def user_update(next_auth, context, data_dict):
    """Auth wrapper that shields LDAP-backed accounts from edits and name clashes.

    :param next_auth: the next auth function in the chain; called when neither
        LDAP guard below applies
    :param context: CKAN action context
    :param data_dict: the ``user_update`` payload; ``name`` is inspected when
        present
    :returns: an auth result dict ``{'success': bool, 'msg': ...}``
    """
    # The target may not resolve (bad or missing id); that is left for the
    # chained auth function to judge, so a failed lookup is not fatal here.
    try:
        target = auth.get_user_object(context, data_dict)
    except toolkit.ObjectNotFound:
        target = None

    # Guard 1: editing LDAP-provisioned users is refused when so configured.
    prevent_edits = toolkit.config[u'ckanext.ldap.prevent_edits']
    if prevent_edits and target and LdapUser.by_user_id(target.id):
        return {
            u'success': False,
            u'msg': toolkit._(u'Cannot edit LDAP users'),
        }

    # Guard 2: renaming onto a name that belongs to a *different* LDAP
    # identity is refused; renaming onto the user's own LDAP identity passes.
    if target and u'name' in data_dict and target.name != data_dict[u'name']:
        ldap_match = find_ldap_user(data_dict[u'name'])
        if ldap_match:
            own_links = target.ldap_user
            same_identity = (
                len(own_links) > 0
                and own_links[0].ldap_id == ldap_match[u'ldap_id']
            )
            if not same_identity:
                return {
                    u'success': False,
                    u'msg': toolkit._(u'An LDAP user by that name already exists'),
                }

    return next_auth(context, data_dict)
def user_update(context, data_dict):
    """Decide whether ``context['user']`` may update the user named in ``data_dict``.

    Allowed when (a) a non-empty password-reset key stored on the target
    account is echoed back in ``data_dict``, or (b) the caller is editing
    their own account. Anonymous callers and other users are refused.

    :returns: ``{'success': True}`` or ``{'success': False, 'msg': ...}``
    """
    caller = context['user']

    # FIXME: validation ought to guarantee a resolvable user id before auth
    # runs; until it does, a missing user is reported here instead of raised.
    try:
        target = logic_auth.get_user_object(context, data_dict)
    except logic.NotFound:
        return {'success': False, 'msg': _('User not found')}

    # Reset-key path: lets the key holder update the account without a
    # password or API key. Only a truthy stored key is honoured, so an account
    # with no pending reset cannot be matched by posting a null/empty key.
    # NOTE(review): plain == is not a constant-time comparison; consider
    # hmac.compare_digest for the secret. The key is not consumed here —
    # presumably the action layer clears it; verify.
    stored_key = target.reset_key
    if stored_key and 'reset_key' in data_dict:
        if stored_key == data_dict['reset_key']:
            return {'success': True}

    if not caller:
        return {'success': False, 'msg': _('Have to be logged in to edit user')}

    if caller == target.name:
        # Self-service edits are always permitted.
        return {'success': True}

    # Everyone else is refused.
    return {'success': False,
            'msg': _('User %s not authorized to edit user %s') % (caller, target.id)}
def package_update(context, data_dict):
    """Auth override for ``package_update`` honouring an organization's
    ``personal_datasets`` feature.

    CKAN's stock ``package_update`` auth is consulted first; a positive answer
    is then narrowed: when the owning organization lists ``personal_datasets``
    in its ``features`` extra, only the dataset's creator may modify it.
    Showcases carry no organization and skip the extra check.

    :returns: the core auth result dict, or a refusal dict
    """
    verdict = _auth_update.package_update(context, data_dict)
    if not verdict['success']:
        return verdict

    caller = logic_auth.get_user_object(context, {'id': context.get('user')})
    dataset = logic_auth.get_package_object(context, data_dict)

    # Showcases don't have organizations, so there is no policy to consult.
    if dataset.type == "showcase":
        return verdict

    # NOTE(review): a non-showcase dataset with no owner_org is not handled
    # here — confirm owner_org is always set before this runs.
    org = logic_auth.get_group_object(context, {'id': dataset.owner_org})
    # Assumes `extras` is a dict and `features` a list of feature names.
    features = org.extras.get('features', [])
    if 'personal_datasets' in features and dataset.creator_user_id != caller.id:
        verdict = {
            'success': False,
            'msg': _('Cannot modify dataset because of organization policy')
        }
    return verdict
def user_generate_apikey(context, data_dict):
    """Only the account owner may regenerate their API key.

    :returns: ``{'success': True}`` when ``context['user']`` is the target
        user's name, otherwise a refusal dict naming both parties
    """
    caller = context['user']
    target = logic_auth.get_user_object(context, data_dict)
    if caller != target.name:
        return {'success': False,
                'msg': _('User {0} not authorized to update user'
                         ' {1}'.format(caller, target.id))}
    # Allow users to update only their own user accounts.
    return {'success': True}
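def user_update(context, data_dict):
    """Authorize editing a user account.

    Permitted for sysadmins, for the account owner, or for a request carrying
    the account's pending password-reset key. Anyone else is refused.

    :returns: ``{'success': True}`` or ``{'success': False, 'msg': ...}``
    """
    user = context['user']
    user_obj = get_user_object(context, data_dict)

    is_privileged = Authorizer().is_sysadmin(unicode(user)) or user == user_obj.name
    if not is_privileged:
        # Bug fix: the stored key must be non-empty before it is compared.
        # Without this guard an account with no pending reset (reset_key
        # None or '') could be edited by posting a matching null/empty
        # 'reset_key'.
        # NOTE(review): == is not constant-time; consider hmac.compare_digest.
        stored_key = user_obj.reset_key
        reset_ok = (bool(stored_key) and 'reset_key' in data_dict
                    and data_dict['reset_key'] == stored_key)
        if not reset_ok:
            return {'success': False,
                    'msg': _('User %s not authorized to edit user %s') % (str(user), user_obj.id)}
    return {'success': True}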
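def user_update(context, data_dict):
    """Authorize editing a user account.

    Permitted for sysadmins, for the account owner, or for a request carrying
    the account's pending password-reset key. Anyone else is refused.

    :returns: ``{"success": True}`` or ``{"success": False, "msg": ...}``
    """
    user = context["user"]
    user_obj = get_user_object(context, data_dict)

    is_privileged = Authorizer().is_sysadmin(unicode(user)) or user == user_obj.name
    if not is_privileged:
        # Bug fix: only a non-empty stored key may be compared. Without this
        # guard an account with no pending reset (reset_key None or "") could
        # be edited by posting a matching null/empty "reset_key".
        # NOTE(review): == is not constant-time; consider hmac.compare_digest.
        stored_key = user_obj.reset_key
        reset_ok = (
            bool(stored_key)
            and "reset_key" in data_dict
            and data_dict["reset_key"] == stored_key
        )
        if not reset_ok:
            return {"success": False, "msg": _("User %s not authorized to edit user %s") % (str(user), user_obj.id)}
    return {"success": True}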
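def user_update(context, data_dict):
    """Authorize editing a user account.

    Permitted for the account owner or for a request carrying the account's
    pending password-reset key. Anyone else is refused.

    :returns: ``{'success': True}`` or ``{'success': False, 'msg': ...}``
    """
    user = context['user']
    user_obj = logic_auth.get_user_object(context, data_dict)

    # Bug fix: require a non-empty stored key before comparing. Otherwise an
    # account with no pending reset (reset_key None or '') could be edited by
    # posting a matching null/empty 'reset_key'.
    # NOTE(review): == is not constant-time; consider hmac.compare_digest.
    stored_key = user_obj.reset_key
    user_reset = (bool(stored_key) and 'reset_key' in data_dict
                  and data_dict['reset_key'] == stored_key)

    if user != user_obj.name and not user_reset:
        return {'success': False,
                'msg': _('User %s not authorized to edit user %s') % (str(user), user_obj.id)}
    return {'success': True}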
def test_get_user_object_with_id(self):
    """get_user_object resolves a user by id and stores it in context['user_obj']."""
    site_user = helpers.call_action('get_site_user')['name']
    created = helpers.call_action('user_create',
                                  context={'user': site_user},
                                  name='test_user',
                                  email='*****@*****.**',
                                  password='******')
    ctx = {'model': core_model}
    resolved = logic_auth.get_user_object(ctx, {'id': created['id']})
    assert resolved.id == created['id']
    # The helper is expected to cache the resolved object on the context.
    assert ctx['user_obj'] == resolved
def test_get_user_object_with_id(self):
    """get_user_object resolves a user by id and stores it in context["user_obj"]."""
    site_user = helpers.call_action("get_site_user")["name"]
    created = helpers.call_action(
        "user_create",
        context={"user": site_user},
        name="test_user",
        email="*****@*****.**",
        password="******",
    )
    ctx = {"model": core_model}
    resolved = logic_auth.get_user_object(ctx, {"id": created["id"]})
    assert resolved.id == created["id"]
    # The helper is expected to cache the resolved object on the context.
    assert ctx["user_obj"] == resolved
def test_get_user_object_with_id(self):
    """get_user_object resolves a user by id and stores it in context["user_obj"]."""
    site_user = helpers.call_action("get_site_user")["name"]
    # Use factory-generated identity fields so the test does not collide with
    # fixed names across runs.
    template = factories.User.stub()
    created = helpers.call_action(
        "user_create",
        context={"user": site_user},
        name=template.name,
        email=template.email,
        password="******",
    )
    ctx = {"model": core_model}
    resolved = logic_auth.get_user_object(ctx, {"id": created["id"]})
    assert resolved.id == created["id"]
    # The helper is expected to cache the resolved object on the context.
    assert ctx["user_obj"] == resolved
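def user_update(context, data_dict):
    """Authorize editing a user account.

    Permitted for the account owner or for a request carrying the account's
    pending password-reset key. Anyone else is refused.

    :returns: ``{'success': True}`` or ``{'success': False, 'msg': ...}``
    """
    user = context['user']
    user_obj = logic_auth.get_user_object(context, data_dict)

    # Bug fix: only a truthy stored key may be compared. Without this guard an
    # account with no pending reset (reset_key None or '') could be edited by
    # posting a matching null/empty 'reset_key'.
    # NOTE(review): == is not constant-time; consider hmac.compare_digest.
    stored_key = user_obj.reset_key
    user_reset = (
        bool(stored_key)
        and 'reset_key' in data_dict
        and data_dict['reset_key'] == stored_key
    )

    if user != user_obj.name and not user_reset:
        return {
            'success': False,
            'msg': _('User %s not authorized to edit user %s') % (str(user), user_obj.id)
        }
    return {'success': True}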
def package_update(context, data_dict):
    """Narrow CKAN's ``package_update`` auth for organizations that opted into
    ``personal_datasets``.

    Core auth runs first. If it grants access and the dataset is not a
    showcase, the owning organization's ``features`` extra is checked; with
    ``personal_datasets`` enabled, only the dataset's creator keeps access.

    :returns: the core auth result dict, or a refusal dict
    """
    outcome = _auth_update.package_update(context, data_dict)
    if outcome['success']:
        editor = logic_auth.get_user_object(context, {'id': context.get('user')})
        pkg = logic_auth.get_package_object(context, data_dict)

        # Showcases don't have organizations, so no org policy applies.
        if pkg.type != "showcase":
            # NOTE(review): owner_org is assumed to be set for every
            # non-showcase dataset — confirm before relying on this path.
            owner = logic_auth.get_group_object(context, {'id': pkg.owner_org})
            opted_in = 'personal_datasets' in owner.extras.get('features', [])
            is_creator = pkg.creator_user_id == editor.id
            if opted_in and not is_creator:
                outcome = {
                    'success': False,
                    'msg': _('Cannot modify dataset because of organization policy')
                }
    return outcome
def user_update(context, data_dict):
    """Decide whether ``context["user"]`` may update the user named in ``data_dict``.

    Allowed when (a) a non-empty password-reset key stored on the target
    account is echoed back in ``data_dict``, or (b) the caller is editing
    their own account. Anonymous callers and other users are refused.
    Lookup failures from ``get_user_object`` propagate to the caller.

    :returns: ``{"success": True}`` or ``{"success": False, "msg": ...}``
    """
    caller = context["user"]
    target = get_user_object(context, data_dict)

    # Reset-key path: lets the key holder update the account without a
    # password or API key. Only a truthy stored key is honoured, so an account
    # with no pending reset cannot be matched by posting a null/empty key.
    # NOTE(review): plain == is not a constant-time comparison; consider
    # hmac.compare_digest for the secret.
    stored_key = target.reset_key
    if stored_key and "reset_key" in data_dict:
        if stored_key == data_dict["reset_key"]:
            return {"success": True}

    if not caller:
        return {"success": False, "msg": _("Have to be logged in to edit user")}

    if caller == target.name:
        # Self-service edits are always permitted.
        return {"success": True}

    # Everyone else is refused.
    return {"success": False,
            "msg": _("User %s not authorized to edit user %s") % (caller, target.id)}