def package_create(context, data_dict=None): user = context['user'] if new_authz.auth_is_anon_user(context): check1 = all(new_authz.check_config_permission(p) for p in ( 'anon_create_dataset', 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) else: check1 = all(new_authz.check_config_permission(p) for p in ( 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) or new_authz.has_user_permission_for_some_org( user, 'create_dataset') if not check1: return {'success': False, 'msg': _('User %s not authorized to create packages') % user} check2 = _check_group_auth(context,data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user} # If an organization is given are we able to add a dataset to it? data_dict = data_dict or {} org_id = data_dict.get('owner_org') if org_id and not new_authz.has_user_permission_for_group_or_org( org_id, user, 'create_dataset'): return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user} return {'success': True}
def package_update(context, data_dict): user = context.get('user') package = logic_auth.get_package_object(context, data_dict) if package.owner_org: # if there is an owner org then we must have update_dataset # premission for that organization check1 = new_authz.has_user_permission_for_group_or_org( package.owner_org, user, 'update_dataset' ) else: # If dataset is not owned then we can edit if config permissions allow if not new_authz.auth_is_anon_user(context): check1 = new_authz.check_config_permission( 'create_dataset_if_not_in_organization') else: check1 = new_authz.check_config_permission('anon_create_dataset') if not check1: return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)} else: check2 = _check_group_auth(context, data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % (str(user))} return {'success': True}
def package_create(context, data_dict=None): user = context['user'] user_roles = user_custom_roles(context, data_dict) if 'datovy-kurator' in user_roles: return {'success': True} if new_authz.auth_is_anon_user(context): check1 = all(new_authz.check_config_permission(p) for p in ( 'anon_create_dataset', 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) else: check1 = all(new_authz.check_config_permission(p) for p in ( 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) or new_authz.has_user_permission_for_some_org( user, 'create_dataset') if not check1: return {'success': False, 'msg': _('User %s not authorized to create packages') % user} check2 = _check_group_auth(context,data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user} # If an organization is given are we able to add a dataset to it? data_dict = data_dict or {} org_id = data_dict.get('owner_org') if org_id and not new_authz.has_user_permission_for_group_or_org( org_id, user, 'create_dataset'): return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user} return {'success': True}
def datahub_package_create(context, data_dict): from ckan.logic.auth.create import _check_group_auth if authz.is_sysadmin(context.get('user')): return {'success': True} user = context['user'] if not authz.auth_is_registered_user(): if '/new' in c.environ['PATH_INFO']: h.redirect_to(CREATE_DATASET_HELP_PAGE) else: return {'success': False, 'msg': _('You must login to create a dataset')} check1 = authz.check_config_permission('create_dataset_if_not_in_organization') \ or authz.check_config_permission('create_unowned_dataset') #if not authorized and not a part of any org, redirect to help page on how to join one if not check1 and not authz.has_user_permission_for_some_org(user, 'create_dataset'): if '/new' in c.environ['PATH_INFO']: h.redirect_to(CREATE_DATASET_HELP_PAGE) else: return {'success': False, 'msg': _('User %s not authorized to create packages') % user} check2 = _check_group_auth(context,data_dict) if not check2 and not check1: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user} # If an organization is given are we able to add a dataset to it? data_dict = data_dict or {} org_id = data_dict.get('organization_id') if org_id and not authz.has_user_permission_for_group_or_org( org_id, user, 'create_dataset'): return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user} return {'success': True}
def owner_org_validator(key, data, errors, context): value = data.get(key) if value is missing or value is None: if not new_authz.check_config_permission('create_unowned_dataset'): raise Invalid(_('A organization must be supplied')) data.pop(key, None) raise df.StopOnError model = context['model'] user = context['user'] user = model.User.get(user) if value == '' : if not new_authz.check_config_permission('create_unowned_dataset'): raise Invalid(_('A organization must be supplied')) package = context.get('package') # only sysadmins can remove datasets from org if package and package.owner_org and not user.sysadmin: raise Invalid(_('You cannot remove a dataset from an existing organization')) return group = model.Group.get(value) if not group: raise Invalid(_('Organization does not exist')) group_id = group.id if not(user.sysadmin or new_authz.has_user_permission_for_group_or_org( group_id, user.name, 'create_dataset')): raise Invalid(_('You cannot add a dataset to this organization')) data[key] = group_id
def owner_org_validator(key, data, errors, context): value = data.get(key) if value is missing or value is None: if not new_authz.check_config_permission('create_unowned_dataset'): raise Invalid(_('A organization must be supplied')) data.pop(key, None) raise df.StopOnError model = context['model'] user = context['user'] user = model.User.get(user) if value == '': if not new_authz.check_config_permission('create_unowned_dataset'): raise Invalid(_('A organization must be supplied')) package = context.get('package') # only sysadmins can remove datasets from org if package and package.owner_org and not user.sysadmin: raise Invalid( _('You cannot remove a dataset from an existing organization')) return group = model.Group.get(value) if not group: raise Invalid(_('Organization does not exist')) group_id = group.id if not (user.sysadmin or new_authz.has_user_permission_for_group_or_org( group_id, user.name, 'create_dataset')): raise Invalid(_('You cannot add a dataset to this organization')) data[key] = group_id
def datahub_package_create(context, data_dict): from ckan.logic.auth.create import _check_group_auth if new_authz.is_sysadmin(context.get('user')): return {'success': True} user = context['user'] if not new_authz.auth_is_registered_user(): return {'success': False, 'msg': _('You must login to create a dataset')} else: check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization') \ or new_authz.check_config_permission('create_unowned_dataset') if not check1 and not new_authz.has_user_permission_for_some_org(user, 'create_dataset'): h.redirect_to('/pages/requesting-an-organization') if not check1: return {'success': False, 'msg': _('User %s not authorized to create packages') % user} check2 = _check_group_auth(context,data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user} # If an organization is given are we able to add a dataset to it? data_dict = data_dict or {} org_id = data_dict.get('organization_id') if org_id and not new_authz.has_user_permission_for_group_or_org( org_id, user, 'create_dataset'): return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user} return {'success': True}
def datahub_package_create(context, data_dict): from ckan.logic.auth.create import _check_group_auth if new_authz.is_sysadmin(context.get('user')): return {'success': True} user = context['user'] if not new_authz.auth_is_registered_user(): if '/new' in c.environ['PATH_INFO']: h.redirect_to(CREATE_DATASET_HELP_PAGE) else: return { 'success': False, 'msg': _('You must login to create a dataset') } check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization') \ or new_authz.check_config_permission('create_unowned_dataset') #if not authorized and not a part of any org, redirect to help page on how to join one if not check1 and not new_authz.has_user_permission_for_some_org( user, 'create_dataset'): if '/new' in c.environ['PATH_INFO']: h.redirect_to(CREATE_DATASET_HELP_PAGE) else: return { 'success': False, 'msg': _('User %s not authorized to create packages') % user } check2 = _check_group_auth(context, data_dict) if not check2 and not check1: return { 'success': False, 'msg': _('User %s not authorized to edit these groups') % user } # If an organization is given are we able to add a dataset to it? data_dict = data_dict or {} org_id = data_dict.get('organization_id') if org_id and not new_authz.has_user_permission_for_group_or_org( org_id, user, 'create_dataset'): return { 'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user } return {'success': True}
def user_create(context, data_dict=None): using_api = 'api_version' in context create_user_via_api = new_authz.check_config_permission( 'create_user_via_api') create_user_via_web = new_authz.check_config_permission( 'create_user_via_web') if using_api and not create_user_via_api: return {'success': False, 'msg': _('User {user} not authorized to ' 'create users via the API').format(user=context.get('user'))} if not using_api and not create_user_via_web: return {'success': False, 'msg': _('Not authorized to ' 'create users')} return {'success': True}
def package_create(context, data_dict=None): import ckan.new_authz as new_authz from ckan.logic.auth.create import _check_group_auth user = context['user'] if new_authz.auth_is_anon_user(context): check1 = new_authz.check_config_permission('anon_create_dataset') else: # CKAN default options that grant any user rights to create datasets removed here. check1 = new_authz.has_user_permission_for_some_org(user, 'create_dataset') if not check1: return {'success': False, 'msg': _('User %s not authorized to create packages') % user} check2 = _check_group_auth(context,data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user} # If an organization is given are we able to add a dataset to it? data_dict = data_dict or {} org_id = data_dict.get('organization_id') if org_id and not new_authz.has_user_permission_for_group_or_org(org_id, user, 'create_dataset'): return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user} # Note the default value True except when we're actually trying to create a new dataset... if data_dict: org_id = data_dict.get('owner_org') if org_id and not new_authz.has_user_permission_for_group_or_org(org_id, user, 'create_dataset'): return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user} elif not org_id: return {'success': False} return {'success': True}
def organization_create(context, data_dict): """ This overrides CKAN's auth function to make sure that user has permission to use a specific parent organization. """ if not c.userobj: return {'success': False, 'msg': _('Only registered users can create organizations')} # Check that user has admin permissions in selected parent organizations if data_dict and data_dict.get('groups'): admin_in_orgs = model.Session.query(model.Member).filter(model.Member.state == 'active').filter(model.Member.table_name == 'user') \ .filter(model.Member.capacity == 'admin').filter(model.Member.table_id == c.userobj.id) for group in data_dict['groups']: if any(group['name'] == admin_org.group.name for admin_org in admin_in_orgs): break else: return {'success': False, 'msg': _('User %s is not administrator in the selected parent organization') % context['user']} check = _check_public_adminstration_flag(context, data_dict) if check: return check if new_authz.check_config_permission('user_create_organizations'): return {'success': True} return {'success': False, 'msg': _('User %s not authorized to create organizations') % context['user']}
def test_roles_that_cascade_to_sub_groups_is_a_list(self): assert_equals( sorted( auth.check_config_permission( 'roles_that_cascade_to_sub_groups')), sorted(['admin', 'editor']))
def kata_owner_org_validator(key, data, errors, context): ''' Modified version of CKAN's owner_org_validator. Anyone can add a private dataset to an organisation :param key: key :param data: data :param errors: errors :param context: context :return: nothing. Raise invalid if organisation is not given or it doesn't exist ''' value = data.get(key) if value is missing or not value: if not new_authz.check_config_permission('create_unowned_dataset'): raise Invalid(_('An organization must be supplied')) data.pop(key, None) raise df.StopOnError model = context['model'] group = model.Group.get(value) if not group: raise Invalid(_('Organization does not exist')) group_id = group.id data[key] = group_id
def organization_create(context, data_dict=None): user = context['user'] user = new_authz.get_user_id_for_username(user, allow_none=True) if user and new_authz.check_config_permission('user_create_organizations'): return {'success': True} return {'success': False, 'msg': _('User %s not authorized to create organizations') % user}
def user_create(context, data_dict=None): user = context['user'] if ('api_version' in context and not new_authz.check_config_permission('create_user_via_api')): return {'success': False, 'msg': _('User %s not authorized to create users') % user} else: return {'success': True}
def package_create(context, data_dict=None): user = context['user'] if not new_authz.auth_is_registered_user(): check1 = new_authz.check_config_permission('anon_create_dataset') else: check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization') \ or new_authz.has_user_permission_for_some_org(user, 'create_dataset') if not check1: return {'success': False, 'msg': _('User %s not authorized to create packages') % user} else: check2 = _check_group_auth(context,data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % str(user)} return {'success': True}
def package_create(context, data_dict=None): import ckan.new_authz as new_authz from ckan.logic.auth.create import _check_group_auth user = context['user'] if new_authz.auth_is_anon_user(context): check1 = new_authz.check_config_permission( 'anon_create_dataset') else: # CKAN default options that grant any user rights to create datasets removed here. check1 = new_authz.has_user_permission_for_some_org( user, 'create_dataset') if not check1: return { 'success': False, 'msg': _('User %s not authorized to create packages') % user } check2 = _check_group_auth(context, data_dict) if not check2: return { 'success': False, 'msg': _('User %s not authorized to edit these groups') % user } # If an organization is given are we able to add a dataset to it? data_dict = data_dict or {} org_id = data_dict.get('organization_id') if org_id and not new_authz.has_user_permission_for_group_or_org( org_id, user, 'create_dataset'): return { 'success': False, 'msg': _('User %s not authorized to add dataset to this organization' ) % user } # Note the default value True except when we're actually trying to create a new dataset... if data_dict: org_id = data_dict.get('owner_org') if org_id and not new_authz.has_user_permission_for_group_or_org( org_id, user, 'create_dataset'): return { 'success': False, 'msg': _('User %s not authorized to add dataset to this organization' ) % user } elif not org_id: return {'success': False} return {'success': True}
def group_delete(context, data_dict): group = get_group_object(context, data_dict) user = context["user"] if not new_authz.check_config_permission("user_delete_groups"): return {"success": False, "msg": _("User %s not authorized to delete groups") % user} authorized = new_authz.has_user_permission_for_group_or_org(group.id, user, "delete") if not authorized: return {"success": False, "msg": _("User %s not authorized to delete group %s") % (user, group.id)} else: return {"success": True}
def group_delete(context, data_dict): group = get_group_object(context, data_dict) user = context['user'] if not new_authz.check_config_permission('user_delete_groups'): return {'success': False, 'msg': _('User %s not authorized to delete groups') % user} authorized = new_authz.has_user_permission_for_group_or_org( group.id, user, 'delete') if not authorized: return {'success': False, 'msg': _('User %s not authorized to delete group %s') % (user ,group.id)} else: return {'success': True}
def organization_delete(context, data_dict): group = get_group_object(context, data_dict) user = context['user'] if not new_authz.check_config_permission('user_delete_organizations'): return {'success': False, 'msg': _('User %s not authorized to delete organizations') % user} authorized = new_authz.has_user_permission_for_group_or_org( group.id, user, 'delete') if not authorized: return {'success': False, 'msg': _('User %s not authorized to delete organization %s') % (user ,group.id)} else: return {'success': True}
def package_update(context, data_dict): user = context.get("user") package = get_package_object(context, data_dict) if package.owner_org: # if there is an owner org then we must have update_dataset # premission for that organization check1 = new_authz.has_user_permission_for_group_or_org(package.owner_org, user, "update_dataset") else: # If dataset is not owned then we can edit if config permissions allow if new_authz.auth_is_registered_user(): check1 = new_authz.check_config_permission("create_dataset_if_not_in_organization") else: check1 = new_authz.check_config_permission("anon_create_dataset") if not check1: return {"success": False, "msg": _("User %s not authorized to edit package %s") % (str(user), package.id)} else: check2 = _check_group_auth(context, data_dict) if not check2: return {"success": False, "msg": _("User %s not authorized to edit these groups") % str(user)} return {"success": True}
def package_create(context, data_dict=None): user = context['user'] if not new_authz.auth_is_registered_user(): check1 = new_authz.check_config_permission('anon_create_dataset') else: check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization') \ or new_authz.has_user_permission_for_some_org(user, 'create_dataset') if not check1: return {'success': False, 'msg': _('User %s not authorized to create packages') % user} check2 = _check_group_auth(context,data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user} # If an organization is given are we able to add a dataset to it? data_dict = data_dict or {} org_id = data_dict.get('organization_id') if org_id and not new_authz.has_user_permission_for_group_or_org( org_id, user, 'create_dataset'): return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user} return {'success': True}
def package_update(context, data_dict): user = context.get('user') package = get_package_object(context, data_dict) if package.owner_org: check1 = new_authz.has_user_permission_for_group_or_org(package.owner_org, user, 'update_dataset') else: check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization') if not check1: return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)} else: check2 = _check_group_auth(context,data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % str(user)} return {'success': True}
def owner_org_validator(key, data, errors, context): value = data.get(key) if value is missing or not value: if not new_authz.check_config_permission('create_unowned_dataset'): raise Invalid(_('A organization must be supplied')) data.pop(key, None) raise df.StopOnError model = context['model'] group = model.Group.get(value) if not group: raise Invalid(_('Organization does not exist')) group_id = group.id user = context['user'] user = model.User.get(user) if not(user.sysadmin or user.is_in_group(group_id)): raise Invalid(_('You cannot add a dataset to this organization')) data[key] = group_id
def test_config_overrides_default(self): assert_equals(auth.check_config_permission( 'anon_create_dataset'), True)
def test_get_default_value_if_not_set_in_config(self): assert_equals(auth.check_config_permission( 'anon_create_dataset'), auth.CONFIG_PERMISSIONS_DEFAULTS['anon_create_dataset'])
def test_default_roles_that_cascade_to_sub_groups_is_a_list(self): assert isinstance( auth.check_config_permission('roles_that_cascade_to_sub_groups'), list)
def test_roles_that_cascade_to_sub_groups_is_a_list(self): assert_equals(sorted(auth.check_config_permission( 'roles_that_cascade_to_sub_groups')), sorted(['admin', 'editor']))
def test_config_override_also_works_with_prefix(self): assert_equals( auth.check_config_permission('ckan.auth.anon_create_dataset'), True)
def test_unknown_permission_not_in_config_returns_false(self): assert_equals(auth.check_config_permission('unknown_permission'), False)
def test_get_default_value_also_works_with_prefix(self): assert_equals( auth.check_config_permission('ckan.auth.anon_create_dataset'), auth.CONFIG_PERMISSIONS_DEFAULTS['anon_create_dataset'])
def test_config_overrides_default(self): assert_equals(auth.check_config_permission('anon_create_dataset'), True)
def test_get_default_value_if_not_set_in_config(self): assert_equals(auth.check_config_permission('anon_create_dataset'), auth.CONFIG_PERMISSIONS_DEFAULTS['anon_create_dataset'])
def test_unknown_permission_not_in_config_returns_false(self): assert_equals(auth.check_config_permission( 'unknown_permission'), False)
def test_get_default_value_also_works_with_prefix(self): assert_equals(auth.check_config_permission( 'ckan.auth.anon_create_dataset'), auth.CONFIG_PERMISSIONS_DEFAULTS['anon_create_dataset'])
def test_config_override_also_works_with_prefix(self): assert_equals(auth.check_config_permission( 'ckan.auth.anon_create_dataset'), True)
def test_default_roles_that_cascade_to_sub_groups_is_a_list(self): assert isinstance(auth.check_config_permission( 'roles_that_cascade_to_sub_groups'), list)