def check_group_auth(context, data_dict):
if not data_dict:
return True
model = context['model']
pkg = context.get("package")
api_version = context.get('api_version') or '1'
group_blobs = data_dict.get("groups", [])
groups = set()
for group_blob in group_blobs:
# group_blob might be a dict or a group_ref
if isinstance(group_blob, dict):
if api_version == '1':
id = group_blob.get('name')
else:
id = group_blob.get('id')
if not id:
continue
else:
id = group_blob
grp = model.Group.get(id)
if grp is None:
raise NotFound(_('Group was not found.'))
groups.add(grp)
if pkg:
groups = groups - set(pkg.groups)
for group in groups:
if not check_access_old(group, model.Action.EDIT, context):
return False
return True
def authorization_group_create(context, data_dict=None):
model = context['model']
user = context['user']
authorized = check_access_old(model.System(), model.Action.AUTHZ_GROUP_CREATE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to create authorization groups') % str(user)}
else:
return {'success': True}
def user_create(context, data_dict=None):
model = context['model']
user = context['user']
authorized = check_access_old(model.System(), model.Action.USER_CREATE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to create users') % str(user)}
else:
return {'success': True}
def user_create(context, data_dict=None):
model = context["model"]
user = context["user"]
authorized = logic.check_access_old(model.System(), model.Action.USER_CREATE, context)
if not authorized:
return {"success": False, "msg": _("User %s not authorized to create users") % str(user)}
else:
return {"success": True}
def group_change_state(context, data_dict):
model = context['model']
user = context['user']
group = get_group_object(context, data_dict)
authorized = check_access_old(group, model.Action.CHANGE_STATE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to change state of group %s') % (str(user),group.id)}
else:
return {'success': True}
def package_change_state(context, data_dict):
model = context['model']
user = context['user']
package = get_package_object(context, data_dict)
authorized = check_access_old(package, model.Action.CHANGE_STATE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to change state of package %s') % (str(user),package.id)}
else:
return {'success': True}
def group_change_state(context, data_dict):
model = context['model']
user = context['user']
group = get_group_object(context, data_dict)
authorized = logic.check_access_old(group, model.Action.CHANGE_STATE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to change state of group %s') % (str(user),group.id)}
else:
return {'success': True}
def package_delete(context, data_dict):
model = context['model']
user = context['user']
package = get_package_object(context, data_dict)
authorized = logic.check_access_old(package, model.Action.PURGE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to delete package %s') % (str(user),package.id)}
else:
return {'success': True}
def package_edit_permissions(context, data_dict):
model = context['model']
user = context['user']
package = get_package_object(context, data_dict)
authorized = logic.check_access_old(package, model.Action.EDIT_PERMISSIONS, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to edit permissions of package %s') % (str(user),package.id)}
else:
return {'success': True}
def group_update(context, data_dict):
model = context['model']
user = context['user']
group = get_group_object(context, data_dict)
authorized = check_access_old(group, model.Action.EDIT, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to edit group %s') % (str(user),group.id)}
else:
return {'success': True}
def authorization_group_edit_permissions(context, data_dict):
model = context['model']
user = context['user']
authorization_group = get_authorization_group_object(context, data_dict)
authorized = logic.check_access_old(authorization_group, model.Action.EDIT_PERMISSIONS, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to edit permissions of authorization group %s') % (str(user),authorization_group.id)}
else:
return {'success': True}
def package_change_state(context, data_dict):
model = context['model']
user = context['user']
package = get_package_object(context, data_dict)
authorized = logic.check_access_old(package, model.Action.CHANGE_STATE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to change state of package %s') % (str(user),package.id)}
else:
return {'success': True}
def group_show(context, data_dict):
model = context['model']
user = context.get('user')
group = get_group_object(context, data_dict)
authorized = logic.check_access_old(group, model.Action.READ, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to read group %s') % (str(user),group.id)}
else:
return {'success': True}
def group_show(context, data_dict):
model = context['model']
user = context.get('user')
group = get_group_object(context, data_dict)
authorized = logic.check_access_old(group, model.Action.READ, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to read group %s') % (str(user),group.id)}
else:
return {'success': True}
def authorization_group_edit_permissions(context, data_dict):
model = context['model']
user = context['user']
authorization_group = get_authorization_group_object(context, data_dict)
authorized = logic.check_access_old(authorization_group, model.Action.EDIT_PERMISSIONS, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to edit permissions of authorization group %s') % (str(user),authorization_group.id)}
else:
return {'success': True}
def package_show(context, data_dict):
model = context['model']
user = context.get('user')
package = get_package_object(context, data_dict)
authorized = logic.check_access_old(package, model.Action.READ, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)}
else:
return {'success': True}
def relationship_delete(context, data_dict):
model = context['model']
user = context['user']
relationship = context['relationship']
authorized = check_access_old(relationship, model.Action.PURGE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to delete relationship %s') % (str(user),relationship.id)}
else:
return {'success': True}
def package_edit_permissions(context, data_dict):
model = context['model']
user = context['user']
package = get_package_object(context, data_dict)
authorized = logic.check_access_old(package, model.Action.EDIT_PERMISSIONS, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to edit permissions of package %s') % (str(user),package.id)}
else:
return {'success': True}
def group_delete(context, data_dict):
model = context['model']
user = context['user']
group = get_group_object(context, data_dict)
authorized = logic.check_access_old(group, model.Action.PURGE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to delete group %s') % (str(user),group.id)}
else:
return {'success': True}
def group_update(context, data_dict):
model = context["model"]
user = context["user"]
group = get_group_object(context, data_dict)
authorized = check_access_old(group, model.Action.EDIT, context)
if not authorized:
return {"success": False, "msg": _("User %s not authorized to edit group %s") % (str(user), group.id)}
else:
return {"success": True}
def package_show(context, data_dict):
model = context['model']
user = context.get('user')
package = get_package_object(context, data_dict)
authorized = check_access_old(package, model.Action.READ, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)}
else:
return {'success': True}
def group_change_state(context, data_dict):
model = context["model"]
user = context["user"]
group = get_group_object(context, data_dict)
authorized = check_access_old(group, model.Action.CHANGE_STATE, context)
if not authorized:
return {
"success": False,
"msg": _("User %s not authorized to change state of group %s") % (str(user), group.id),
}
else:
return {"success": True}
def package_change_state(context, data_dict):
model = context["model"]
user = context["user"]
package = get_package_object(context, data_dict)
authorized = check_access_old(package, model.Action.CHANGE_STATE, context)
if not authorized:
return {
"success": False,
"msg": _("User %s not authorized to change state of package %s") % (str(user), package.id),
}
else:
return {"success": True}
def package_edit_permissions(context, data_dict):
model = context["model"]
user = context["user"]
package = get_package_object(context, data_dict)
authorized = check_access_old(package, model.Action.EDIT_PERMISSIONS, context)
if not authorized:
return {
"success": False,
"msg": _("User %s not authorized to edit permissions of package %s") % (str(user), package.id),
}
else:
return {"success": True}
def user_create(context, data_dict=None):
model = context['model']
user = context['user']
authorized = check_access_old(model.System(), model.Action.USER_CREATE,
context)
if not authorized:
return {
'success': False,
'msg': _('User %s not authorized to create users') % str(user)
}
else:
return {'success': True}
def package_update(context, data_dict):
model = context['model']
user = context.get('user')
package = get_package_object(context, data_dict)
check1 = logic.check_access_old(package, model.Action.EDIT, context)
if not check1:
return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)}
else:
check2 = _check_group_auth(context,data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % str(user)}
return {'success': True}
def package_create(context, data_dict=None):
model = context["model"]
user = context["user"]
check1 = logic.check_access_old(model.System(), model.Action.PACKAGE_CREATE, context)
if not check1:
return {"success": False, "msg": _("User %s not authorized to create packages") % str(user)}
else:
check2 = _check_group_auth(context, data_dict)
if not check2:
return {"success": False, "msg": _("User %s not authorized to edit these groups") % str(user)}
return {"success": True}
def package_relationship_delete(context, data_dict):
can_edit_this_relationship = package_relationship_create(context, data_dict)
if not can_edit_this_relationship['success']:
return can_edit_this_relationship
model = context['model']
user = context['user']
relationship = context['relationship']
authorized = logic.check_access_old(relationship, model.Action.PURGE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to delete relationship %s') % (str(user),relationship.id)}
else:
return {'success': True}
def package_create(context, data_dict=None):
model = context['model']
user = context['user']
check1 = logic.check_access_old(model.System(), model.Action.PACKAGE_CREATE, context)
if not check1:
return {'success': False, 'msg': _('User %s not authorized to create packages') % str(user)}
else:
check2 = _check_group_auth(context,data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % str(user)}
return {'success': True}
def authorization_group_edit_permissions(context, data_dict):
model = context["model"]
user = context["user"]
authorization_group = get_authorization_group_object(context, data_dict)
authorized = check_access_old(authorization_group, model.Action.EDIT_PERMISSIONS, context)
if not authorized:
return {
"success": False,
"msg": _("User %s not authorized to edit permissions of authorization group %s")
% (str(user), authorization_group.id),
}
else:
return {"success": True}
def package_update(context, data_dict):
model = context["model"]
user = context.get("user")
package = get_package_object(context, data_dict)
check1 = check_access_old(package, model.Action.EDIT, context)
if not check1:
return {"success": False, "msg": _("User %s not authorized to edit package %s") % (str(user), package.id)}
else:
check2 = _check_group_auth(context, data_dict)
if not check2:
return {"success": False, "msg": _("User %s not authorized to edit these groups") % str(user)}
return {"success": True}
def package_delete(context, data_dict):
model = context['model']
user = context['user']
package = get_package_object(context, data_dict)
authorized = check_access_old(package, model.Action.PURGE, context)
if not authorized:
return {
'success':
False,
'msg':
_('User %s not authorized to delete package %s') %
(str(user), package.id)
}
else:
return {'success': True}
def resource_create(context, data_dict):
# resource_create runs through package_update, no need to
# check users eligibility to add resource to package here.
model = context['model']
user = context['user']
check1 = logic.check_access_old(model.System(), model.Action.PACKAGE_CREATE, context)
if not check1:
return {'success': False, 'msg': _('User %s not authorized to create packages') % str(user)}
else:
check2 = _check_group_auth(context,data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % str(user)}
return {'success': True}
def authorization_group_create(context, data_dict=None):
model = context['model']
user = context['user']
authorized = check_access_old(model.System(),
model.Action.AUTHZ_GROUP_CREATE, context)
if not authorized:
return {
'success':
False,
'msg':
_('User %s not authorized to create authorization groups') %
str(user)
}
else:
return {'success': True}
def relationship_delete(context, data_dict):
model = context['model']
user = context['user']
relationship = context['relationship']
authorized = check_access_old(relationship, model.Action.PURGE, context)
if not authorized:
return {
'success':
False,
'msg':
_('User %s not authorized to delete relationship %s') %
(str(user), relationship.id)
}
else:
return {'success': True}
def package_show(context, data_dict):
model = context['model']
user = context.get('user')
package = get_package_object(context, data_dict)
authorized = logic.check_access_old(package, model.Action.READ, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)}
else:
# draft state indicates package is still in the creation process
# so we need to check we have creation rights.
if package.state.startswith('draft'):
auth = ckan.new_authz.is_authorized('package_update',
context, data_dict)
if not auth.get('success'):
msg = _('User %s not authorized to read package %s') \
% (str(user),package.id)
return {'success': False, 'msg': msg}
return {'success': True}
def package_relationship_delete(context, data_dict):
can_edit_this_relationship = package_relationship_create(
context, data_dict)
if not can_edit_this_relationship['success']:
return can_edit_this_relationship
model = context['model']
user = context['user']
relationship = context['relationship']
authorized = check_access_old(relationship, model.Action.PURGE, context)
if not authorized:
return {
'success':
False,
'msg':
_('User %s not authorized to delete relationship %s') %
(str(user), relationship.id)
}
else:
return {'success': True}
def package_create(context, data_dict=None):
model = context['model']
user = context['user']
check1 = logic.check_access_old(model.System(),
model.Action.PACKAGE_CREATE, context)
if not check1:
return {
'success': False,
'msg': _('User %s not authorized to create packages') % str(user)
}
else:
check2 = _check_group_auth(context, data_dict)
if not check2:
return {
'success': False,
'msg':
_('User %s not authorized to edit these groups') % str(user)
}
return {'success': True}
def _check_group_auth(context, data_dict):
if not data_dict:
return True
model = context["model"]
pkg = context.get("package")
api_version = context.get("api_version") or "1"
group_blobs = data_dict.get("groups", [])
groups = set()
for group_blob in group_blobs:
# group_blob might be a dict or a group_ref
if isinstance(group_blob, dict):
if api_version == "1":
id = group_blob.get("name")
else:
id = group_blob.get("id")
if not id:
continue
else:
id = group_blob
grp = model.Group.get(id)
if grp is None:
raise logic.NotFound(_("Group was not found."))
groups.add(grp)
if pkg:
pkg_groups = pkg.get_groups()
groups = groups - set(pkg_groups)
for group in groups:
if not logic.check_access_old(group, model.Action.EDIT, context):
return False
return True
def check_group_auth(context, data_dict):
if not data_dict:
return True
model = context['model']
pkg = context.get("package")
api_version = context.get('api_version') or '1'
group_blobs = data_dict.get("groups", [])
groups = set()
for group_blob in group_blobs:
# group_blob might be a dict or a group_ref
if isinstance(group_blob, dict):
if api_version == '1':
id = group_blob.get('name')
else:
id = group_blob.get('id')
if not id:
continue
else:
id = group_blob
grp = model.Group.get(id)
if grp is None:
raise NotFound(_('Group was not found.'))
groups.add(grp)
if pkg:
pkg_groups = pkg.get_groups()
groups = groups - set(pkg_groups)
for group in groups:
if not check_access_old(group, model.Action.EDIT, context):
return False
return True
def resource_create(context, data_dict):
# resource_create runs through package_update, no need to
# check users eligibility to add resource to package here.
model = context['model']
user = context['user']
check1 = logic.check_access_old(model.System(),
model.Action.PACKAGE_CREATE, context)
if not check1:
return {
'success': False,
'msg': _('User %s not authorized to create packages') % str(user)
}
else:
check2 = _check_group_auth(context, data_dict)
if not check2:
return {
'success': False,
'msg':
_('User %s not authorized to edit these groups') % str(user)
}
return {'success': True}
