def resource_view_delete(context, data_dict):
if context.get('resource'):
return authz.is_authorized('resource_delete', context, {})
if context.get('resource_view'):
return authz.is_authorized('resource_delete', context, {'id': context['resource_view'].resource_id})
resource_id = data_dict.get('resource_id')
if not resource_id:
resource_view = context['model'].ResourceView.get(data_dict['id'])
if not resource_view:
raise logic.NotFound(_('Resource view not found, cannot check auth.'))
resource_id = resource_view.resource_id
return authz.is_authorized('resource_delete', context, {'id': resource_id})
def group_create_rest(context, data_dict):
model = context['model']
user = context['user']
if not user:
return {'success': False, 'msg': _('Valid API key needed to create a group')}
return authz.is_authorized('group_create', context, data_dict)
def resource_create(context, data_dict):
model = context['model']
user = context.get('user')
package_id = data_dict.get('package_id')
if not package_id and data_dict.get('id'):
# This can happen when auth is deferred, eg from `resource_view_create`
resource = logic_auth.get_resource_object(context, data_dict)
package_id = resource.package_id
if not package_id:
raise logic.NotFound(
_('No dataset id provided, cannot check auth.')
)
# check authentication against package
pkg = model.Package.get(package_id)
if not pkg:
raise logic.NotFound(
_('No package found for this resource, cannot check auth.')
)
pkg_dict = {'id': pkg.id}
authorized = authz.is_authorized('package_update', context, pkg_dict).get('success')
if not authorized:
return {'success': False,
'msg': _('User %s not authorized to create resources on dataset %s') %
(str(user), package_id)}
else:
return {'success': True}
def package_update_rest(context, data_dict):
model = context['model']
user = context['user']
if user in (model.PSEUDO_USER__VISITOR, ''):
return {'success': False,
'msg': _('Valid API key needed to edit a package')}
return authz.is_authorized('package_update', context, data_dict)
def package_update_rest(context, data_dict):
model = context['model']
user = context['user']
if not user:
return {'success': False,
'msg': _('Valid API key needed to edit a package')}
return authz.is_authorized('package_update', context, data_dict)
def _followee_list(context, data_dict):
model = context['model']
# Visitors cannot see what users are following.
authorized_user = model.User.get(context.get('user'))
if not authorized_user:
return {'success': False, 'msg': _('Not authorized')}
# Any user is authorized to see what she herself is following.
requested_user = model.User.get(data_dict.get('id'))
if authorized_user == requested_user:
return {'success': True}
# Sysadmins are authorized to see what anyone is following.
return authz.is_authorized('sysadmin', context, data_dict)
def resource_show(context, data_dict):
model = context["model"]
user = context.get("user")
resource = get_resource_object(context, data_dict)
# check authentication against package
pkg = model.Package.get(resource.package_id)
if not pkg:
raise logic.NotFound(_("No package found for this resource, cannot check auth."))
pkg_dict = {"id": pkg.id}
authorized = authz.is_authorized("package_show", context, pkg_dict).get("success")
if not authorized:
return {"success": False, "msg": _("User %s not authorized to read resource %s") % (user, resource.id)}
else:
return {"success": True}
def resource_show(context, data_dict):
model = context['model']
user = context.get('user')
resource = get_resource_object(context, data_dict)
# check authentication against package
pkg = model.Package.get(resource.package_id)
if not pkg:
raise logic.NotFound(_('No package found for this resource, cannot check auth.'))
pkg_dict = {'id': pkg.id}
authorized = authz.is_authorized('package_show', context, pkg_dict).get('success')
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to read resource %s') % (user, resource.id)}
else:
return {'success': True}
def package_show(context, data_dict):
user = context.get("user")
package = get_package_object(context, data_dict)
# draft state indicates package is still in the creation process
# so we need to check we have creation rights.
if package.state.startswith("draft"):
auth = authz.is_authorized("package_update", context, data_dict)
authorized = auth.get("success")
elif package.owner_org is None and package.state == "active":
return {"success": True}
else:
# anyone can see a public package
if not package.private and package.state == "active":
return {"success": True}
authorized = authz.has_user_permission_for_group_or_org(package.owner_org, user, "read")
if not authorized:
return {"success": False, "msg": _("User %s not authorized to read package %s") % (user, package.id)}
else:
return {"success": True}
def package_show(context, data_dict):
user = context.get('user')
package = get_package_object(context, data_dict)
# draft state indicates package is still in the creation process
# so we need to check we have creation rights.
if package.state.startswith('draft'):
auth = authz.is_authorized('package_update',
context, data_dict)
authorized = auth.get('success')
elif package.owner_org is None and package.state == 'active':
return {'success': True}
else:
# anyone can see a public package
if not package.private and package.state == 'active':
return {'success': True}
authorized = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'read')
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to read package %s') % (user, package.id)}
else:
return {'success': True}
def spc_thematic_area_list(context, data_dict=None):
return is_authorized('site_read', context, data_dict)
def current_package_list_with_resources(context, data_dict):
return authz.is_authorized('package_list', context, data_dict)
def package_revision_list(context, data_dict):
return authz.is_authorized('package_show', context, data_dict)
def resource_create_default_resource_views(context, data_dict):
return authz.is_authorized('resource_create', context, {'id': data_dict['resource']['id']})
def resource_view_reorder(context, data_dict):
return authz.is_authorized('resource_update', context,
{'id': data_dict['resource_id']})
def resource_create_default_resource_views(context: Context,
data_dict: DataDict) -> AuthResult:
return authz.is_authorized(
'resource_create', context, {'id': data_dict['resource']['id']})
def package_relationship_update(context, data_dict):
return authz.is_authorized('package_relationship_create',
context,
data_dict)
def dashboard_mark_activities_old(context: Context,
data_dict: DataDict) -> AuthResult:
return authz.is_authorized("dashboard_activity_list", context, data_dict)
def resource_view_list(context, data_dict):
return authz.is_authorized('resource_show', context, data_dict)
def package_create_default_resource_views(context, data_dict):
if authz.config.get('ckan.gov_theme.is_back'):
return authz.is_authorized('package_update', context,data_dict['package'])
else:
return {'success': False}
def test_auth_plugin_override():
package_list_original = authz.is_authorized("package_list", {})
with plugins.use_plugin("auth_plugin"):
assert authz.is_authorized("package_list", {}) != package_list_original
assert authz.is_authorized("package_list", {}) == package_list_original
def package_revise(context, data_dict):
return authz.is_authorized('package_update', context, data_dict['update'])
def dashboard_mark_activities_old(context, data_dict):
return authz.is_authorized('dashboard_activity_list', context, data_dict)
def package_relationship_update(context, data_dict):
return authz.is_authorized('package_relationship_create', context,
data_dict)
def check_access(action, context, data_dict=None):
'''Calls the authorization function for the provided action
This is the only function that should be called to determine whether a
user (or an anonymous request) is allowed to perform a particular action.
The function accepts a context object, which should contain a 'user' key
with the name of the user performing the action, and optionally a
dictionary with extra data to be passed to the authorization function.
For example::
check_access('package_update', context, data_dict)
If not already there, the function will add an `auth_user_obj` key to the
context object with the actual User object (in case it exists in the
database). This check is only performed once per context object.
Raise :py:exc:`~ckan.plugins.toolkit.NotAuthorized` if the user is not
authorized to call the named action function.
If the user *is* authorized to call the action, return ``True``.
:param action: the name of the action function, eg. ``'package_create'``
:type action: string
:param context:
:type context: dict
:param data_dict:
:type data_dict: dict
:raises: :py:exc:`~ckan.plugins.toolkit.NotAuthorized` if the user is not
authorized to call the named action
'''
# Auth Auditing. We remove this call from the __auth_audit stack to show
# we have called the auth function
try:
audit = context.get('__auth_audit', [])[-1]
except IndexError:
audit = ''
if audit and audit[0] == action:
context['__auth_audit'].pop()
user = context.get('user')
try:
if not 'auth_user_obj' in context:
context['auth_user_obj'] = None
if not context.get('ignore_auth'):
if not context.get('__auth_user_obj_checked'):
if context.get('user') and not context.get('auth_user_obj'):
context['auth_user_obj'] = \
model.User.by_name(context['user'])
context['__auth_user_obj_checked'] = True
context = _prepopulate_context(context)
logic_authorization = authz.is_authorized(action, context,
data_dict)
if not logic_authorization['success']:
msg = logic_authorization.get('msg', '')
raise NotAuthorized(msg)
except NotAuthorized, e:
log.debug(u'check access NotAuthorized - %s user=%s "%s"',
action, user, unicode(e))
raise
def package_autocomplete(context, data_dict):
return authz.is_authorized('package_list', context, data_dict)
def member_delete(context, data_dict):
return authz.is_authorized('member_create', context, data_dict)
def group_autocomplete(context, data_dict):
return authz.is_authorized('group_list', context, data_dict)
def package_create_default_resource_views(context: Context,
data_dict: DataDict) -> AuthResult:
return authz.is_authorized('package_update', context,
data_dict['package'])
def organization_autocomplete(context, data_dict):
return authz.is_authorized('organization_list', context, data_dict)
def test_auth_plugin_override(self):
package_list_original = authz.is_authorized('package_list', {})
with plugins.use_plugin('auth_plugin'):
assert authz.is_authorized('package_list', {}) != package_list_original
assert authz.is_authorized('package_list', {}) == package_list_original
def tag_autocomplete(context, data_dict):
return authz.is_authorized('tag_list', context, data_dict)
def test_auth_plugin_override(self):
package_list_original = authz.is_authorized('package_list', {})
with plugins.use_plugin('auth_plugin'):
assert authz.is_authorized('package_list', {}) != package_list_original
assert authz.is_authorized('package_list', {}) == package_list_original
def user_autocomplete(context, data_dict):
return authz.is_authorized('user_list', context, data_dict)
def organization_follower_list(context, data_dict):
return authz.is_authorized('sysadmin', context, data_dict)
def dashboard_new_activities_count(context, data_dict):
# FIXME: This should go through check_access() not call is_authorized()
# directly, but wait until 2939-orgs is merged before fixing this.
# This is so a better not authourized message can be sent.
return authz.is_authorized('dashboard_activity_list', context, data_dict)
def organization_revision_list(context, data_dict):
return authz.is_authorized('group_show', context, data_dict)
def group_follower_list(context, data_dict):
return authz.is_authorized('sysadmin', context, data_dict)
def group_list_available(context, data_dict):
return authz.is_authorized('group_list', context, data_dict)
def organization_follower_list(context, data_dict):
return authz.is_authorized('sysadmin', context, data_dict)
def group_list_available(context, data_dict):
return authz.is_authorized('group_list', context, data_dict)
def current_package_list_with_resources(context, data_dict):
return authz.is_authorized('package_list', context, data_dict)
def check_access(action, context, data_dict=None):
'''Calls the authorization function for the provided action
This is the only function that should be called to determine whether a
user (or an anonymous request) is allowed to perform a particular action.
The function accepts a context object, which should contain a 'user' key
with the name of the user performing the action, and optionally a
dictionary with extra data to be passed to the authorization function.
For example::
check_access('package_update', context, data_dict)
If not already there, the function will add an `auth_user_obj` key to the
context object with the actual User object (in case it exists in the
database). This check is only performed once per context object.
Raise :py:exc:`~ckan.plugins.toolkit.NotAuthorized` if the user is not
authorized to call the named action function.
If the user *is* authorized to call the action, return ``True``.
:param action: the name of the action function, eg. ``'package_create'``
:type action: string
:param context:
:type context: dict
:param data_dict:
:type data_dict: dict
:raises: :py:exc:`~ckan.plugins.toolkit.NotAuthorized` if the user is not
authorized to call the named action
'''
# Auth Auditing. We remove this call from the __auth_audit stack to show
# we have called the auth function
try:
audit = context.get('__auth_audit', [])[-1]
except IndexError:
audit = ''
if audit and audit[0] == action:
context['__auth_audit'].pop()
user = context.get('user')
try:
if 'auth_user_obj' not in context:
context['auth_user_obj'] = None
if not context.get('ignore_auth'):
if not context.get('__auth_user_obj_checked'):
if context.get('user') and not context.get('auth_user_obj'):
context['auth_user_obj'] = \
model.User.by_name(context['user'])
context['__auth_user_obj_checked'] = True
context = _prepopulate_context(context)
logic_authorization = authz.is_authorized(action, context,
data_dict)
if not logic_authorization['success']:
msg = logic_authorization.get('msg', '')
raise NotAuthorized(msg)
except NotAuthorized, e:
log.debug(u'check access NotAuthorized - %s user=%s "%s"',
action, user, unicode(e))
raise
def organization_revision_list(context, data_dict):
return authz.is_authorized('group_show', context, data_dict)
def package_delete(context, data_dict):
# Defer authorization for package_delete to package_update, as deletions
# are essentially changing the state field
return authz.is_authorized('package_update', context, data_dict)
def get_access_request(context, data_dict):
return is_authorized('site_read', context, data_dict)
def dashboard_mark_activities_old(context, data_dict):
return authz.is_authorized('dashboard_activity_list',
context,
data_dict)
def tag_show_rest(context, data_dict):
return authz.is_authorized('tag_show', context, data_dict)
def resource_view_reorder(context, data_dict):
return authz.is_authorized('resource_update', context, {'id': data_dict['resource_id']})
def datastore_search_sql(up_func, context, data_dict):
return is_authorized('sysadmin', context)
def group_show(context, data_dict):
if not authz.is_authorized('member_list', context, {'id': data_dict.get('id')}).get('success'):
data_dict['include_users'] = False
return ckan.logic.action.get.group_show(context, data_dict)
def tag_autocomplete(context, data_dict):
return authz.is_authorized('tag_list', context, data_dict)
def resource_view_create(context, data_dict):
return authz.is_authorized('resource_create', context, {'id': data_dict['resource_id']})
def user_autocomplete(context, data_dict):
return authz.is_authorized('user_list', context, data_dict)
def package_create_default_resource_views(context, data_dict):
return authz.is_authorized('package_update', context,
data_dict['package'])
def group_follower_list(context, data_dict):
return authz.is_authorized('sysadmin', context, data_dict)
def package_revision_list(context, data_dict):
return authz.is_authorized('package_show', context, data_dict)
def spc_dcat_show(context, data_dict):
return is_authorized('package_show', context, data_dict)
def dashboard_new_activities_count(context, data_dict):
# FIXME: This should go through check_access() not call is_authorized()
# directly, but wait until 2939-orgs is merged before fixing this.
# This is so a better not authourized message can be sent.
return authz.is_authorized('dashboard_activity_list',
context, data_dict)
def group_show_rest(context, data_dict):
return authz.is_authorized('group_show', context, data_dict)