def get(self, group_type, is_organization, id=None): extra_vars = {} set_org(is_organization) context = self._prepare(id) user = request.params.get(u'user') data_dict = {u'id': id} data_dict['include_datasets'] = False group_dict = _action(u'group_show')(context, data_dict) roles = _action(u'member_roles_list')(context, { u'group_type': group_type }) if user: user_dict = get_action(u'user_show')(context, {u'id': user}) user_role =\ authz.users_role_for_group_or_org(id, user) or u'member' # TODO: Remove g.user_dict = user_dict extra_vars["user_dict"] = user_dict else: user_role = u'member' # TODO: Remove g.group_dict = group_dict g.roles = roles g.user_role = user_role extra_vars = { u"group_dict": group_dict, u"roles": roles, u"user_role": user_role, u"group_type": group_type } return base.render(_replace_group_org(u'group/member_new.html'), extra_vars)
def package_create(next_auth, context, data_dict): ''' :param next_auth: :param context: :param data_dict: ''' user = context['auth_user_obj'] if data_dict and 'owner_org' in data_dict: role = users_role_for_group_or_org(data_dict['owner_org'], user.name) if role == 'member': return { 'success': True } else: # If there is no organisation, then this should return success if the user can # create datasets for *some* organisation (see the ckan implementation), so # either if anonymous packages are allowed or if we have member status in any # organisation. if has_user_permission_for_some_org(user.name, 'read'): return { 'success': True } return next_auth(context, data_dict)
def member_new(self, id): group_type = self._ensure_controller_matches_group_type(id) context = {'model': model, 'session': model.Session, 'user': c.user or c.author} #self._check_access('group_delete', context, {'id': id}) try: data_dict = {'id': id} data_dict['include_datasets'] = False c.group_dict = self._action('group_show')(context, data_dict) c.roles = self._action('member_roles_list')( context, {'group_type': group_type} ) if request.method == 'POST': data_dict = clean_dict(dict_fns.unflatten( tuplize_dict(parse_params(request.params)))) data_dict['id'] = id email = data_dict.get('email') if email: users_model = context['model'] result = users_model.User.by_email(email) if result: message = _(u'User with this {email} email already exists.').format( email=email) raise ValidationError({'message': message}, error_summary=message) else: user_data_dict = { 'email': email, 'group_id': data_dict['id'], 'role': data_dict['role'] } del data_dict['email'] user_dict = self._action('user_invite')( context, user_data_dict) data_dict['username'] = user_dict['name'] c.group_dict = self._action('group_member_create')( context, data_dict) self._redirect_to_this_controller(action='members', id=id) else: user = request.params.get('user') if user: c.user_dict = \ get_action('user_show')(context, {'id': user}) c.user_role = \ authz.users_role_for_group_or_org(id, user) or 'member' else: c.user_role = 'member' except NotAuthorized: abort(401, _('Unauthorized to add member to group %s') % '') except NotFound: abort(404, _('Group not found')) except ValidationError, e: h.flash_error(e.error_summary)
def ckan_get_user_role_in_group(group_id, context=None): # type: (str, OptionalCkanContext) -> Optional[str] """Get the current user's role in a group / organization """ user = _get_username(context) if not user: return None return users_role_for_group_or_org(group_id, user)
def package_show(context, data_dict=None): # Identify the current package package = get_package_object(context, data_dict) # If the package isn't private, allow anyone to view the dataset if (package.private): # Check the currently logged in user user = context.get('user') # If the user is part of the organization that # owns this dataset, allow access as normal. if (authz.users_role_for_group_or_org(package.owner_org, user) != None): return {'success': True} # Modify the context to allow for all datasets to be searched context['ignore_capacity_check'] = True # Get all groups in the CKAN instance all_groups = get.group_list(context, data_dict) # Iterate through all of the groups for group in all_groups: # Use the group ID to collect all packages owned by a group current_group = get.group_package_show(context, {'id': group}) # Skip if the current group has no packages if (len(current_group) > 0): # Iterate through all packages in a group for i in range(len(current_group)): # Get the title of the package group_package_title = str(current_group[i]['name']) # If the user has any affiliation with the group that # contains this package, allow access to the package. if ((group_package_title == str(package.name)) and (authz.users_role_for_group_or_org( group, user) != None)): return {'success': True} # Otherwise deny access to the package. return {'success': False} # If the package isn't private, allow access to the package. return {'success': True}
def member_new(self, id): context = { 'model': model, 'session': model.Session, 'user': c.user or c.author } #self._check_access('group_delete', context, {'id': id}) try: data_dict = {'id': id} data_dict['include_datasets'] = False c.group_dict = self._action('group_show')(context, data_dict) group_type = 'organization' if c.group_dict[ 'is_organization'] else 'group' c.roles = self._action('member_roles_list')( context, { 'group_type': group_type }) if request.method == 'POST': data_dict = clean_dict( dict_fns.unflatten( tuplize_dict(parse_params(request.params)))) data_dict['id'] = id email = data_dict.get('email') if email: user_data_dict = { 'email': email, 'group_id': data_dict['id'], 'role': data_dict['role'] } del data_dict['email'] user_dict = self._action('user_invite')(context, user_data_dict) data_dict['username'] = user_dict['name'] c.group_dict = self._action('group_member_create')(context, data_dict) self._redirect_to(controller='group', action='members', id=id) else: user = request.params.get('user') if user: c.user_dict = get_action('user_show')(context, { 'id': user }) c.user_role = authz.users_role_for_group_or_org( id, user) or 'member' else: c.user_role = 'member' except NotAuthorized: abort(401, _('Unauthorized to add member to group %s') % '') except NotFound: abort(404, _('Group not found')) except ValidationError, e: h.flash_error(e.error_summary)
def owner_org_validator(key, data, errors, context): owner_org = data.get(key) user = context['auth_user_obj'] if owner_org is not missing and owner_org is not None and owner_org != '': role = users_role_for_group_or_org(owner_org, user.name) if role == 'member': return default_oov(key, data, errors, context)
def member_new(self, id): group_type = self._ensure_controller_matches_group_type(id) context = {'model': model, 'session': model.Session, 'user': c.user} try: self._check_access('group_member_create', context, {'id': id}) except NotAuthorized: abort(403, _('Unauthorized to create group %s members') % '') try: data_dict = {'id': id} data_dict['include_datasets'] = False c.group_dict = self._action('group_show')(context, data_dict) c.roles = self._action('member_roles_list')( context, { 'group_type': group_type }) if request.method == 'POST': data_dict = clean_dict( dict_fns.unflatten( tuplize_dict(parse_params(request.params)))) data_dict['id'] = id email = data_dict.get('email') if email: user_data_dict = { 'email': email, 'group_id': data_dict['id'], 'role': data_dict['role'] } del data_dict['email'] user_dict = self._action('user_invite')(context, user_data_dict) data_dict['username'] = user_dict['name'] c.group_dict = self._action('group_member_create')(context, data_dict) self._redirect_to_this_controller(action='members', id=id) else: user = request.params.get('user') if user: c.user_dict = \ get_action('user_show')(context, {'id': user}) c.user_role = \ authz.users_role_for_group_or_org(id, user) or 'member' else: c.user_role = 'member' except NotAuthorized: abort(403, _('Unauthorized to add member to group %s') % '') except NotFound: abort(404, _('Group not found')) except ValidationError as e: h.flash_error(e.error_summary) return self._render_template('group/member_new.html', group_type)
def member_new(self, id): group_type = self._ensure_controller_matches_group_type(id) context = {'model': model, 'session': model.Session, 'user': c.user} try: self._check_access('group_member_create', context, {'id': id}) except NotAuthorized: abort(403, _('Unauthorized to create group %s members') % '') try: data_dict = {'id': id} data_dict['include_datasets'] = False c.group_dict = self._action('group_show')(context, data_dict) c.roles = self._action('member_roles_list')( context, {'group_type': group_type} ) if request.method == 'POST': data_dict = clean_dict(dict_fns.unflatten( tuplize_dict(parse_params(request.params)))) data_dict['id'] = id email = data_dict.get('email') if email: user_data_dict = { 'email': email, 'group_id': data_dict['id'], 'role': data_dict['role'] } del data_dict['email'] user_dict = self._action('user_invite')( context, user_data_dict) data_dict['username'] = user_dict['name'] c.group_dict = self._action('group_member_create')( context, data_dict) h.redirect_to(group_type + '_members', id=id) else: user = request.params.get('user') if user: c.user_dict = \ get_action('user_show')(context, {'id': user}) c.user_role = \ authz.users_role_for_group_or_org(id, user) or 'member' else: c.user_role = 'member' except NotAuthorized: abort(403, _('Unauthorized to add member to group %s') % '') except NotFound: abort(404, _('Group not found')) except ValidationError as e: h.flash_error(e.error_summary) return self._render_template('group/member_new.html', group_type)
def user_is_member_of_package_org(user, package): """Return True if the package is in an organization and the user has the member role in that organization @param user: A user object @param package: A package object @return: True if the user has the 'member' role in the organization that owns the package, False otherwise """ if package.owner_org: role_in_org = users_role_for_group_or_org(package.owner_org, user.name) if role_in_org == 'member': return True return False
def member_new(self, id): context = {'model': model, 'session': model.Session, 'user': c.user or c.author} #self._check_access('group_delete', context, {'id': id}) try: data_dict = {'id': id} data_dict['include_datasets'] = False c.group_dict = self._action('group_show')(context, data_dict) group_type = 'organization' if c.group_dict['is_organization'] else 'group' c.roles = self._action('member_roles_list')( context, {'group_type': group_type} ) if request.method == 'POST': data_dict = clean_dict(dict_fns.unflatten( tuplize_dict(parse_params(request.params)))) data_dict['id'] = id email = data_dict.get('email') if email: user_data_dict = { 'email': email, 'group_id': data_dict['id'], 'role': data_dict['role'] } del data_dict['email'] user_dict = self._action('user_invite')(context, user_data_dict) data_dict['username'] = user_dict['name'] c.group_dict = self._action('group_member_create')(context, data_dict) self._redirect_to(controller='group', action='members', id=id) else: user = request.params.get('user') if user: c.user_dict = get_action('user_show')(context, {'id': user}) c.user_role = authz.users_role_for_group_or_org(id, user) or 'member' else: c.user_role = 'member' except NotAuthorized: abort(401, _('Unauthorized to add member to group %s') % '') except NotFound: abort(404, _('Group not found')) except ValidationError, e: h.flash_error(e.error_summary)
def package_create(context, data_dict): user = context['auth_user_obj'] if data_dict and 'owner_org' in data_dict: role = users_role_for_group_or_org(data_dict['owner_org'], user.name) if role == 'member': return {'success': True} else: # If there is no organization, then this should return success if the user can create datasets for *some* # organisation (see the ckan implementation), so either if anonymous packages are allowed or if we have # member status in any organization. if has_user_permission_for_some_org(user.name, 'read'): return {'success': True} fallback = get_default_auth('create', 'package_create') return fallback(context, data_dict)
def create(self, entity): user = toolkit.g.userobj if authz.is_sysadmin(user.name): return parents = entity.get_parent_group_hierarchy('organization') if parents: parent = parents[-1] role = authz.users_role_for_group_or_org(parent.id, user.name) if not role or role != 'admin': raise ValidationError({ 'parent': [ 'You do not belong to the selected parent organisation' ] })
def owner_org_validator(key, data, errors, context): ''' :param key: :param data: :param errors: :param context: ''' owner_org = data.get(key) if owner_org is not toolkit.missing and owner_org is not None and owner_org != '': if context.get('auth_user_obj', None) is not None: username = context['auth_user_obj'].name else: username = context['user'] role = users_role_for_group_or_org(owner_org, username) if role == 'member': return default_owner_org_validator(key, data, errors, context)
def member_new(self, id): group_type = self._ensure_controller_matches_group_type(id) context = {"model": model, "session": model.Session, "user": c.user} # self._check_access('group_delete', context, {'id': id}) try: data_dict = {"id": id} data_dict["include_datasets"] = False c.group_dict = self._action("group_show")(context, data_dict) c.roles = self._action("member_roles_list")(context, {"group_type": group_type}) if request.method == "POST": data_dict = clean_dict(dict_fns.unflatten(tuplize_dict(parse_params(request.params)))) data_dict["id"] = id email = data_dict.get("email") if email: user_data_dict = {"email": email, "group_id": data_dict["id"], "role": data_dict["role"]} del data_dict["email"] user_dict = self._action("user_invite")(context, user_data_dict) data_dict["username"] = user_dict["name"] c.group_dict = self._action("group_member_create")(context, data_dict) self._redirect_to_this_controller(action="members", id=id) else: user = request.params.get("user") if user: c.user_dict = get_action("user_show")(context, {"id": user}) c.user_role = authz.users_role_for_group_or_org(id, user) or "member" else: c.user_role = "member" except NotAuthorized: abort(403, _("Unauthorized to add member to group %s") % "") except NotFound: abort(404, _("Group not found")) except ValidationError, e: h.flash_error(e.error_summary)
def can_request_doi(user, data): ''' Determine whether the user can request a doi for a package. ''' # If we can request doi outside of orgs, allow everyone to request. if toolkit.asbool(config.get('ckanext.doi.doi_request_only_in_orgs')) \ is False: return True if user: user_obj = toolkit.get_action('user_show')( data_dict={'id': user}) # Sysadmins can do anything if user_obj['sysadmin']: return True org_id = data.get('owner_org') or data.get('group_id') \ or data.get(('owner_org',), None) # ckanext.doi.doi_request_only_in_orgs must be True, so we need a user and # an org if not user or not org_id: return False # Roles authorized if ckanext.doi.doi_request_roles_in_orgs if not defined # in config. default_roles = "admin editor" # Is the user's role in the allowed roles list? user_role = authz.users_role_for_group_or_org(org_id, user) if user_role in config.get("ckanext.doi.doi_request_roles_in_orgs", default_roles).split(): return True return False
def member_new(self, id): # FIXME: heavily customized version of GroupController.member_new # that is tied to our particular auth mechanism and permissions # This would be better in the idir extension import ckan.lib.navl.dictization_functions as dict_fns import ckan.authz as authz context = {'model': model, 'session': model.Session, 'user': c.user or c.author} errors = {} try: group_type = 'organization' data_dict = {'id': id} data_dict['include_datasets'] = False c.group_dict = self._action('organization_show')(context, {'id' : data_dict['id']}) c.roles = self._action('member_roles_list')(context, {'group_type': group_type}) if request.method == 'POST': data_dict = clean_dict(dict_fns.unflatten( tuplize_dict(parse_params(request.params)))) data_dict['id'] = id idir_account = data_dict.get('idir') if idir_account: ''' Check if the account has only alphanumeric characters ''' import re name_match = re.compile('[a-z0-9_\-]*$') if not name_match.match(idir_account) : errors['idir'] = _('must be purely lower case alphanumeric (ascii) characters and these symbols: -_') vars = {'data': data_dict, 'errors': errors} return render('organization/member_new.html', extra_vars=vars) try: user_dict = get_action('user_show')(context, {'id': idir_account.lower(), 'include_datasets': False}) except NotFound: user_dict = {} if not user_dict : user_data_dict = { 'name': idir_account.lower(), 'email': '*****@*****.**', 'password' : 't35tu53r' } del data_dict['idir'] user_dict = self._action('user_create')(context, user_data_dict) data_dict['username'] = user_dict['name'] data_dict['role'] = data_dict.get('role', 'editor') c.group_dict = self._action('group_member_create')(context, data_dict) self._redirect_to_this_controller(action='members', id=id) else: user = request.params.get('user') if user: c.user_dict = get_action('user_show')(context, {'id': user}) c.user_role = authz.users_role_for_group_or_org(id, user) or 'member' else: c.user_role = 'member' except NotAuthorized: abort(401, _('Unauthorized to add member to group %s') % '') except NotFound: abort(404, _('Group not found')) except ValidationError, e: h.flash_error(e.error_summary)
def member_new(self, id): # FIXME: heavily customized version of GroupController.member_new # that is tied to our particular auth mechanism and permissions # This would be better in the idir extension import ckan.lib.navl.dictization_functions as dict_fns import ckan.authz as authz context = { 'model': model, 'session': model.Session, 'user': c.user or c.author } errors = {} try: group_type = 'organization' data_dict = {'id': id} data_dict['include_datasets'] = False c.group_dict = self._action('organization_show')( context, { 'id': data_dict['id'] }) c.roles = self._action('member_roles_list')( context, { 'group_type': group_type }) if request.method == 'POST': data_dict = clean_dict( dict_fns.unflatten( tuplize_dict(parse_params(request.params)))) data_dict['id'] = id idir_account = data_dict.get('idir') if idir_account: ''' Check if the account has only alphanumeric characters ''' import re name_match = re.compile('[a-z0-9_\-]*$') if not name_match.match(idir_account): errors['idir'] = _( 'must be purely lower case alphanumeric (ascii) characters and these symbols: -_' ) vars = {'data': data_dict, 'errors': errors} return render('organization/member_new.html', extra_vars=vars) try: user_dict = get_action('user_show')( context, { 'id': idir_account.lower(), 'include_datasets': False }) except NotFound: user_dict = {} if not user_dict: user_data_dict = { 'name': idir_account.lower(), 'email': '*****@*****.**', 'password': '******' } del data_dict['idir'] user_dict = self._action('user_create')(context, user_data_dict) data_dict['username'] = user_dict['name'] data_dict['role'] = data_dict.get('role', 'editor') c.group_dict = self._action('group_member_create')(context, data_dict) self._redirect_to_this_controller(action='members', id=id) else: user = request.params.get('user') if user: c.user_dict = get_action('user_show')(context, { 'id': user }) c.user_role = authz.users_role_for_group_or_org( id, user) or 'member' else: c.user_role = 'member' except NotAuthorized: abort(401, _('Unauthorized to add member to group %s') % '') except NotFound: abort(404, _('Group not found')) except ValidationError, e: h.flash_error(e.error_summary)
def role_in_org(organization_id, user_name): return authz.users_role_for_group_or_org(organization_id, user_name)