def authenticate(self, environ, identity):
if not ('login' in identity and 'password' in identity):
return None
login = identity['login']
user = User.by_name(login)
## HDX HACK ##
if user is None:
users = User.by_email(login)
try:
user = users[0]
except:
user = None
## END HDX HACK ##
if user is None:
log.debug('Login failed - username %r not found', login)
elif not user.is_active():
log.debug('Login as %r failed - user isn\'t active', login)
elif not user.validate_password(identity['password']):
log.debug('Login as %r failed - password not valid', login)
else:
return user.name
return None
def send_email(req):
requestee = User.get(req.user_id)
pkg = Package.get(req.pkg_id)
selrole = False
for role in pkg.roles:
if role.role == "admin":
selrole = role
if not selrole:
return
admin = User.get(selrole.user_id)
msg = _("""%s (%s) is requesting editor access to a dataset you have created
%s.
Please click this link if you want to give this user write access:
%s%s""")
controller = 'ckanext.kata.controllers:AccessRequestController'
body = msg % (requestee.name, requestee.email, pkg.title if pkg.title else pkg.name,
config.get('ckan.site_url', ''),
h.url_for(controller=controller,
action="unlock_access",
id=req.id))
email_dict = {}
email_dict["subject"] = _("Access request for dataset %s" % pkg.title if pkg.title else pkg.name)
email_dict["body"] = body
send_notification(admin.as_dict(), email_dict)
def authenticate(self, environ, identity):
if not ('login' in identity and 'password' in identity):
return None
login = identity['login']
user = User.by_name(login)
is_email = plugins.toolkit.config.get('ckan.authenticator.email', '').strip().lower() == 'true'
if user is None and is_email:
users = User.by_email(login)
try:
user = users[0]
except:
user = None
if user is None:
log.debug('Login failed - {} not found'.format(login))
elif not user.is_active():
log.debug('Login as {} failed - user isn\'t active'.format(login))
elif not user.validate_password(identity['password']):
log.debug('Login as {} failed - password not valid'.format(login))
else:
return user.name
return None
def authenticate(self, environ, identity):
if not ('login' in identity and 'password' in identity):
return None
login = identity['login']
user = User.by_name(login)
## HDX HACK ##
if user is None:
users = User.by_email(login)
try:
user = users[0]
except:
user = None
## END HDX HACK ##
if user is None:
log.debug('Login failed - username %r not found', login)
elif not user.is_active():
log.debug('Login as %r failed - user isn\'t active', login)
elif not user.validate_password(identity['password']):
log.debug('Login as %r failed - password not valid', login)
else:
return user.name
return None
def send_notifications_on_new_post(post, lang):
from ckan.model import User
template_dir = os.path.join(os.path.dirname(__file__), 'templates')
locale_dir = os.path.join(os.path.dirname(__file__), 'i18n')
env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir),
extensions=['jinja2.ext.i18n'])
translations = Translations.load(locale_dir, [lang],
domain='ckanext-forum')
env.install_gettext_translations(translations)
env.globals['get_locale'] = lambda: lang
post_author = User.get(post.author_id)
thread = Thread.get_by_id(post.thread_id)
author_ids = set([p.author_id
for p in thread.forum_posts] + [thread.author_id])
author_ids -= set([
u.user_id for u in Unsubscription.filter_by_thread_id(post.thread_id)
])
for author_id in author_ids:
if author_id == post_author.id:
continue
user = User.get(author_id)
unsubscribe_url = tk.url_for('forum_unsubscribe',
base64_name=base64.b64encode(user.name),
thread_id=thread.id)
context = {
'user_name':
user.name,
'site_title':
tk.config.get('ckan.site_title'),
'site_url':
tk.config.get('ckan.site_url'),
'post_content':
post.content,
'title':
env.globals['gettext']('New post'),
'unsubscribe_url':
urljoin(tk.config['ckan.site_url'], unsubscribe_url),
'username':
post_author.name,
'thread_url':
urljoin(tk.config['ckan.site_url'], thread.get_absolute_url()),
}
template = env.get_template('forum_new_post_mail.html')
body = template.render(context)
log.debug('Email body %s', body)
tk.get_action('send_mail')(
{}, {
'to': user.email,
'subject': env.globals['gettext']('New post'),
'message_html': body
})
def authenticate(self, environ, identity):
""" Mimic most of UsernamePasswordAuthenticator.authenticate
but add account lockout after 10 failed attempts.
"""
if 'login' not in identity or 'password' not in identity:
return None
login_name = identity.get('login')
user = User.by_name(login_name)
if user is None:
LOG.debug('Login failed - username %r not found', login_name)
return None
cache_key = '{}.ckanext.qgov.login_attempts.{}'.format(
g.site_id, login_name)
redis_conn = connect_to_redis()
try:
login_attempts = int(redis_conn.get(cache_key) or 0)
except ValueError:
# shouldn't happen but let's play it safe
login_attempts = 0
if login_attempts >= 10:
LOG.debug('Login as %r failed - account is locked', login_name)
elif user.validate_password(identity.get('password')):
if login_attempts > 0:
LOG.debug("Clearing failed login attempts for %s", login_name)
# reset attempt count to 0
redis_conn.delete(cache_key)
return user.name
else:
LOG.debug('Login as %r failed - password not valid', login_name)
redis_conn.set(cache_key, login_attempts + 1, ex=LOGIN_THROTTLE_EXPIRY)
return None
def resource_tracker_create(context, data_dict):
'''Append a new resource tracker to the list of resource log
:param resource_id: the id of the resource
:param event: the action which the user take
:param obj_type: object type which the user action is applied to.
:param user_id: the username of the user
'''
check_access('resource_tracker_create', context, data_dict)
data, errors = validate(data_dict, resource_tracker_create_schema(),
context)
if errors:
raise ValidationError(errors)
logger = User.get(context.get('user'))
if logger:
tracker = ResourceLog(
resource_id=data.get('resource_id'),
event=data.get('event'),
obj_type=data.get('obj_type'),
user_id=logger.name,
)
else:
tracker = ResourceLog(
resource_id=data.get('resource_id'),
event=data.get('event'),
obj_type=data.get('obj_type'),
user_id=None,
)
tracker.save()
return tracker.as_dict()
def harvest_source_create(context, data_dict):
model = context['model']
user = context.get('user', '')
# Non-logged users can not create sources
if not user:
return {
'success':
False,
'msg':
_('Non-logged in users are not authorized to create harvest sources'
)
}
# Sysadmins and the rest of logged users can create sources,
# as long as they belong to a publisher
user_obj = User.get(user)
if not user_obj or not ckan.new_authz.is_sysadmin(user) and len(
user_obj.get_groups(u'organization')) == 0:
return {
'success':
False,
'msg':
_('User %s must belong to a publisher to create harvest sources') %
str(user)
}
else:
return {'success': True}
def authenticate(self, environ, identity):
if not 'login' in identity or not 'password' in identity:
return None
user = User.by_name(identity.get('login'))
if user is None:
log.debug('Login failed - username %r not found',
identity.get('login'))
return None
seedUser = Session.query(SEEDUser).filter_by(
name=identity.get('login')).first()
if seedUser.login_attempts >= 10:
log.debug('Login as %r failed - account is locked',
identity.get('login'))
elif user.validate_password(identity.get('password')):
# reset attempt count to 0
seedUser.login_attempts = 0
Session.commit()
return user.name
else:
log.debug('Login as %r failed - password not valid',
identity.get('login'))
seedUser.login_attempts += 1
Session.commit()
return None
def email_exists(key, data, errors, context):
result = User.by_email(data[key])
if result:
errors[('email', )] = errors.get(key, [])
errors[('email', )] = [
_('An account is already registered to that email.')
]
def authenticate(self, environ, identity):
if not ('login' in identity and 'password' in identity):
return None
login = identity['login']
user = User.by_name(login)
if user is None:
log.debug('Login failed - username %r not found', login)
elif not user.is_active():
log.debug('Login as %r failed - user isn\'t active', login)
elif not user.validate_password(identity['password']):
log.debug('Login as %r failed - password not valid', login)
else:
msg = h.get_billing_api("api/RegisterAndSession/login",
request_type='post',
ckan_user_id=user.id,
ckan_user_name=user.name,
role=authz.is_sysadmin(login))
decoded = json.loads(msg)
if decoded['msg'] == 'error':
log.debug(
'Login as %r failed - Create the login session failed',
login)
elif decoded['msg'] == 'success':
return user.name
else:
return user.name
log.debug(
'Login as %r failed - api/RegisterAndSession/login return wrong data',
login)
return None
def authenticate(self, environ, identity):
request = Request(environ)
if request.method == 'POST':
came_from = request.params.get('came_from')
if came_from == "/user/logged_in":
if not custom_captcha.check_recaptcha(request):
log.debug('Bad Captcha error')
return None
if not ('login' in identity and 'password' in identity):
return None
login = identity['login']
user = User.by_name(login)
if user is None:
log.debug('Login failed - username %r not found', login)
elif not user.is_active():
log.debug('Login as %r failed - user isn\'t active', login)
elif not user.validate_password(identity['password']):
log.debug('Login as %r failed - password not valid', login)
else:
return user.name
return None
def command(self):
self._load_config()
self._user = User.get(self.site_user['name'])
with app_context() as context:
context.g.user = self.site_user['name']
context.g.userobj = self._user
self.migrate_all_resources()
def authenticate(self, environ, identity):
""" Mimic most of UsernamePasswordAuthenticator.authenticate
but add account lockout after 10 failed attempts.
"""
if 'login' not in identity or 'password' not in identity:
return None
user = User.by_name(identity.get('login'))
if user is None:
LOG.debug('Login failed - username %r not found',
identity.get('login'))
return None
qgov_user = Session.query(QGOVUser).filter_by(
name=identity.get('login')).first()
if qgov_user.login_attempts >= 10:
LOG.debug('Login as %r failed - account is locked',
identity.get('login'))
elif user.validate_password(identity.get('password')):
# reset attempt count to 0
qgov_user.login_attempts = 0
Session.commit()
return user.name
else:
LOG.debug('Login as %r failed - password not valid',
identity.get('login'))
qgov_user.login_attempts += 1
Session.commit()
return None
def harvest_job_create(context, data_dict):
model = context['model']
user = context.get('user')
source_id = data_dict['source_id']
if not user:
return {
'success':
False,
'msg':
_('Non-logged in users are not authorized to create harvest jobs')
}
if ckan.new_authz.is_sysadmin(user):
return {'success': True}
user_obj = User.get(user)
source = HarvestSource.get(source_id)
if not source:
raise NotFound
if not user_obj or not source.publisher_id in [
g.id for g in user_obj.get_groups(u'organization')
]:
return {
'success':
False,
'msg':
_('User %s not authorized to create a job for source %s') %
(str(user), source.id)
}
else:
return {'success': True}
def is_owner(context, data_dict):
'''
This is used in "request edit rights" feature.
Checks if the user is admin or editor of the
package in question
:param context: context
:param data_dict: package data
:type data_dict: dictionary
:rtype: dictionary
'''
pkg = context.get('package', None)
roles = pkg.roles if pkg else Package.get(data_dict['id']).roles
user = context.get('user', False)
if user:
for role in roles:
ruser = User.get(role.user.id)
if user == ruser.name and role.role in ('admin', 'editor'):
return {'success': True}
# Check if the user has editor rights to this dataset through an organization
package = get_package_object(context, data_dict)
if new_authz.has_user_permission_for_group_or_org(package.owner_org, user, 'delete_dataset'):
return {'success': True}
return {'success': False}
def harvest_job_show(context, data_dict):
model = context['model']
user = context.get('user')
job = get_job_object(context, data_dict)
if not user:
return {
'success': False,
'msg':
_('Non-logged in users are not authorized to see harvest jobs')
}
if Authorizer().is_sysadmin(user):
return {'success': True}
user_obj = User.get(user)
if not user_obj or not job.source.publisher_id in [
g.id for g in user_obj.get_groups(u'publisher')
]:
return {
'success':
False,
'msg':
_('User %s not authorized to read harvest job %s') %
(str(user), job.id)
}
else:
return {'success': True}
def harvest_source_update(context, data_dict):
model = context['model']
user = context.get('user', '')
source = get_source_object(context, data_dict)
# Non-logged users can not update this source
if not user:
return {
'success':
False,
'msg':
_('Non-logged in users are not authorized to update harvest sources'
)
}
# Sysadmins can update the source
if Authorizer().is_sysadmin(user):
return {'success': True}
# Check if the source publisher id exists on the user's groups
user_obj = User.get(user)
if not user_obj or not source.publisher_id in [
g.id for g in user_obj.get_groups(u'publisher')
]:
return {
'success':
False,
'msg':
_('User %s not authorized to update harvest source %s') %
(str(user), source.id)
}
else:
return {'success': True}
def harvesters_info_show(context, data_dict):
model = context['model']
user = context.get('user', '')
# Non-logged users can not create sources
if not user:
return {
'success': False,
'msg': _('Non-logged in users can not see the harvesters info')
}
# Sysadmins and the rest of logged users can see the harvesters info,
# as long as they belong to a publisher
user_obj = User.get(user)
if not user_obj or not Authorizer().is_sysadmin(user) and len(
user_obj.get_groups(u'publisher')) == 0:
return {
'success':
False,
'msg':
_('User %s must belong to a publisher to see the harvesters info')
% str(user)
}
else:
return {'success': True}
def harvest_source_list(context, data_dict):
model = context['model']
user = context.get('user')
# Here we will just check that the user is logged in.
# The logic action will return an empty list if the user does not
# have permissons on any source.
if not user:
return {
'success': False,
'msg': _('Only logged users are authorized to see their sources')
}
else:
user_obj = User.get(user)
assert user_obj
# Only users belonging to a publisher can list sources,
# unless they are sysadmins
if Authorizer().is_sysadmin(user_obj):
return {'success': True}
if len(user_obj.get_groups(u'publisher')) > 0:
return {'success': True}
else:
return {
'success':
False,
'msg':
_('User %s must belong to a publisher to list harvest sources')
% str(user)
}
def send(self, pkg_id):
package = Package.get(pkg_id)
url = h.url_for(controller='package',
action="read",
id=package.id)
if c.user:
userid = None
for role in package.roles:
if role.role == "admin":
userid = role.user_id
break
if userid:
owner = User.get(userid)
msg = request.params.get('msg', '')
if msg:
send_contact_email(owner, c.userobj, package,\
msg)
else:
h.flash_error(_("No message"))
return redirect(url)
else:
h.flash_error(_("No owner found"))
return redirect(url)
h.flash_notice(_("Message sent"))
else:
h.flash_error(_("Please login"))
return redirect(url)
def inventory_resource_show(context, data_dict):
model = context['model']
user = User.by_name(context.get('user'))
resource = get_resource_object(context, data_dict)
# check authentication against package
pkg = model.Package.get(resource.package_id)
if not pkg:
raise logic.NotFound(
_('No package found for this resource,'
' cannot check auth.'))
if user is None:
if pkg.private:
return {'success': False}
else:
return {'success': True}
else:
pkg_dict = {'id': pkg.id}
authorized = authz.is_authorized('package_show', context, pkg_dict) \
.get('success')
if not authorized:
return {
'success':
False,
'msg':
_('User %s not authorized to read resource %s') %
(user, resource.id)
}
else:
return {'success': True}
def harvest_jobs_run(context,data_dict):
model = context['model']
user = context.get('user')
# Check user is logged in
if not user:
return {'success': False, 'msg': _('Only logged users are authorized to run harvest jobs')}
user_obj = User.get(user)
# Checks for non sysadmin users
if not Authorizer().is_sysadmin(user):
if not user_obj or len(user_obj.get_groups(u'publisher')) == 0:
return {'success': False, 'msg': _('User %s must belong to a publisher to run harvest jobs') % str(user)}
source_id = data_dict.get('source_id',False)
if not source_id:
return {'success': False, 'msg': _('Only sysadmins can run all harvest jobs') % str(user)}
source = HarvestSource.get(source_id)
if not source:
raise NotFound
if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
return {'success': False, 'msg': _('User %s not authorized to run jobs from source %s') % (str(user),source.id)}
return {'success': True}
def get_user(openid):
username = get_username(openid)
user = User.by_name(username)
if user:
user_dict = toolkit.get_action('user_show')(data_dict={'id': user.id})
return user_dict
else:
return None
def _get_sources_for_user(context,
data_dict,
organization_id=None,
limit=None):
session = context['session']
user = context.get('user', '')
only_active = data_dict.get('only_active', False)
only_to_run = data_dict.get('only_to_run', False)
query = session.query(HarvestSource) \
.order_by(HarvestSource.created.desc())
if organization_id:
query = query.join(Package, HarvestSource.id == Package.id).filter(
Package.owner_org == organization_id)
if only_active:
query = query.filter(
HarvestSource.active == True # noqa: E712
) \
if only_to_run:
query = query.filter(HarvestSource.frequency != 'MANUAL')
query = query.filter(
or_(
HarvestSource.next_run <= datetime.datetime.utcnow(),
HarvestSource.next_run == None # noqa: E711
))
user_obj = User.get(user)
# Sysadmins will get all sources
if user_obj and not user_obj.sysadmin:
# This only applies to a non sysadmin user when using the
# publisher auth profile. When using the default profile,
# normal users will never arrive at this point, but even if they
# do, they will get an empty list.
publisher_filters = []
publishers_for_the_user = user_obj.get_groups(u'publisher')
for publisher_id in [g.id for g in publishers_for_the_user]:
publisher_filters.append(
HarvestSource.publisher_id == publisher_id)
if len(publisher_filters):
query = query.filter(or_(*publisher_filters))
else:
# This user does not belong to a publisher yet, no sources for him/her
return []
log.debug('User %s with publishers %r has Harvest Sources: %r', user,
publishers_for_the_user, [(hs.id, hs.url) for hs in query])
sources = query.limit(limit).all() if limit else query.all()
return sources
def authenticate(self, environ, identity):
if 'repoze.who.plugins.openid.userid' in identity:
openid = identity['repoze.who.plugins.openid.userid']
user = User.by_openid(openid)
if user is None or not user.is_active():
return None
else:
return user.name
return None
def authenticate(self, environ, identity):
if 'repoze.who.plugins.openid.userid' in identity:
openid = identity['repoze.who.plugins.openid.userid']
user = User.by_openid(openid)
if user is None or not user.is_active():
return None
else:
return user.name
return None
def authenticate(self, environ, identity):
if 'repoze.who.plugins.openid.userid' in identity:
openid = identity.get('repoze.who.plugins.openid.userid')
user = User.by_openid(openid)
if user is None:
return None
else:
return user.name
return None
def authenticate(self, environ, identity):
if not 'login' in identity or not 'password' in identity:
return None
user = User.by_name(identity.get('login'))
if user is None:
return None
if user.validate_password(identity.get('password')):
return user.name
return None
def authenticate(self, environ, identity):
if 'repoze.who.plugins.openid.userid' in identity:
openid = identity.get('repoze.who.plugins.openid.userid')
user = User.by_openid(openid)
if user is None:
return None
else:
return user.name
return None
def default_authenticate(identity: 'Mapping[str, Any]') -> Optional["User"]:
if not ('login' in identity and 'password' in identity):
return None
login = identity['login']
user_obj = User.by_name(login)
if not user_obj:
user_obj = User.by_email(login)
if user_obj is None:
log.debug('Login failed - username or email %r not found', login)
elif not user_obj.is_active:
log.debug('Login as %r failed - user isn\'t active', login)
elif not user_obj.validate_password(identity['password']):
log.debug('Login as %r failed - password not valid', login)
else:
return user_obj
signals.failed_login.send(login)
return None
def test_authenticate_step_two(self):
plugin = self._makeOne()
environ = {"REQUEST_METHOD": "GET", "QUERY_STRING": "oauth_token=foo", "ckan.who.oauth.challenge": "1"}
identity = plugin.identify(environ)
username = identity.get("repoze.who.userid")
self.assertEqual(username, "boz")
user = User.by_name("boz")
self.assertEqual(user.email, "*****@*****.**")
groups = Session.query(AuthorizationGroup).filter(AuthorizationGroup.users.contains(user))
self.assertEqual(groups.count(), 1)
def get_ckanuser(self, user):
user_ckan = User.by_name(user)
if user_ckan:
user_dict = toolkit.get_action('user_show')(data_dict={
'id': user_ckan.id
})
return user_dict
else:
return None
def authenticate(self, environ, identity):
'''Fetch the user given its username in identity'''
if 'username' in identity:
user = User.by_name(identity['username'])
if user is None:
return None
else:
identity.update({'repoze.who.userid': user.name})
return user.name
return None
def user_organizations(user):
u = User.get(user['name'])
groups = u.get_groups(group_type="organization")
groups_data = []
for group in groups:
context = {'model': model}
data_dict = {'id': group.id, "include_extra": True, 'all_fields': True}
group_dict = get_action('organization_show')(context, data_dict)
groups_data.append(group_dict)
return groups_data
def authenticate(self, environ, identity):
if 'repoze.who.plugins.openid.userid' in identity:
openid = identity.get('repoze.who.plugins.openid.userid')
user = User.by_openid(openid)
if user is None:
# TODO: Implement a mask to ask for an alternative user
# name instead of just using the OpenID identifier.
name = identity.get('repoze.who.plugins.openid.nickname')
if not User.check_name_valid(name):
name = openid
if not User.check_name_available(name):
name = openid
user = User(openid=openid, name=name,
fullname=identity.get('repoze.who.plugins.openid.fullname'),
email=identity.get('repoze.who.plugins.openid.email'))
Session.add(user)
Session.commit()
Session.remove()
return user.name
return None
def unsubscribe(self, base64_name, thread_id):
log.debug('Unsubscribing %s %s', base64.b64decode(base64_name),
thread_id)
thread = Thread.get_by_id(thread_id)
user = User.get(base64.b64decode(base64_name))
if not thread or not user:
abort(404)
Unsubscription.add(user.id, thread.id)
flash_success(tk._('You successfully unsibsribed'))
tk.redirect_to(thread.get_absolute_url())
def authenticate(self, environ, identity):
if not 'login' in identity or not 'password' in identity:
return None
user = User.by_name(identity.get('login'))
if user is None:
log.debug('Login failed - username %r not found', identity.get('login'))
return None
if user.validate_password(identity.get('password')):
return user.name
log.debug('Login as %r failed - password not valid', identity.get('login'))
return None
def get_user_list_by_email(value):
"""
Get user id/name given email. Validate email beforehand.
"""
users = []
try:
potential_users = User.by_email(value)
return potential_users
except Exception as e:
log.error(e)
return users
def is_owner(context, data_dict):
pkg = context.get('package', None)
roles = pkg.roles if pkg else Package.get(data_dict['id']).roles
user = context.get('user', False)
if user:
for role in roles:
ruser = User.get(role.user_id)
if user == ruser.name and role.role in ('admin', 'editor'):
return {'success': True}
else:
return {'success': False}
return {'success': False}
def authenticate(self, environ, identity):
if 'shibboleth_auth' in identity:
userid = identity['shibboleth_auth']
user = User.get(userid)
if user is None or not user.is_active():
log.info("ShibbolethAuthenticator: user not found: %s", userid)
return None
else:
log.info("ShibbolethAuthenticator: user found %s", userid)
return user.name
return None
def send_edit_access_request_email(req):
"""
Send edit access request email.
:param user_id: user who requests access
:param pkg_id: dataset's id
"""
requester = User.get(req.user_id)
pkg = Package.get(req.pkg_id)
selrole = False
for role in pkg.roles:
if role.role == "admin":
selrole = role
if not selrole:
return
admin = User.get(selrole.user_id)
admin_dict = admin.as_dict()
admin_dict['name'] = admin.fullname if admin.fullname else admin.name
msg = u'{a} ({b}) is requesting editing rights to the metadata in dataset\n\n{c}\n\n\
for which you are currently an administrator. Please click this \
link if you want to allow this user to edit the metadata of the dataset:\n\
{d}\n\n{a} ({b}) pyytää muokkausoikeuksia tietoaineiston\n\n{c}\n\n\
metatietoihin, joiden ylläpitäjä olet. Klikkaa linkkiä, jos haluat tämän käyttäjän \
saavan muokkausoikeudet aineiston metatietoihin:\n\
{d}\n'
controller = 'ckanext.kata.controllers:EditAccessRequestController'
requester_name = requester.fullname if requester.fullname else requester.name
accessurl = config.get('ckan.site_url', '') + h.url_for(controller=controller, action="unlock_access", id=req.id)
body = msg.format(a=requester_name, b=requester.email, c=pkg.title if pkg.title else pkg.name, d=accessurl)
email_dict = {}
email_dict["subject"] = u"Access request for dataset / pyyntö koskien tietoaineistoa %s" % pkg.title if pkg.title else pkg.name
email_dict["body"] = body
send_notification(admin_dict, email_dict)
def _get_sources_for_user(context, data_dict):
model = context['model']
session = context['session']
user = context.get('user', '')
only_active = data_dict.get('only_active', False)
only_to_run = data_dict.get('only_to_run', False)
query = session.query(HarvestSource) \
.order_by(HarvestSource.created.desc())
if only_active:
query = query.filter(HarvestSource.active) \
if only_to_run:
query = query.filter(HarvestSource.frequency != 'MANUAL')
query = query.filter(or_(HarvestSource.next_run <=
datetime.datetime.utcnow(),
HarvestSource.next_run is None))
user_obj = User.get(user)
# Sysadmins will get all sources
if user_obj and not user_obj.sysadmin:
# This only applies to a non sysadmin user when using the
# publisher auth profile. When using the default profile,
# normal users will never arrive at this point, but even if they
# do, they will get an empty list.
publisher_filters = []
publishers_for_the_user = user_obj.get_groups(u'publisher')
for publisher_id in [g.id for g in publishers_for_the_user]:
publisher_filters.append(
HarvestSource.publisher_id == publisher_id)
if len(publisher_filters):
query = query.filter(or_(*publisher_filters))
else:
# This user does not belong to a publisher yet, no sources for
# him/her
return []
log.debug('User %s with publishers %r has Harvest Sources: %r',
user, publishers_for_the_user,
[(hs.id, hs.url) for hs in query])
sources = query.all()
return sources
def harvest_source_create(context,data_dict):
model = context['model']
user = context.get('user','')
# Non-logged users can not create sources
if not user:
return {'success': False, 'msg': _('Non-logged in users are not authorized to create harvest sources')}
# Sysadmins and the rest of logged users can create sources,
# as long as they belong to a publisher
user_obj = User.get(user)
if not user_obj or not Authorizer().is_sysadmin(user) and len(user_obj.get_groups(u'publisher')) == 0:
return {'success': False, 'msg': _('User %s must belong to a publisher to create harvest sources') % str(user)}
else:
return {'success': True}
def preauthenticate(self, environ, identity):
# turn the oauth identity into a CKAN one; set it in our identity
import oauth2 as oauth
try:
access_token = dict(urlparse.parse_qsl(identity['userdata']))
oauth_token = access_token['oauth_token']
oauth_token_secret = access_token['oauth_token_secret']
except KeyError:
return None
access_token = oauth.Token(oauth_token,
oauth_token_secret)
client = oauth.Client(self.consumer, access_token)
resp, content = client.request(self.user_url, "GET")
data = json.loads(content)
user_id = data['id']
logging.info("Preauth: Got oauth user data for user %s" % user_id)
user = User.by_openid(user_id)
if user is None:
user = User(openid=user_id,
name=data['id'],
fullname=data['name'],
email=data['mail'])
Session.add(user)
else:
user.fullname = data['name'] # if the name is updated
Session.commit()
Session.remove()
logging.info("Preauth: Created new/updated user %s" % user_id)
# deal with groups
user_groups = data['groups']
_sync_auth_groups(user, user_groups)
name = user.name.encode("utf8")
logging.info("Preauth: Returning user identifier %s" % name)
identity['repoze.who.userid'] = name
return identity
def harvesters_info_show(context,data_dict):
model = context['model']
user = context.get('user','')
# Non-logged users can not create sources
if not user:
return {'success': False, 'msg': _('Non-logged in users can not see the harvesters info')}
# Sysadmins and the rest of logged users can see the harvesters info,
# as long as they belong to a publisher
user_obj = User.get(user)
if not user_obj or not authz.is_sysadmin(user) and len(user_obj.get_groups(u'publisher')) == 0:
return {'success': False, 'msg': _('User %s must belong to a publisher to see the harvesters info') % str(user)}
else:
return {'success': True}
def harvest_source_create(context, data_dict):
model = context["model"]
user = context.get("user", "")
# Non-logged users can not create sources
if not user:
return {"success": False, "msg": _("Non-logged in users are not authorized to create harvest sources")}
# Sysadmins and the rest of logged users can create sources,
# as long as they belong to a publisher
user_obj = User.get(user)
if not user_obj or not authz.is_sysadmin(user) and len(user_obj.get_groups(u"publisher")) == 0:
return {"success": False, "msg": _("User %s must belong to a publisher to create harvest sources") % str(user)}
else:
return {"success": True}
def unlock_access(self, id):
q = model.Session.query(KataAccessRequest)
q = q.filter_by(id=id)
req = q.first()
if req:
user = User.get(req.user_id)
pkg = Package.get(req.pkg_id)
add_user_to_role(user, 'editor', pkg)
url = h.url_for(controller='package', action='read', id=req.pkg_id)
h.flash_success(_("%s now has editor rights to package %s" % (user.name, pkg.name)))
req.delete()
meta.Session.commit()
redirect(url)
else:
h.flash_error(_("No such request found!"))
redirect('/')
def user_autocomplete(context, data_dict):
'''
Override to explicitly allow logged in users to have
user autocompletion even if user_list is disallowed.
:param context:
:param data_dict:
:return:
'''
user_name = context.get('user')
user_obj = User.get(user_name) if user_name else None
if user_obj:
return {'success': True}
else:
return {'success': False}
def after_search(self, search_params, search_results):
context = {'model': ckan.model,
'session': ckan.model.Session,
'user': pylons.c.user}
#set permission level: read (default is edit)
data_dict = {'user': pylons.c.user, 'permission': 'read'}
#get list of organisations that the user is a member of
orgs = ckan.logic.get_action('organization_list_for_user')(context, data_dict)
#user doesn't belong to an organisation
if not orgs:
print ('User is not a member of any organisations!')
c.maintainers = []
return search_params
#get a distinct list of members who belong to the organisations
members = []
for org in orgs:
params = {'id': org['id'], 'object_type': 'user'}
member_list = ckan.logic.get_action('member_list')(context, params)
for m in member_list:
members.append(m)
memberset = set(members)
#need the user name to match with the maintainer field
current_user_name = None
member_names = []
for member in memberset:
user = User.get(member[0]) #user id
member_names.append(user.name)
#get all maintainers
maintainers = [p[0] for p in meta.Session.query(distinct(Package.maintainer)) if p[0]]
maintset = set(maintainers)
#filter maintainers by user-related organisation members
results = maintset.intersection(member_names)
c.maintainers = results
return search_params
def harvest_job_show(context,data_dict):
model = context['model']
user = context.get('user')
job = get_job_object(context,data_dict)
if not user:
return {'success': False, 'msg': _('Non-logged in users are not authorized to see harvest jobs')}
if Authorizer().is_sysadmin(user):
return {'success': True}
user_obj = User.get(user)
if not user_obj or not job.source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
return {'success': False, 'msg': _('User %s not authorized to read harvest job %s') % (str(user),job.id)}
else:
return {'success': True}
def _get_sources_for_user(context,data_dict):
model = context['model']
session = context['session']
user = context.get('user','')
only_mine = data_dict.get('only_mine', False)
only_active = data_dict.get('only_active',False)
only_organization = data_dict.get('organization') or data_dict.get('group')
query = session.query(HarvestSource) \
.order_by(HarvestSource.created.desc())
if only_active:
query = query.filter(HarvestSource.active==True) \
if only_mine:
# filter to only harvest sources from this user's organizations
user_obj = User.get(user)
publisher_filters = []
publishers_for_the_user = user_obj.get_groups(u'organization')
for publisher_id in [g.id for g in publishers_for_the_user]:
publisher_filters.append(HarvestSource.publisher_id==publisher_id)
if len(publisher_filters):
query = query.filter(or_(*publisher_filters))
else:
# This user does not belong to a publisher yet, no sources for him/her
return []
log.debug('User %s with publishers %r has Harvest Sources: %r',
user, publishers_for_the_user, [(hs.id, hs.url) for hs in query])
if only_organization:
org = model.Group.get(only_organization)
if not org:
raise p.toolkit.ObjectNotFound('Could not find: %s' % only_organization)
query = query.filter(HarvestSource.publisher_id==org.id)
sources = query.all()
return sources
def test_harvester_import(self):
harv, job = self._create_harvester()
res = "http://www.fsd.uta.fi/fi/aineistot/luettelo/FSD0115/FSD0115.xml"
urllib2.urlopen = mock.Mock(return_value=StringIO(res))
gathered = harv.gather_stage(job)
urllib2.urlopen = mock.Mock(return_value=StringIO(testdata.nr1))
harvest_obj = HarvestObject.get(gathered[0])
self.assert_(harv.fetch_stage(harvest_obj))
self.assert_(isinstance(json.loads(harvest_obj.content), dict))
self.assert_(harv.import_stage(harvest_obj))
self.assert_(len(Session.query(Package).all()) == 1)
# Lets see if the package is ok, according to test data
pkg = Session.query(Package).filter(Package.title == "Puolueiden ajankohtaistutkimus 1981").one()
self.assert_(pkg.title == "Puolueiden ajankohtaistutkimus 1981")
log.debug(pkg.extras)
self.assert_(len(pkg.get_groups()) == 2)
self.assert_(len(pkg.resources) == 4)
self.assert_(len(pkg.get_tags()) == 9)
self.assert_(pkg.url == "http://www.fsd.uta.fi/fi/aineistot/luettelo/FSD0115/FSD0115.xml")
self.assert_(isinstance(pkg.extras, _AssociationDict))
self.assert_(len(pkg.extras.items()) > 1)
urllib2.urlopen = mock.Mock(return_value=StringIO(testdata.nr2))
harvest_obj = HarvestObject.get(gathered[0])
harvest_obj.content = json.dumps({'url': 'http://foo'})
self.assert_(harv.fetch_stage(harvest_obj))
self.assert_(isinstance(json.loads(harvest_obj.content), dict))
self.assert_(harv.import_stage(harvest_obj))
self.assert_(len(Session.query(Package).all()) == 2)
# Test user access
user = User.get('testlogin2')
grp = pkg.get_groups()[0]
context = {'user': user.name, 'model': model}
data_dict = {'id': pkg.id}
auth_dict = package_show(context, data_dict)
self.assert_(auth_dict['success'])
data_dict = {'id': grp.id}
context = {'user': '', 'model': model}
auth_dict = group_show(context, data_dict)
self.assert_(auth_dict['success'])
def authenticate(self, environ, identity):
if not ('login' in identity and 'password' in identity):
return None
login = identity['login']
user_list = User.by_email(login)
if not user_list:
log.debug('Login failed - email %r not found', login)
return None
user = user_list[0]
if not user.is_active():
log.debug('Login as %r failed - user isn\'t active', login)
elif not user.validate_password(identity['password']):
log.debug('Login as %r failed - password not valid', login)
else:
return user.name
return None
def harvest_source_show(context,data_dict):
model = context['model']
user = context.get('user','')
source = get_source_object(context,data_dict)
# Non-logged users can not read the source
if not user:
return {'success': False, 'msg': _('Non-logged in users are not authorized to see harvest sources')}
# Sysadmins can read the source
if Authorizer().is_sysadmin(user):
return {'success': True}
# Check if the source publisher id exists on the user's groups
user_obj = User.get(user)
if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
return {'success': False, 'msg': _('User %s not authorized to read harvest source %s') % (str(user),source.id)}
else:
return {'success': True}
def harvest_object_show(context,data_dict):
model = context['model']
user = context.get('user')
obj = get_obj_object(context,data_dict)
if context.get('ignore_auth', False):
return {'success': True}
if not user:
return {'success': False, 'msg': _('Non-logged in users are not authorized to see harvest objects')}
if authz.is_sysadmin(user):
return {'success': True}
user_obj = User.get(user)
if not user_obj or not obj.source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
return {'success': False, 'msg': _('User %s not authorized to read harvest object %s') % (str(user),obj.id)}
else:
return {'success': True}
def harvest_source_delete(context,data_dict):
model = context['model']
user = context.get('user','')
source = get_source_object(context,data_dict)
# Non-logged users cannot delete this source
if not user:
return {'success': False, 'msg': _('Non-logged in users are not authorized to delete harvest sources')}
# Sysadmins can delete the source
if ckan.new_authz.is_sysadmin(user):
return {'success': True}
# Check if the source publisher id exists on the user's groups
user_obj = User.get(user)
if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'organization')]:
return {'success': False, 'msg': _('User %s not authorized to delete harvest source %s') % (str(user),source.id)}
else:
return {'success': True}
