def access_request_update(context, data_dict): user = context.get('user') request_id = toolkit.get_or_bust(data_dict, "id") request = model.Session.query(AccessRequest).get(request_id) if not request: raise toolkit.ObjectNotFound("Access Request not found") if request.object_type not in ['organization', 'package', 'user']: raise toolkit.Invalid("Unknown Object Type") if request.object_type == 'package': package = toolkit.get_action('package_show')(context, { 'id': request.object_id }) org_id = package['owner_org'] return { 'success': has_user_permission_for_group_or_org(org_id, user, 'admin') } elif request.object_type == 'organization': org_id = request.object_id return { 'success': has_user_permission_for_group_or_org(org_id, user, 'admin') } elif request.object_type == 'user': data_dict = { 'id': request.object_id, 'renew_expiry_date': request.data.get( 'user_request_type', USER_REQUEST_TYPE_NEW) == USER_REQUEST_TYPE_RENEWAL } return external_user_update_state(context, data_dict)
def user_has_admin_editor_org_access(group_id, user_name): """ Return False if the user does not have admin, editor, or sysadmin access to the datasets organisation. """ return authz.has_user_permission_for_group_or_org(group_id, user_name, 'create_dataset')
def page_privacy(context, data_dict): if db.pages_table is None: db.init_db(context['model']) org_id = data_dict.get('org_id') page = data_dict.get('page') out = db.Page.get(group_id=org_id, name=page) if out and out.private == False: return {'success': True} # no org_id means it's a universal page if not org_id: if out and out.private: return {'success': False} return {'success': True} group = context['model'].Group.get(org_id) user = context['user'] authorized = authz.has_user_permission_for_group_or_org( group.id, user, 'read') if not authorized: return { 'success': False, 'msg': p.toolkit._('User %s not authorized to read this page') % user } else: return {'success': True}
def package_create(context, data_dict=None): user = context['user'] if authz.auth_is_anon_user(context): check1 = all(authz.check_config_permission(p) for p in ( 'anon_create_dataset', 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) else: check1 = all(authz.check_config_permission(p) for p in ( 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) or authz.has_user_permission_for_some_org( user, 'create_dataset') if not check1: return {'success': False, 'msg': _('User %s not authorized to create packages') % user} check2 = _check_group_auth(context,data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user} # If an organization is given are we able to add a dataset to it? data_dict = data_dict or {} org_id = data_dict.get('owner_org') if org_id and not authz.has_user_permission_for_group_or_org( org_id, user, 'create_dataset'): return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user} return {'success': True}
def get_packages_for_this_group(group_, just_the_count=False): # Ask SOLR for the list of packages for this org/group q = { 'facet': 'false', 'rows': 0, } if group_.is_organization: q['fq'] = 'owner_org:"{0}"'.format(group_.id) else: q['fq'] = 'groups:"{0}"'.format(group_.name) # Allow members of organizations to see private datasets. if group_.is_organization: is_group_member = (context.get('user') and authz.has_user_permission_for_group_or_org( group_.id, context.get('user'), 'read')) if is_group_member: context['ignore_capacity_check'] = True if not just_the_count: # Is there a packages limit in the context? try: packages_limit = context['limits']['packages'] except KeyError: q['rows'] = 1000 # Only the first 1000 datasets are returned else: q['rows'] = packages_limit search_context = dict((k, v) for (k, v) in context.items() if k != 'schema') search_results = logic.get_action('package_search')(search_context, q) return search_results['count'], search_results['results']
def owner_org_validator(key, data, errors, context): value = data.get(key) if value is missing or value is None: if not authz.check_config_permission('create_unowned_dataset'): raise Invalid(_('An organization must be provided')) data.pop(key, None) raise df.StopOnError model = context['model'] user = context['user'] user = model.User.get(user) if value == '': if not authz.check_config_permission('create_unowned_dataset'): raise Invalid(_('An organization must be provided')) return group = model.Group.get(value) if not group: raise Invalid(_('Organization does not exist')) group_id = group.id if not context.get(u'ignore_auth', False) and not ( user.sysadmin or authz.has_user_permission_for_group_or_org( group_id, user.name, 'create_dataset')): raise Invalid(_('You cannot add a dataset to this organization')) data[key] = group_id
def get_packages_for_this_group(group_, just_the_count=False): # Ask SOLR for the list of packages for this org/group q = { 'facet': 'false', 'rows': 0, } if group_.is_organization: q['fq'] = 'owner_org:"{0}"'.format(group_.id) else: q['fq'] = 'groups:"{0}"'.format(group_.name) # Allow members of organizations to see private datasets. if group_.is_organization: is_group_member = (context.get('user') and authz.has_user_permission_for_group_or_org( group_.id, context.get('user'), 'read')) if is_group_member: q['include_private'] = True if not just_the_count: # Is there a packages limit in the context? try: packages_limit = context['limits']['packages'] except KeyError: q['rows'] = 1000 # Only the first 1000 datasets are returned else: q['rows'] = packages_limit search_context = dict( (k, v) for (k, v) in context.items() if k != 'schema') search_results = logic.get_action('package_search')(search_context, q) return search_results['count'], search_results['results']
def owner_org_validator(key, data, errors, context): value = data.get(key) if value is missing or value is None: if not authz.check_config_permission('create_unowned_dataset'): raise Invalid(_('An organization must be provided')) data.pop(key, None) raise df.StopOnError model = context['model'] user = context['user'] user = model.User.get(user) if value == '': if not authz.check_config_permission('create_unowned_dataset'): raise Invalid(_('An organization must be provided')) return group = model.Group.get(value) if not group: raise Invalid(_('Organization does not exist')) group_id = group.id if not context.get(u'ignore_auth', False) and not(user.sysadmin or authz.has_user_permission_for_group_or_org( group_id, user.name, 'create_dataset')): raise Invalid(_('You cannot add a dataset to this organization')) data[key] = group_id
def page_privacy(context, data_dict): if db.pages_table is None: db.init_db(context['model']) org_id = data_dict.get('org_id') page = data_dict.get('page') out = db.Page.get(group_id=org_id, name=page) if out and out.private == False: return {'success': True} # CCG change: permit anonymous listing of available pages if page == '' and out is None: return {'success': True} # no org_id means it's a universal page if not org_id: if out and out.private: return {'success': False} return {'success': True} group = context['model'].Group.get(org_id) user = context['user'] authorized = authz.has_user_permission_for_group_or_org(group.id, user, 'read') if not authorized: return {'success': False, 'msg': p.toolkit._( 'User %s not authorized to read this page') % user} else: return {'success': True}
def _pages_list(context, data_dict): search = {} if db.pages_table is None: db.init_db(context['model']) org_id = data_dict.get('org_id') ordered = data_dict.get('order') order_publish_date = data_dict.get('order_publish_date') page_type = data_dict.get('page_type') private = data_dict.get('private', True) if ordered: search['order'] = True if page_type: search['page_type'] = page_type if order_publish_date: search['order_publish_date'] = True if not org_id: search['group_id'] = None try: p.toolkit.check_access('ckanext_pages_update', context, data_dict) if not private: search['private'] = False except p.toolkit.NotAuthorized: search['private'] = False else: group = context['model'].Group.get(org_id) user = context['user'] member = authz.has_user_permission_for_group_or_org( group.id, user, 'read') search['group_id'] = org_id if not member: search['private'] = False out = db.Page.pages(**search) out_list = [] for pg in out: parser = HTMLFirstImage() parser.feed(pg.content) img = parser.first_image pg_row = { 'title': pg.title, 'title_nl': pg.title_nl, 'title_fr': pg.title_fr, 'title_de': pg.title_de, 'content': pg.content, 'content_nl': pg.content_nl, 'content_fr': pg.content_fr, 'content_de': pg.content_de, 'name': pg.name, 'publish_date': pg.publish_date.isoformat() if pg.publish_date else None, 'group_id': pg.group_id, 'page_type': pg.page_type, 'private': pg.private } if img: pg_row['image'] = img extras = pg.extras if extras: pg_row.update(json.loads(pg.extras)) out_list.append(pg_row) return out_list
def package_create(context, data_dict=None): user = context['user'] user_object = context.get('auth_user_obj') #Sysadmin user has all the previliges if user_object and user_object.sysadmin : {'success': True} #Do not authorize anonymous users if authz.auth_is_anon_user(context): return {'success': False, 'msg': _('User %s not authorized to create packages') % user} #Check if the user has the editor or admin role in some org/suborg check1 = all(authz.check_config_permission(p) for p in ( 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) or authz.has_user_permission_for_some_org( user, 'create_dataset') if not check1: return {'success': False, 'msg': _('User %s not authorized to create packages') % user} check2 = _check_group_auth(context,data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user} # If an organization is given are we able to add a dataset to it? data_dict = data_dict or {} org_id = data_dict.get('owner_org') if org_id and not authz.has_user_permission_for_group_or_org( org_id, user, 'create_dataset'): return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user} return {'success': True}
def get_packages_for_this_group(group_, just_the_count=False): # Ask SOLR for the list of packages for this org/group q = { 'facet': 'false', 'rows': 0, } if group_.is_organization: q['fq'] = 'owner_org:"{0}"'.format(group_.id) else: q['fq'] = 'groups:"{0}"'.format(group_.name) # Allow members of organizations to see private datasets. if group_.is_organization: is_group_member = (context.get('user') and authz.has_user_permission_for_group_or_org( group_.id, context.get('user'), 'read')) if is_group_member: q['include_private'] = True if not just_the_count: # package_search limits 'rows' anyway, so this is only if you # want even fewer try: packages_limit = context['limits']['packages'] except KeyError: del q['rows'] # leave it to package_search to limit it else: q['rows'] = packages_limit search_context = dict((k, v) for (k, v) in context.items() if k != 'schema') search_results = logic.get_action('package_search')(search_context, q) return search_results['count'], search_results['results']
def get_dataset_search_results(self, org_code): user = c.user or c.author ignore_capacity_check = False is_org_member = (user and new_authz.has_user_permission_for_group_or_org(org_code, user, 'read')) if is_org_member: ignore_capacity_check = True package_type = 'dataset' suffix = '#datasets-section' params_nopage = { k: v for k, v in request.params.items() if k != 'page'} def pager_url(q=None, page=None): params = params_nopage params['page'] = page return h.url_for('organization_read', id=org_code, **params) + suffix fq = 'organization:"{}"'.format(org_code) # facets = { # 'vocab_Topics': _('Topics') # } full_facet_info = self._search(package_type, pager_url, additional_fq=fq, ignore_capacity_check=ignore_capacity_check) full_facet_info.get('facets', {}).pop('organization', {}) c.other_links['current_page_url'] = h.url_for('organization_read', id=org_code) return full_facet_info
def member_create(context, data_dict): group = logic_auth.get_group_object(context, data_dict) user = context['user'] # User must be able to update the group to add a member to it permission = 'update' # However if the user is member of group then they can add/remove datasets if not group.is_organization and data_dict.get('object_type') == 'package': permission = 'manage_group' authorized = authz.has_user_permission_for_group_or_org( group.id, user, permission) if not authorized: return { 'success': False, 'msg': _('User %s not authorized to edit group %s') % (str(user), group.id) } else: if authz.config.get('ckan.gov_theme.is_back'): return {'success': True} else: return {'success': False}
def member_create(context, data_dict): try: group = tk.get_action('group_show')(data_dict=data_dict) except toolkit.ObjectNotFound: return {'success': False, 'msg': 'Couldn' 't find group'} if group['name'] == u'local': return {'success': True} user = context['user'] # User must be able to update the group to add a member to it permission = 'update' # However if the user is member of group then they can add/remove datasets if not group['is_organization'] and data_dict.get( 'object_type') == 'package': permission = 'manage_group' authorized = authz.has_user_permission_for_group_or_org( group['id'], user, permission) if not authorized: return { 'success': False, 'msg': 'User %s not authorized to edit group %s' % (str(user), group['id']) } else: return {'success': True}
def fetch_dataset_info(self): self._fetched_dataset_info = True context = { 'model': model, 'session': model.Session, 'user': self._username, } user = self._username ignore_capacity_check = False is_org_member = (user and new_authz.has_user_permission_for_group_or_org(self.id, user, 'read')) if is_org_member: ignore_capacity_check = True context['ignore_capacity_check'] = ignore_capacity_check data_dict = { 'q': '', 'fq': 'organization:"{}" +dataset_type:dataset'.format(self.org_dict.get('name')), 'rows': 1, 'start': 0, 'include_private': True if ignore_capacity_check else False, 'extras': {} } query = logic.get_action('package_search')(context, data_dict) self.datasets_num = query['count']
def get_packages_for_this_group(group_, just_the_count=False): # Ask SOLR for the list of packages for this org/group q = { 'facet': 'false', 'rows': 0, } if group_.is_organization: q['fq'] = '+owner_org:"{0}"'.format(group_.id) else: q['fq'] = '+groups:"{0}"'.format(group_.name) # Allow members of organizations to see private datasets. if group_.is_organization: is_group_member = (context.get('user') and authz.has_user_permission_for_group_or_org( group_.id, context.get('user'), 'read')) if is_group_member: q['include_private'] = True if not just_the_count: # package_search limits 'rows' anyway, so this is only if you # want even fewer try: packages_limit = context['limits']['packages'] except KeyError: del q['rows'] # leave it to package_search to limit it else: q['rows'] = packages_limit search_context = dict((k, v) for (k, v) in context.items() if k != 'schema') search_results = logic.get_action('package_search')(search_context, q) return search_results['count'], search_results['results']
def is_owner(context, data_dict): ''' This is used in "request edit rights" feature. Checks if the user is creator, admin or editor of the package in question :param context: context :param data_dict: package data :type data_dict: dictionary :rtype: dictionary ''' # Package creator is always owner regardless of organizations pkg = context.get('package', None) or Package.get(data_dict['id']) user = context.get('user', False) # If user id can't be resolved, user can't be owner try: user_id = convert_user_name_or_id_to_id(user, context) except: return {'success': False} if pkg.creator_user_id == user_id: return {'success': True} # Check if the user has editor rights to this dataset through an organization package = get_package_object(context, data_dict) if authz.has_user_permission_for_group_or_org(package.owner_org, user, 'delete_dataset'): return {'success': True} return {'success': False}
def package_show(context, data_dict): user = context.get('user') package = get_package_object(context, data_dict) # draft state indicates package is still in the creation process # so we need to check we have creation rights. if package.state.startswith('draft'): auth = authz.is_authorized('package_update', context, data_dict) authorized = auth.get('success') elif package.owner_org is None and package.state == 'active': return {'success': True} else: # anyone can see a public package if not package.private and package.state == 'active': return {'success': True} authorized = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'read') if not authorized: return { 'success': False, 'msg': _('User %s not authorized to read package %s') % (user, package.id) } else: return {'success': True}
def package_delete(context, data_dict): ''' Modified check from CKAN, whether the user has a permission to delete the package. In addition to privileges given by CKAN's authorisation, also the package owner has full privileges in Kata. :param context: context :type context: dictionary :param data_dict: package data :type data_dict: dictionary :rtype: dictionary with 'success': True|False ''' user = context['user'] package = get_package_object(context, data_dict) if is_owner(context, data_dict)['success'] == True: # if h.check_access('package_delete', data_dict): return {'success': True} else: authorized = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'delete_dataset') if not authorized: return { 'success': False, 'msg': _('User %s not authorized to delete package %s') % (str(user), package.id) } else: return {'success': True}
def member_create(context, data_dict): """ This code is largely borrowed from /src/ckan/ckan/logic/auth/create.py With a modification to allow users to add datasets to any group :param context: :param data_dict: :return: """ group = logic_auth.get_group_object(context, data_dict) user = context['user'] # User must be able to update the group to add a member to it permission = 'update' # However if the user is member of group then they can add/remove datasets if not group.is_organization and data_dict.get('object_type') == 'package': permission = 'manage_group' if c.controller in ['package', 'dataset'] and c.action in ['groups']: authorized = helpers.user_has_admin_access(True) else: authorized = authz.has_user_permission_for_group_or_org( group.id, user, permission) if not authorized: return { 'success': False, 'msg': _('User %s not authorized to edit group %s') % (str(user), group.id) } else: return {'success': True}
def package_update(context, data_dict): user = context.get('user') user_obj = context.get('auth_user_obj') package = logic_auth.get_package_object(context, data_dict) # Only the package creator can update it if package and user_obj and package.creator_user_id == user_obj.id: return {'success': True} # if the user has rights to update a dataset in the organization or in the group if package and package.owner_org: authorized = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'update_dataset') else: authorized = False if not authorized: return { 'success': False, 'msg': _('User %s is not authorized to edit package %s') % (user, package.id) } else: return {'success': True}
def owner_org_validator(key, data, errors, context): value = data.get(key) if value is missing or value is None: if not authz.check_config_permission('create_unowned_dataset'): raise Invalid(_('An organization must be provided')) data.pop(key, None) raise df.StopOnError model = context['model'] user = context['user'] user = model.User.get(user) package = context.get('package') if value == '': if not authz.check_config_permission('create_unowned_dataset'): raise Invalid(_('An organization must be provided')) return if (authz.check_config_permission('allow_dataset_collaborators') and not authz.check_config_permission( 'allow_collaborators_to_change_owner_org')): if package and user and not user.sysadmin: is_collaborator = authz.user_is_collaborator_on_dataset( user.id, package.id, ['admin', 'editor']) if is_collaborator: # User is a collaborator, check if it's also a member with # edit rights of the current organization (redundant, but possible) user_orgs = logic.get_action('organization_list_for_user')( { 'ignore_auth': True }, { 'id': user.id, 'permission': 'update_dataset' }) user_is_org_member = package.owner_org in [ org['id'] for org in user_orgs ] if data.get( key) != package.owner_org and not user_is_org_member: raise Invalid( _('You cannot move this dataset to another organization' )) group = model.Group.get(value) if not group: raise Invalid(_('Organization does not exist')) group_id = group.id if not package or (package and package.owner_org != group_id): # This is a new dataset or we are changing the organization if not context.get(u'ignore_auth', False) and not ( user.sysadmin or authz.has_user_permission_for_group_or_org( group_id, user.name, 'create_dataset')): raise Invalid(_('You cannot add a dataset to this organization')) data[key] = group_id
def bulk_update_public(context: Context, data_dict: DataDict) -> AuthResult: org_id = data_dict.get('org_id') user = context['user'] authorized = authz.has_user_permission_for_group_or_org( org_id, user, 'update') if not authorized: return {'success': False} return {'success': True}
def bulk_update_delete(context, data_dict): org_id = data_dict.get('org_id') user = context['user'] authorized = authz.has_user_permission_for_group_or_org( org_id, user, 'update') if not authorized: return {'success': False} return {'success': True}
def csc_auth_organization_activity_list_html(context, data_dict): user = context.get('user') organization = logic_auth.get_group_object(context, data_dict) authorized = authz.has_user_permission_for_group_or_org( organization.id, user, 'update') if not authorized: return {'success': False, 'msg': _('Unauthorized to see this content')} return {'success': True}
def managing_users_package_update(context, data_dict): user = context.get('user') package = logic_auth.get_package_object(context, data_dict) extras = dict([(key, value) for key, value in package.extras.items()]) if package.owner_org: # if there is an owner org then we must have update_dataset # permission for that organization check1 = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'update_dataset') #Managing users have to be specified for datasets within an organization managing_users = extras.get('managing_users', '') managing_users = managing_users.split(',') check1 = check1 and context['auth_user_obj'].name in managing_users else: # If dataset is not owned then we can edit if config permissions allow if authz.auth_is_anon_user(context): check1 = all( authz.check_config_permission(p) for p in ( 'anon_create_dataset', 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) else: check1 = all( authz.check_config_permission(p) for p in ( 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) or authz.has_user_permission_for_some_org( user, 'create_dataset') #Managing users have to be specified for datasets without owner #Else only creator can edit the dataset managing_users = extras.get('managing_users', '') managing_users = managing_users.split(',') check1 = check1 and context['auth_user_obj'].name in managing_users if context['auth_user_obj'].id == package.creator_user_id: #If user is the creator of the package, he can edit it regardless check1 = True if not check1: return { 'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id) } else: check2 = _check_group_auth(context, data_dict) if not check2: return { 'success': False, 'msg': _('User %s not authorized to edit these groups') % (str(user)) } return {'success': True}
def has_user_permission_for_org(context, data_dict): user = context.get('user', '') org_id = data_dict.get('org_id', '') permission = data_dict.get('permission', '') if authz.has_user_permission_for_group_or_org(org_id, user, permission): return {'success': True} else: return {'success': False, 'msg': _('User {0} is not authorized to {1} for organisation {2}'.format(user, permission, org_id))}
def _group_or_org_member_create(context: Context, data_dict: DataDict) -> AuthResult: user = context['user'] group_id = data_dict['id'] if not authz.has_user_permission_for_group_or_org( group_id, user, 'membership'): return {'success': False, 'msg': _('User %s not authorized to add members') % user} return {'success': True}
def resource_show(context, data_dict): user = context.get('user') user_obj = context.get('auth_user_obj') resource = logic_auth.get_resource_object(context, data_dict) # check authentication against package package_dict = {'id': resource.package_id} package = logic_auth.get_package_object(context, package_dict) if not package: raise tk.ObjectNotFound( _('No package found for this resource, cannot check auth.')) if package and user_obj and package.creator_user_id == user_obj.id: return {'success': True} # active packages can only be seen by its owners if package.state == 'active': # anyone can see a public package if not package.private: return {'success': True} # if the user has rights to read in the organization or in the group if package.owner_org: authorized = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'read') else: authorized = False if not authorized: # Init the model db.init_db(context['model']) # Branch not executed if the database return an empty list if db.AllowedUser.get(package_id=package.id, user_name=user): authorized = True if not authorized: return { 'success': False, 'msg': _('User %s not authorized to read resource %s') % (user, resource.id) } else: return {'success': True} else: return { 'success': False, 'msg': _('User %s not authorized to read resource %s') % (user, resource.id) }
def group_show(context, data_dict): user = context.get("user") group = get_group_object(context, data_dict) if group.state == "active": return {"success": True} authorized = authz.has_user_permission_for_group_or_org(group.id, user, "read") if authorized: return {"success": True} else: return {"success": False, "msg": _("User %s not authorized to read group %s") % (user, group.id)}
def group_delete(context, data_dict): group = get_group_object(context, data_dict) user = context["user"] if not authz.check_config_permission("user_delete_groups"): return {"success": False, "msg": _("User %s not authorized to delete groups") % user} authorized = authz.has_user_permission_for_group_or_org(group.id, user, "delete") if not authorized: return {"success": False, "msg": _("User %s not authorized to delete group %s") % (user, group.id)} else: return {"success": True}
def csc_auth_package_activity_list_html(context, data_dict): user = context.get('user') package = logic_auth.get_package_object(context, data_dict) authorized = False if package.owner_org: authorized = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'update_dataset') if not authorized: return {'success': False, 'msg': _('Unauthorized to see this content')} return {'success': True}
def package_update(context, data_dict): model = context['model'] user = context.get('user') package = logic_auth.get_package_object(context, data_dict) if package.owner_org: # if there is an owner org then we must have update_dataset # permission for that organization check1 = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'update_dataset') else: # If dataset is not owned then we can edit if config permissions allow if authz.auth_is_anon_user(context): check1 = all( authz.check_config_permission(p) for p in ( 'anon_create_dataset', 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) else: check1 = all( authz.check_config_permission(p) for p in ( 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) or authz.has_user_permission_for_some_org( user, 'create_dataset') if not check1: success = False if authz.check_config_permission('allow_dataset_collaborators'): # if org-level auth failed, check dataset-level auth # (ie if user is a collaborator) user_obj = model.User.get(user) if user_obj: success = authz.user_is_collaborator_on_dataset( user_obj.id, package.id, ['admin', 'editor']) if not success: return { 'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id) } else: check2 = _check_group_auth(context, data_dict) if not check2: return { 'success': False, 'msg': _('User %s not authorized to edit these groups') % (str(user)) } return {'success': True}
def _pages_list(context, data_dict): search = {} if db.pages_table is None: db.init_db(context['model']) org_id = data_dict.get('org_id') ordered = data_dict.get('order') order_publish_date = data_dict.get('order_publish_date') page_type = data_dict.get('page_type') private = data_dict.get('private', True) if ordered: search['order'] = True if page_type: search['page_type'] = page_type if order_publish_date: search['order_publish_date'] = True if not org_id: search['group_id'] = None try: p.toolkit.check_access('ckanext_pages_update', context, data_dict) if not private: search['private'] = False except p.toolkit.NotAuthorized: search['private'] = False else: group = context['model'].Group.get(org_id) user = context['user'] member = authz.has_user_permission_for_group_or_org( group.id, user, 'read') search['group_id'] = org_id if not member: search['private'] = False out = db.Page.pages(**search) out_list = [] # cdc for pg in out: parser = HTMLFirstImage() parser.feed(pg.content) img = parser.first_image pg_row = {'title': pg.title, 'ename': pg.ename, 'cname': pg.cname, 'content': pg.content, 'econtent': pg.econtent, 'name': pg.name, 'publish_date': pg.publish_date.isoformat() if pg.publish_date else None, 'group_id': pg.group_id, 'page_type': pg.page_type, } if img: pg_row['image'] = img extras = pg.extras if extras: pg_row.update(json.loads(pg.extras)) out_list.append(pg_row) return out_list
def _populate_template_data(org_dict): user = c.user or c.author ignore_capacity_check = False is_org_member = (user and new_authz.has_user_permission_for_group_or_org(org_dict.get('name'), user, 'read')) if is_org_member: ignore_capacity_check = True package_type = 'dataset' search_logic = OrganizationSearchLogic(id=org_dict.get('name')) fq = 'organization:"{}"'.format(org_dict.get('name')) search_logic._search(package_type, additional_fq=fq, ignore_capacity_check=ignore_capacity_check) org_dict['template_data'] = search_logic.template_data
def organization_update(context, data_dict): group = logic_auth.get_group_object(context, data_dict) user = context['user'] authorized = authz.has_user_permission_for_group_or_org( group.id, user, 'update') if not authorized: return {'success': False, 'msg': _('User %s not authorized to edit organization %s') % (user, group.id)} else: return {'success': True}
def group_show(context, data_dict): user = context.get('user') group = get_group_object(context, data_dict) if group.state == 'active': return {'success': True} authorized = authz.has_user_permission_for_group_or_org( group.id, user, 'read') if authorized: return {'success': True} else: return {'success': False, 'msg': _('User %s not authorized to read group %s') % (user, group.id)}
def organization_delete(context, data_dict): group = get_group_object(context, data_dict) user = context['user'] if not authz.check_config_permission('user_delete_organizations'): return {'success': False, 'msg': _('User %s not authorized to delete organizations') % user} authorized = authz.has_user_permission_for_group_or_org( group.id, user, 'delete') if not authorized: return {'success': False, 'msg': _('User %s not authorized to delete organization %s') % (user ,group.id)} else: return {'success': True}
def package_create(context, data_dict=None): ''' Modified from CKAN's original check. Any logged in user can add a dataset to any organisation. Packages owner check is done when adding a resource. :param context: context :param data_dict: data_dict :return: dictionary with 'success': True|False ''' user = context['user'] # Needed in metadata supplements if context.get('package', False): return is_owner(context, context.get('package').get('id')) # If an organization is given are we able to add a dataset to it? data_dict = data_dict or {} org_id = data_dict.get('owner_org', False) if org_id and not kata_has_user_permission_for_org( org_id, user, 'create_dataset'): return {'success': False, 'msg': _('User %s not authorized to add a dataset') % user} elif org_id and kata_has_user_permission_for_org(org_id, user, 'create_dataset'): return {'success': True} # Below is copy-pasted from CKAN auth.create.package_create # to allow dataset creation without explicit organization permissions. if authz.auth_is_anon_user(context): check1 = all(authz.check_config_permission(p) for p in ( 'anon_create_dataset', 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) else: check1 = True # Registered users may create datasets if not check1: return {'success': False, 'msg': _('User %s not authorized to create packages') % user} check2 = _check_group_auth(context, data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user} # If an organization is given are we able to add a dataset to it? data_dict = data_dict or {} org_id = data_dict.get('owner_org') if org_id and not authz.has_user_permission_for_group_or_org( org_id, user, 'create_dataset'): return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user} return {'success': True}
def can_request_doi(pkg): ''' Users can request a DOI if they are in the same org as the owner of the dataset ''' userobj = toolkit.c.userobj owner_group_id = pkg['owner_org'] if not userobj: return False if userobj.sysadmin: return True if pkg['creator_user_id'] == userobj.id: return True if owner_group_id is None: return False return has_user_permission_for_group_or_org(owner_group_id, userobj.name, 'read')
def managing_users_package_update(context, data_dict): user = context.get('user') package = logic_auth.get_package_object(context, data_dict) extras = dict([(key, value) for key, value in package.extras.items()]) if package.owner_org: # if there is an owner org then we must have update_dataset # permission for that organization check1 = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'update_dataset' ) #Managing users have to be specified for datasets within an organization managing_users = extras.get('managing_users', '') managing_users = managing_users.split(',') check1 = check1 and context['auth_user_obj'].name in managing_users else: # If dataset is not owned then we can edit if config permissions allow if authz.auth_is_anon_user(context): check1 = all(authz.check_config_permission(p) for p in ( 'anon_create_dataset', 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) else: check1 = all(authz.check_config_permission(p) for p in ( 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) or authz.has_user_permission_for_some_org( user, 'create_dataset') #Managing users have to be specified for datasets without owner #Else only creator can edit the dataset managing_users = extras.get('managing_users', '') managing_users = managing_users.split(',') check1 = check1 and context['auth_user_obj'].name in managing_users if context['auth_user_obj'].id == package.creator_user_id: #If user is the creator of the package, he can edit it regardless check1 = True if not check1: return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)} else: check2 = _check_group_auth(context, data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % (str(user))} return {'success': True}
def group_show(context, data_dict): user = context.get('user') group = get_group_object(context, data_dict) if group.state == 'active': if asbool(config.get('ckan.auth.public_user_details', True)) or \ (not asbool(data_dict.get('include_users', False)) and (data_dict.get('object_type', None) != 'user')): return {'success': True} authorized = authz.has_user_permission_for_group_or_org( group.id, user, 'read') if authorized: return {'success': True} else: return {'success': False, 'msg': _('User %s not authorized to read group %s') % (user, group.id)}
def group_edit_permissions(context, data_dict): user = context['user'] group = logic_auth.get_group_object(context, data_dict) authorized = authz.has_user_permission_for_group_or_org(group.id, user, 'update') if not authorized: return {'success': False, 'msg': _('User %s not authorized to edit permissions of group %s') % (str(user), group.id)} else: return {'success': True}
def _check_group_auth(context, data_dict): '''Has this user got update permission for all of the given groups? If there is a package in the context then ignore that package's groups. (owner_org is checked elsewhere.) :returns: False if not allowed to update one (or more) of the given groups. True otherwise. i.e. True is the default. A blank data_dict mentions no groups, so it returns True. ''' # FIXME This code is shared amoung other logic.auth files and should be # somewhere better if not data_dict: return True model = context['model'] user = context['user'] pkg = context.get("package") api_version = context.get('api_version') or '1' group_blobs = data_dict.get('groups', []) groups = set() for group_blob in group_blobs: # group_blob might be a dict or a group_ref if isinstance(group_blob, dict): if api_version == '1': id = group_blob.get('name') else: id = group_blob.get('id') if not id: continue else: id = group_blob grp = model.Group.get(id) if grp is None: raise logic.NotFound(_('Group was not found.')) groups.add(grp) if pkg: pkg_groups = pkg.get_groups() groups = groups - set(pkg_groups) for group in groups: if not authz.has_user_permission_for_group_or_org(group.id, user, 'update'): return False return True
def member_list(context, data_dict): ''' Limits group/organization member listing to editors and administrators of the organization. :param context: :param data_dict: :return: ''' user_name = context.get('user') organization_id = data_dict.get('id') if authz.has_user_permission_for_group_or_org(organization_id, user_name, 'editor'): return {'success': True} else: return {'success': False}
def package_show(context, data_dict): user = context.get('user') user_obj = context.get('auth_user_obj') package = logic_auth.get_package_object(context, data_dict) # datasets can be read by its creator if package and user_obj and package.creator_user_id == user_obj.id: return {'success': True} # Not active packages can only be seen by its owners if package.state == 'active': # anyone can see a public package if package.private: acquired = False if package.owner_org: acquired = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'read') if not acquired: # Init the model db.init_db(context['model']) # Branch not executed if the database return an empty list if db.AllowedUser.get(package_id=package.id, user_name=user): acquired = True if not acquired: # Show a flash message with the URL to acquire the dataset # This message only can be shown when the user tries to access the dataset via its URL (/dataset/...) # The message cannot be displayed in other pages that uses the package_show function such as # the user profile page if hasattr(package, 'extras') and 'acquire_url' in package.extras and request.path.startswith( '/dataset/') \ and package.extras['acquire_url'] != '': helpers.flash_notice(_('This private dataset can be acquired. To do so, please click ' + '<a target="_blank" href="%s">here</a>') % package.extras['acquire_url'], allow_html=True) return {'success': True} else: return {'success': False, 'msg': _('User %s not authorized to read package %s') % (user, package.id)}
def has_permission_for_project(context, data_dict, permission, project_id_parameter): try: project = get_package_object(context, {'id': data_dict[project_id_parameter]}) except KeyError: raise toolkit.ValidationError( {project_id_parameter: 'missing parameter'} ) user = context['user'] if has_user_permission_for_group_or_org(project.owner_org, user, permission): return {'success': True} return { 'success': False, 'msg': _('User {0} not authorized to {1}').format( user, permission.replace('_', ' ')) }
def resource_show(context, data_dict): user = context.get('user') user_obj = context.get('auth_user_obj') resource = logic_auth.get_resource_object(context, data_dict) # check authentication against package package_dict = {'id': resource.package_id} package = logic_auth.get_package_object(context, package_dict) if not package: raise tk.ObjectNotFound(_('No package found for this resource, cannot check auth.')) if package and user_obj and package.creator_user_id == user_obj.id: return {'success': True} # active packages can only be seen by its owners if package.state == 'active': # anyone can see a public package if not package.private: return {'success': True} # if the user has rights to read in the organization or in the group if package.owner_org: authorized = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'read') else: authorized = False if not authorized: # Init the model db.init_db(context['model']) # Branch not executed if the database return an empty list if db.AllowedUser.get(package_id=package.id, user_name=user): authorized = True if not authorized: return {'success': False, 'msg': _('User %s not authorized to read resource %s') % (user, resource.id)} else: return {'success': True} else: return {'success': False, 'msg': _('User %s not authorized to read resource %s') % (user, resource.id)}
def package_show(context, data_dict): user = context.get("user") package = get_package_object(context, data_dict) # draft state indicates package is still in the creation process # so we need to check we have creation rights. if package.state.startswith("draft"): auth = authz.is_authorized("package_update", context, data_dict) authorized = auth.get("success") elif package.owner_org is None and package.state == "active": return {"success": True} else: # anyone can see a public package if not package.private and package.state == "active": return {"success": True} authorized = authz.has_user_permission_for_group_or_org(package.owner_org, user, "read") if not authorized: return {"success": False, "msg": _("User %s not authorized to read package %s") % (user, package.id)} else: return {"success": True}
def member_create(context, data_dict): group = logic_auth.get_group_object(context, data_dict) user = context['user'] # User must be able to update the group to add a member to it permission = 'update' # However if the user is member of group then they can add/remove datasets if not group.is_organization and data_dict.get('object_type') == 'package': permission = 'manage_group' authorized = authz.has_user_permission_for_group_or_org(group.id, user, permission) if not authorized: return {'success': False, 'msg': _('User %s not authorized to edit group %s') % (str(user), group.id)} else: return {'success': True}
def check_access_account_requests(context, data_dict=None): """ :param context: :return: True if user is sysadmin or admin in top level org """ user = context.get('user') orgs = model.Group.get_top_level_groups(type='organization') user_is_admin_in_top_org = None if orgs: for org in orgs: if authz.has_user_permission_for_group_or_org( org.id, user, 'admin' ): user_is_admin_in_top_org = True break return { 'success': True if user_is_admin_in_top_org or h.check_access('sysadmin') else False }
def package_update(context, data_dict): user = context.get('user') user_obj = context.get('auth_user_obj') package = logic_auth.get_package_object(context, data_dict) # Only the package creator can update it if package and user_obj and package.creator_user_id == user_obj.id: return {'success': True} # if the user has rights to update a dataset in the organization or in the group if package and package.owner_org: authorized = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'update_dataset') else: authorized = False if not authorized: return {'success': False, 'msg': _('User %s is not authorized to edit package %s') % (user, package.id)} else: return {'success': True}
def package_show(context, data_dict): user = context.get('user') package = get_package_object(context, data_dict) # draft state indicates package is still in the creation process # so we need to check we have creation rights. if package.state.startswith('draft'): auth = authz.is_authorized('package_update', context, data_dict) authorized = auth.get('success') elif package.owner_org is None and package.state == 'active': return {'success': True} else: # anyone can see a public package if not package.private and package.state == 'active': return {'success': True} authorized = authz.has_user_permission_for_group_or_org( package.owner_org, user, 'read') if not authorized: return {'success': False, 'msg': _('User %s not authorized to read package %s') % (user, package.id)} else: return {'success': True}
def package_delete(context, data_dict): ''' Modified check from CKAN, whether the user has a permission to delete the package. In addition to privileges given by CKAN's authorisation, also the package owner has full privileges in Kata. :param context: context :type context: dictionary :param data_dict: package data :type data_dict: dictionary :rtype: dictionary with 'success': True|False ''' user = context['user'] package = get_package_object(context, data_dict) if is_owner(context, data_dict)['success'] == True: # if h.check_access('package_delete', data_dict): return {'success': True} else: authorized = authz.has_user_permission_for_group_or_org(package.owner_org, user, 'delete_dataset') if not authorized: return {'success': False, 'msg': _('User %s not authorized to delete package %s') % (str(user), package.id)} else: return {'success': True}