_back'):
        return {'success': True}
    return {'success': False}
def group_update(context: Context, data_dict: DataDict) -> AuthResult:
    """Auth for editing a group: requires 'update' on the group.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    group = logic_auth.get_group_object(context, data_dict)
    user = context['user']
    if authz.has_user_permission_for_group_or_org(group.id, user, 'update'):
        return {'success': True}
    denial = _('User %s not authorized to edit group %s') % (str(user), group.id)
    return {'success': False, 'msg': denial}
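def organization_update(context, data_dict):
    """
    This overrides CKAN's auth function to make sure that user has
    permission to use a specific parent organization.

    Three checks run in order: the user must be an active admin of at least
    one of the parent organisations named in ``data_dict['groups']``; when
    saving, the ``public_adminstration_organization`` extra must not change;
    and the user must hold 'update' permission on the organisation itself.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: organisation data, optionally with ``groups`` (parent
        organisations) and the ``save`` marker.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    group = logic_auth.get_group_object(context, data_dict)
    user = context['user']

    # Check that user has admin permissions in selected parent organizations
    if data_dict and data_dict.get('groups'):
        user_id = authz.get_user_id_for_username(user, allow_none=True)
        admin_memberships = model.Session.query(model.Member) \
            .filter(model.Member.state == 'active') \
            .filter(model.Member.table_name == 'user') \
            .filter(model.Member.capacity == 'admin') \
            .filter(model.Member.table_id == user_id)
        # Materialise the org names once; previously the query was re-run
        # for every parent organisation in the loop.
        admin_org_names = {m.group.name for m in admin_memberships}
        # NOTE(review): this passes when the user is admin of ANY listed
        # parent, not all of them, and applies to sysadmins as well — confirm
        # that is the intended policy.
        if not any(parent_org['name'] in admin_org_names
                   for parent_org in data_dict['groups']):
            return {
                'success': False,
                'msg': _('User %s is not administrator in the selected parent organization'
                         ) % user
            }

    # The public-administration flag may not be changed through this path.
    if (data_dict and 'save' in data_dict
            and data_dict.get('public_adminstration_organization', None)
            != group.extras.get('public_adminstration_organization', None)):
        return {
            'success': False,
            'msg': _('User %s is not allowed to change the public organization option'
                     ) % user
        }

    authorized = authz.has_user_permission_for_group_or_org(
        group.id, user, 'update')
    if not authorized:
        return {
            'success': False,
            'msg': _('User %s not authorized to edit organization %s') % (user, group.id)
        }
    return {'success': True}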
def group_change_state(context, data_dict):
    """Auth for changing a group's state; delegates to the ``group_update`` auth.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    user = context['user']
    group = logic_auth.get_group_object(context, data_dict)
    # use logic for group_update
    if new_authz.is_authorized_boolean('group_update', context, data_dict):
        return {'success': True}
    denial = _('User %s not authorized to change state of group %s') % (str(user), group.id)
    return {'success': False, 'msg': denial}
def group_show(context, data_dict):
    """Check whether access to a group is authorised.

    If it's just the group metadata, this requires no privileges, but if
    user details have been requested, it requires a group admin.

    Concretely: an active group is shown to anyone unless ``include_users``
    is set or ``object_type`` is 'user'; in every other case the caller
    needs the 'update' permission on the group.

    :param context: CKAN action context; ``user`` may be absent.
    :param data_dict: identifies the group; may carry ``include_users`` and
        ``object_type``.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    user = context.get('user')
    group = logic_auth.get_group_object(context, data_dict)

    wants_user_details = (asbool(data_dict.get('include_users', False))
                          or data_dict.get('object_type', None) == 'user')
    if group.state == 'active' and not wants_user_details:
        return {'success': True}

    if authz.has_user_permission_for_group_or_org(group.id, user, 'update'):
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to read group %s') % (user, group.id)}
def member_create(context, data_dict):
    """Auth for adding a member to a group or organisation.

    Requires 'update' on the group, or only 'manage_group' when a dataset is
    being added to a plain (non-organisation) group.

    :param context: CKAN action context; ``user`` is required.
    :param data_dict: identifies the group and the ``object_type`` to add.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    group = logic_auth.get_group_object(context, data_dict)
    user = context['user']

    # User must be able to update the group to add a member to it; members of
    # a plain group may however add/remove datasets with a weaker permission.
    adding_dataset_to_group = (not group.is_organization
                               and data_dict.get('object_type') == 'package')
    permission = 'manage_group' if adding_dataset_to_group else 'update'

    if authz.has_user_permission_for_group_or_org(group.id, user, permission):
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to edit group %s') % (str(user), group.id)}
def group_delete(context, data_dict):
    """
    Group delete permission.

    Checks that the user specified is within the group to be deleted and
    also have 'admin' capacity. Anonymous or unknown users are refused
    before the group is even looked up.

    :param context: CKAN action context; ``model`` and ``user`` are required.
    :param data_dict: identifies the group.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    model = context['model']
    user = context['user']
    not_a_member = {'success': False,
                    'msg': _('Only members of this group are authorized to delete this group')}

    if not user:
        return not_a_member
    group = get_group_object(context, data_dict)
    userobj = model.User.get(user)
    if not userobj:
        return not_a_member

    if _groups_intersect(userobj.get_groups('organization', 'admin'), [group]):
        return {'success': True}
    return {'success': False,
            'msg': _('User %s not authorized to delete group %s') % (str(user),group.id)}
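def package_update(context, data_dict):
    """Overrides CKAN auth function to support personal datasets setting in organizations

    Defers to the core ``package_update`` auth first; only when that succeeds
    is the owning organisation's ``personal_datasets`` feature checked, in
    which case only the dataset's creator may modify it.

    :param context: CKAN action context; ``user`` is read for the creator check.
    :param data_dict: dataset data, used to look the package up.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    result = _auth_update.package_update(context, data_dict)
    if not result['success']:
        return result

    user = logic_auth.get_user_object(context, {'id': context.get('user')})
    package = logic_auth.get_package_object(context, data_dict)

    # Showcases don't have organizations. Neither does an unowned dataset,
    # for which the org lookup below raised NotFound instead of returning an
    # auth decision; both now simply keep the core result.
    if package.type == "showcase" or not package.owner_org:
        return result

    org = logic_auth.get_group_object(context, {'id': package.owner_org})
    # NOTE(review): assumes the 'features' extra is a list of feature names.
    personal_datasets = 'personal_datasets' in org.extras.get('features', [])
    # NOTE(review): this also refuses org admins and sysadmins who did not
    # create the dataset — confirm that is the intended policy.
    if personal_datasets and package.creator_user_id != user.id:
        return {'success': False,
                'msg': _('Cannot modify dataset because of organization policy')}
    return result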
def group_create(context, data_dict=None):
    """
    Group create permission.

    If a group is provided, within which we want to create a group then
    we check that the user is within that group. If not then we just say
    Yes for now although there may be some approval issues elsewhere.

    :param context: CKAN action context; ``model`` and ``user`` are read.
    :param data_dict: unused here; the parent group is taken from ``context``.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    model = context['model']
    user = context['user']
    if not user:
        return {'success': False,
                'msg': _('User is not authorized to create groups')}
    if Authorizer.is_sysadmin(user):
        return {'success': True}

    try:
        # If the user is doing this within another group then we need to make
        # sure that the user has permissions for this group.
        # NOTE(review): get_group_object is called without data_dict here —
        # confirm the helper's signature allows that.
        parent = get_group_object(context)
    except logic.NotFound:
        # No parent group supplied: nothing further to check.
        return {'success': True}

    not_allowed = {'success': False,
                   'msg': _('User %s not authorized to create groups') % str(user)}
    userobj = model.User.get(user)
    if not userobj:
        return not_allowed
    if _groups_intersect(userobj.get_groups('organization'), [parent]):
        return {'success': True}
    return not_allowed
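def dgu_group_update(context, data_dict):
    """
    Group edit permission.

    Checks that a valid user is supplied and that the user is an *admin* of
    the group (a 'publisher' membership with 'admin' capacity); the earlier
    docstring said "any capacity", which the code never allowed. Sysadmins
    are always permitted.

    :param context: CKAN action context; ``model`` is required, ``user``
        may be missing.
    :param data_dict: identifies the group being edited.
    :return: auth result dict with ``success`` and, on failure, ``msg``.
    """
    model = context['model']
    user = context.get('user', '')
    group = get_group_object(context, data_dict)

    if not user:
        return {
            'success': False,
            'msg': _('Only members of this group are authorized to edit this group')
        }

    # Sys admins should be allowed to update groups
    if Authorizer().is_sysadmin(unicode(user)):
        return {'success': True}

    user_obj = model.User.get(user)
    if not user_obj:
        return {
            'success': False,
            'msg': _('Could not find user %s') % str(user)
        }

    # Only admins of this group should be able to update this group
    if not _groups_intersect(user_obj.get_groups('publisher', 'admin'), [group]):
        return {
            'success': False,
            'msg': _('User %s not authorized to edit this group') % str(user)
        }
    return {'success': True}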