def package_create(context, data_dict=None): import ckan.new_authz as new_authz from ckan.logic.auth.create import _check_group_auth user = context['user'] if new_authz.auth_is_anon_user(context): check1 = new_authz.check_config_permission('anon_create_dataset') else: # CKAN default options that grant any user rights to create datasets removed here. check1 = new_authz.has_user_permission_for_some_org(user, 'create_dataset') if not check1: return {'success': False, 'msg': _('User %s not authorized to create packages') % user} check2 = _check_group_auth(context,data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user} # If an organization is given are we able to add a dataset to it? data_dict = data_dict or {} org_id = data_dict.get('organization_id') if org_id and not new_authz.has_user_permission_for_group_or_org(org_id, user, 'create_dataset'): return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user} # Note the default value True except when we're actually trying to create a new dataset... if data_dict: org_id = data_dict.get('owner_org') if org_id and not new_authz.has_user_permission_for_group_or_org(org_id, user, 'create_dataset'): return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user} elif not org_id: return {'success': False} return {'success': True}
def package_membership_list_save(group_dicts, package, context): allow_partial_update = context.get("allow_partial_update", False) if group_dicts is None and allow_partial_update: return capacity = 'public' model = context["model"] session = context["session"] pending = context.get('pending') user = context.get('user') members = session.query(model.Member) \ .filter(model.Member.table_id == package.id) \ .filter(model.Member.capacity != 'organization') group_member = dict((member.group, member) for member in members) groups = set() for group_dict in group_dicts or []: id = group_dict.get("id") name = group_dict.get("name") capacity = group_dict.get("capacity", "public") if capacity == 'organization': continue if id: group = session.query(model.Group).get(id) else: group = session.query(model.Group).filter_by(name=name).first() groups.add(group) ## need to flush so we can get out the package id model.Session.flush() for group in groups - set(group_member.keys()): if group: member_obj = model.Member(table_id = package.id, table_name = 'package', group = group, capacity = capacity, group_id=group.id, state = 'active') session.add(member_obj) for group in set(group_member.keys()) - groups: member_obj = group_member[group] if new_authz.has_user_permission_for_group_or_org( member_obj.group_id, user, 'read'): member_obj.capacity = capacity member_obj.state = 'deleted' session.add(member_obj) for group in set(group_member.keys()) & groups: member_obj = group_member[group] if new_authz.has_user_permission_for_group_or_org( member_obj.group_id, user, 'read'): member_obj.capacity = capacity member_obj.state = 'active' session.add(member_obj)
def organization_update(context, data_dict): """ This overrides CKAN's auth function to make sure that user has permission to use a specific parent organization. """ group = logic_auth.get_group_object(context, data_dict) user = context['user'] # Check that user has admin permissions in selected parent organizations if data_dict and data_dict.get('groups'): admin_in_orgs = model.Session.query(model.Member).filter(model.Member.state == 'active').filter(model.Member.table_name == 'user') \ .filter(model.Member.capacity == 'admin').filter(model.Member.table_id == new_authz.get_user_id_for_username(user, allow_none=True)) for parent_org in data_dict['groups']: if any(parent_org['name'] == admin_org.group.name for admin_org in admin_in_orgs): break else: return {'success': False, 'msg': _('User %s is not administrator in the selected parent organization') % user} if (data_dict and 'save' in data_dict and data_dict.get('public_adminstration_organization', None) != group.extras.get('public_adminstration_organization', None)): return {'success': False, 'msg': _('User %s is not allowed to change the public organization option') % user} authorized = new_authz.has_user_permission_for_group_or_org(group.id, user, 'update') if not authorized: return {'success': False, 'msg': _('User %s not authorized to edit organization %s') % (user, group.id)} else: return {'success': True}
def get_packages_for_this_group(group_): # Ask SOLR for the list of packages for this org/group q = { 'facet': 'false', 'rows': 0, } if group_.is_organization: q['fq'] = 'owner_org:"{0}"'.format(group_.id) else: q['fq'] = 'groups:"{0}"'.format(group_.name) # Allow members of organizations to see private datasets. if group_.is_organization: is_group_member = (context.get('user') and new_authz.has_user_permission_for_group_or_org( group_.id, context.get('user'), 'read')) if is_group_member: context['ignore_capacity_check'] = True if not context.get('for_view'): q['rows'] = 1000 # Only the first 1000 datasets are returned search_context = dict((k, v) for (k, v) in context.items() if k != 'schema') search_results = logic.get_action('package_search')(search_context, q) return search_results['count'], search_results['results']
def _pages_list(context, data_dict): search = {} if db.pages_table is None: db.init_db(context['model']) org_id = data_dict.get('org_id') ordered = data_dict.get('order') private = data_dict.get('private', True) if ordered: search['order'] = True if not org_id: search['group_id'] = None try: p.toolkit.check_access('ckanext_pages_update', context, data_dict) if not private: search['private'] = False except p.toolkit.NotAuthorized: search['private'] = False else: group = context['model'].Group.get(org_id) user = context['user'] member = new_authz.has_user_permission_for_group_or_org( group.id, user, 'read') search['group_id'] = org_id if not member: search['private'] = False out = db.Page.pages(**search) return [{'title': pg.title, 'content': pg.content, 'name': pg.name, 'group_id': pg.group_id, } for pg in out]
def is_owner(context, data_dict): ''' This is used in "request edit rights" feature. Checks if the user is admin or editor of the package in question :param context: context :param data_dict: package data :type data_dict: dictionary :rtype: dictionary ''' pkg = context.get('package', None) roles = pkg.roles if pkg else Package.get(data_dict['id']).roles user = context.get('user', False) if user: for role in roles: ruser = User.get(role.user.id) if user == ruser.name and role.role in ('admin', 'editor'): return {'success': True} # Check if the user has editor rights to this dataset through an organization package = get_package_object(context, data_dict) if new_authz.has_user_permission_for_group_or_org(package.owner_org, user, 'delete_dataset'): return {'success': True} return {'success': False}
def owner_org_validator(key, data, errors, context): value = data.get(key) if value is missing or value is None: if not new_authz.check_config_permission('create_unowned_dataset'): raise Invalid(_('A organization must be supplied')) data.pop(key, None) raise df.StopOnError model = context['model'] user = context['user'] user = model.User.get(user) if value == '' : if not new_authz.check_config_permission('create_unowned_dataset'): raise Invalid(_('A organization must be supplied')) package = context.get('package') # only sysadmins can remove datasets from org if package and package.owner_org and not user.sysadmin: raise Invalid(_('You cannot remove a dataset from an existing organization')) return group = model.Group.get(value) if not group: raise Invalid(_('Organization does not exist')) group_id = group.id if not(user.sysadmin or new_authz.has_user_permission_for_group_or_org( group_id, user.name, 'create_dataset')): raise Invalid(_('You cannot add a dataset to this organization')) data[key] = group_id
def package_update(context, data_dict): user = context.get('user') package = logic_auth.get_package_object(context, data_dict) if package.owner_org: # if there is an owner org then we must have update_dataset # premission for that organization check1 = new_authz.has_user_permission_for_group_or_org( package.owner_org, user, 'update_dataset' ) else: # If dataset is not owned then we can edit if config permissions allow if not new_authz.auth_is_anon_user(context): check1 = new_authz.check_config_permission( 'create_dataset_if_not_in_organization') else: check1 = new_authz.check_config_permission('anon_create_dataset') if not check1: return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)} else: check2 = _check_group_auth(context, data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % (str(user))} return {'success': True}
def datahub_package_create(context, data_dict): from ckan.logic.auth.create import _check_group_auth if authz.is_sysadmin(context.get('user')): return {'success': True} user = context['user'] if not authz.auth_is_registered_user(): if '/new' in c.environ['PATH_INFO']: h.redirect_to(CREATE_DATASET_HELP_PAGE) else: return {'success': False, 'msg': _('You must login to create a dataset')} check1 = authz.check_config_permission('create_dataset_if_not_in_organization') \ or authz.check_config_permission('create_unowned_dataset') #if not authorized and not a part of any org, redirect to help page on how to join one if not check1 and not authz.has_user_permission_for_some_org(user, 'create_dataset'): if '/new' in c.environ['PATH_INFO']: h.redirect_to(CREATE_DATASET_HELP_PAGE) else: return {'success': False, 'msg': _('User %s not authorized to create packages') % user} check2 = _check_group_auth(context,data_dict) if not check2 and not check1: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user} # If an organization is given are we able to add a dataset to it? data_dict = data_dict or {} org_id = data_dict.get('organization_id') if org_id and not authz.has_user_permission_for_group_or_org( org_id, user, 'create_dataset'): return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user} return {'success': True}
def datahub_package_create(context, data_dict): from ckan.logic.auth.create import _check_group_auth if new_authz.is_sysadmin(context.get('user')): return {'success': True} user = context['user'] if not new_authz.auth_is_registered_user(): return {'success': False, 'msg': _('You must login to create a dataset')} else: check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization') \ or new_authz.check_config_permission('create_unowned_dataset') if not check1 and not new_authz.has_user_permission_for_some_org(user, 'create_dataset'): h.redirect_to('/pages/requesting-an-organization') if not check1: return {'success': False, 'msg': _('User %s not authorized to create packages') % user} check2 = _check_group_auth(context,data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user} # If an organization is given are we able to add a dataset to it? data_dict = data_dict or {} org_id = data_dict.get('organization_id') if org_id and not new_authz.has_user_permission_for_group_or_org( org_id, user, 'create_dataset'): return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user} return {'success': True}
def bulk_update_delete(context, data_dict): org_id = data_dict.get("org_id") user = context["user"] authorized = new_authz.has_user_permission_for_group_or_org(org_id, user, "update") if not authorized: return {"success": False} return {"success": True}
def hri_package_update(context, data_dict): if is_harvester(context, data_dict): return {'success': False, 'msg': _('Harvesters are not authorized to update packages')} else: user = context['model'].User.get(context['user']) # Check that we have a logged in user. if not user: return {'success': False, 'msg': _('Not authorized to update datasets without a valid login')} # Is the user an admin? if user.sysadmin: return {'success': True} # Does the user have global update rights through WordPress? if hri_auth('ckan_update_datasets'): return {'success': True} # Finally check if the user has update rights through the dataset's organization. # Modified version of /ckan/logic/auth/update.py:package_update from core to suit our needs. package = get_package_object(context, data_dict) if package.owner_org: import ckan.new_authz as new_authz check1 = new_authz.has_user_permission_for_group_or_org( package.owner_org, user.name, 'update_dataset' ) if check1: return {'success': True} return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)}
def package_create(context, data_dict=None): user = context['user'] user_roles = user_custom_roles(context, data_dict) if 'datovy-kurator' in user_roles: return {'success': True} if new_authz.auth_is_anon_user(context): check1 = all(new_authz.check_config_permission(p) for p in ( 'anon_create_dataset', 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) else: check1 = all(new_authz.check_config_permission(p) for p in ( 'create_dataset_if_not_in_organization', 'create_unowned_dataset', )) or new_authz.has_user_permission_for_some_org( user, 'create_dataset') if not check1: return {'success': False, 'msg': _('User %s not authorized to create packages') % user} check2 = _check_group_auth(context,data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user} # If an organization is given are we able to add a dataset to it? data_dict = data_dict or {} org_id = data_dict.get('owner_org') if org_id and not new_authz.has_user_permission_for_group_or_org( org_id, user, 'create_dataset'): return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user} return {'success': True}
def organization_update(context, data_dict): group = get_group_object(context, data_dict) user = context["user"] authorized = new_authz.has_user_permission_for_group_or_org(group.id, user, "update") if not authorized: return {"success": False, "msg": _("User %s not authorized to edit organization %s") % (user, group.id)} else: return {"success": True}
def bulk_update_delete(context, data_dict): org_id = data_dict.get('org_id') user = context['user'] authorized = new_authz.has_user_permission_for_group_or_org( org_id, user, 'update') if not authorized: return {'success': False} return {'success': True}
def group_edit_permissions(context, data_dict): user = context['user'] group = get_group_object(context, data_dict) if not new_authz.has_user_permission_for_group_or_org(group.id, user, 'update'): return {'success': False, 'msg': _('User %s not authorized to edit permissions of group %s') % (str(user),group.id)} else: return {'success': True}
def package_delete(context, data_dict): user = context['user'] package = get_package_object(context, data_dict) authorized = new_authz.has_user_permission_for_group_or_org(package.owner_org, user, 'delete_dataset') if not authorized: return {'success': False, 'msg': _('User %s not authorized to delete package %s') % (user, package.id)} else: return {'success': True}
def organization_update(context, data_dict): group = get_group_object(context, data_dict) user = context['user'] authorized = new_authz.has_user_permission_for_group_or_org( group.id, user, 'update') if not authorized: return {'success': False, 'msg': _('User %s not authorized to edit organization %s') % (user, group.id)} else: return {'success': True}
def group_delete(context, data_dict): group = get_group_object(context, data_dict) user = context["user"] if not new_authz.check_config_permission("user_delete_groups"): return {"success": False, "msg": _("User %s not authorized to delete groups") % user} authorized = new_authz.has_user_permission_for_group_or_org(group.id, user, "delete") if not authorized: return {"success": False, "msg": _("User %s not authorized to delete group %s") % (user, group.id)} else: return {"success": True}
def _group_or_org_member_delete(context, data_dict): group = get_group_object(context, data_dict) user = context['user'] authorized = new_authz.has_user_permission_for_group_or_org( group.id, user, 'delete_member') if not authorized: return {'success': False, 'msg': _('User %s not authorized to delete organization %s members') % (str(user),group.id)} else: return {'success': True} return {'success': True}
def group_show(context, data_dict): user = context.get('user') group = get_group_object(context, data_dict) if group.state == 'active': return {'success': True} authorized = new_authz.has_user_permission_for_group_or_org( group.id, user, 'read') if authorized: return {'success': True} else: return {'success': False, 'msg': _('User %s not authorized to read group %s') % (user, group.id)}
def group_edit_permissions(context, data_dict): user = context["user"] group = get_group_object(context, data_dict) if not new_authz.has_user_permission_for_group_or_org(group.id, user, "update"): return { "success": False, "msg": _("User %s not authorized to edit permissions of group %s") % (str(user), group.id), } else: return {"success": True}
def organization_delete(context, data_dict): group = get_group_object(context, data_dict) user = context['user'] if not new_authz.check_config_permission('user_delete_organizations'): return {'success': False, 'msg': _('User %s not authorized to delete organizations') % user} authorized = new_authz.has_user_permission_for_group_or_org( group.id, user, 'delete') if not authorized: return {'success': False, 'msg': _('User %s not authorized to delete organization %s') % (user ,group.id)} else: return {'success': True}
def _pages_list(context, data_dict): search = {} if db.pages_table is None: db.init_db(context['model']) org_id = data_dict.get('org_id') ordered = data_dict.get('order') order_publish_date = data_dict.get('order_publish_date') page_type = data_dict.get('page_type') private = data_dict.get('private', True) if ordered: search['order'] = True if page_type: search['page_type'] = page_type if order_publish_date: search['order_publish_date'] = True if not org_id: search['group_id'] = None try: p.toolkit.check_access('ckanext_pages_update', context, data_dict) if not private: search['private'] = False except p.toolkit.NotAuthorized: search['private'] = False else: group = context['model'].Group.get(org_id) user = context['user'] member = new_authz.has_user_permission_for_group_or_org( group.id, user, 'read') search['group_id'] = org_id if not member: search['private'] = False out = db.Page.pages(**search) out_list = [] for pg in out: parser = HTMLFirstImage() parser.feed(pg.content) img = parser.first_image pg_row = {'title': pg.title, 'content': pg.content, 'name': pg.name, 'publish_date': pg.publish_date.isoformat() if pg.publish_date else None, 'group_id': pg.group_id, 'page_type': pg.page_type, 'lang': pg.lang } if img: pg_row['image'] = img extras = pg.extras if extras: pg_row.update(json.loads(pg.extras)) out_list.append(pg_row) return out_list
def publish_dataset(context, data_dict): """ This method got to check whether user has access to publish dataset based on his role. """ model = context['model'] user = context.get('user','') print "User Logged: ",user #Change the group to be coming from global setting... check1 = new_authz.has_user_permission_for_group_or_org(helpers.get_default_group(), user, 'publish_dataset') if not check1: return {'success': False, 'msg': _('User %s not authorized to publish dataset') % (str(user))} return {'success': True}
def package_show(context, data_dict): user = context.get('user') user_obj = context.get('auth_user_obj') package = logic_auth.get_package_object(context, data_dict) # datasets can be read by its creator if package and user_obj and package.creator_user_id == user_obj.id: return {'success': True} # Not active packages can only be seen by its owners if package.state == 'active': # anyone can see a public package if not package.private: return {'success': True} # if the user has rights to read in the organization or in the group if package.owner_org: authorized = new_authz.has_user_permission_for_group_or_org( package.owner_org, user, 'read') else: authorized = False # if the user is not authorized yet, we should check if the # user is in the allowed_users object if not authorized: # Init the model db.init_db(context['model']) # Branch not executed if the database return an empty list if db.AllowedUser.get(package_id=package.id, user_name=user): authorized = True if not authorized: # Show a flash message with the URL to acquire the dataset # This message only can be shown when the user tries to access the dataset via its URL (/dataset/...) # The message cannot be displayed in other pages that uses the package_show function such as # the user profile page if hasattr(package, 'extras') and 'acquire_url' in package.extras and request.path.startswith('/dataset/')\ and package.extras['acquire_url'] != '': helpers.flash_notice(_('This private dataset can be acquired. To do so, please click ' + '<a target="_blank" href="%s">here</a>') % package.extras['acquire_url'], allow_html=True) return {'success': False, 'msg': _('User %s not authorized to read package %s') % (user, package.id)} else: return {'success': True} else: return {'success': False, 'msg': _('User %s not authorized to read package %s') % (user, package.id)}
def _check_group_auth(context, data_dict): '''Has this user got update permission for all of the given groups? If there is a package in the context then ignore that package's groups. (owner_org is checked elsewhere.) :returns: False if not allowed to update one (or more) of the given groups. True otherwise. i.e. True is the default. A blank data_dict mentions no groups, so it returns True. ''' # FIXME This code is shared amoung other logic.auth files and should be # somewhere better if not data_dict: return True model = context['model'] user = context['user'] pkg = context.get("package") api_version = context.get('api_version') or '1' group_blobs = data_dict.get('groups', []) groups = set() for group_blob in group_blobs: # group_blob might be a dict or a group_ref if isinstance(group_blob, dict): if api_version == '1': id = group_blob.get('name') else: id = group_blob.get('id') if not id: continue else: id = group_blob grp = model.Group.get(id) if grp is None: raise logic.NotFound(_('Group was not found.')) groups.add(grp) if pkg: pkg_groups = pkg.get_groups() groups = groups - set(pkg_groups) for group in groups: if not new_authz.has_user_permission_for_group_or_org(group.id, user, 'update'): return False return True
def package_update(context, data_dict): user = context.get('user') package = get_package_object(context, data_dict) if package.owner_org: check1 = new_authz.has_user_permission_for_group_or_org(package.owner_org, user, 'update_dataset') else: check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization') if not check1: return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)} else: check2 = _check_group_auth(context,data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % str(user)} return {'success': True}
def package_show(context, data_dict): user = context.get("user") package = get_package_object(context, data_dict) # draft state indicates package is still in the creation process # so we need to check we have creation rights. if package.state.startswith("draft"): auth = new_authz.is_authorized("package_update", context, data_dict) authorized = auth.get("success") else: # anyone can see a public package if not package.private and package.state == "active": return {"success": True} authorized = new_authz.has_user_permission_for_group_or_org(package.owner_org, user, "read") if not authorized: return {"success": False, "msg": _("User %s not authorized to read package %s") % (user, package.id)} else: return {"success": True}
def member_list(context, data_dict): ''' Limits group/organization member listing to editors and administrators of the organization. :param context: :param data_dict: :return: ''' user_name = context.get('user') organization_id = data_dict.get('id') if new_authz.has_user_permission_for_group_or_org(organization_id, user_name, 'editor'): return {'success': True} else: return {'success': False}
def package_membership_list_save(group_dicts, package, context): allow_partial_update = context.get("allow_partial_update", False) if group_dicts is None and allow_partial_update: return capacity = 'public' model = context["model"] session = context["session"] user = context.get('user') members = session.query(model.Member) \ .filter(model.Member.table_id == package.id) \ .filter(model.Member.capacity != 'organization') group_member = dict((member.group, member) for member in members) groups = set() for group_dict in group_dicts or []: id = group_dict.get("id") name = group_dict.get("name") capacity = group_dict.get("capacity", "public") if capacity == 'organization': continue if id: group = session.query(model.Group).get(id) else: group = session.query(model.Group).filter_by(name=name).first() if group: groups.add(group) ## need to flush so we can get out the package id model.Session.flush() # Remove any groups we are no longer in for group in set(group_member.keys()) - groups: member_obj = group_member[group] if member_obj and member_obj.state == 'deleted': continue if new_authz.has_user_permission_for_group_or_org( member_obj.group_id, user, 'read'): member_obj.capacity = capacity member_obj.state = 'deleted' session.add(member_obj) # Add any new groups for group in groups: member_obj = group_member.get(group) if member_obj and member_obj.state == 'active': continue if new_authz.has_user_permission_for_group_or_org( group.id, user, 'read'): member_obj = group_member.get(group) if member_obj: member_obj.capacity = capacity member_obj.state = 'active' else: member_obj = model.Member(table_id=package.id, table_name='package', group=group, capacity=capacity, group_id=group.id, state = 'active') session.add(member_obj)
def group_dictize(group, context): result_dict = d.table_dictize(group, context) result_dict['display_name'] = group.display_name result_dict['extras'] = extras_dict_dictize(group._extras, context) include_datasets = context.get('include_datasets', True) q = { 'facet': 'false', 'rows': 0, } if group.is_organization: q['fq'] = 'owner_org:"{0}"'.format(group.id) else: q['fq'] = 'groups:"{0}"'.format(group.name) is_group_member = (context.get('user') and new_authz.has_user_permission_for_group_or_org( group.id, context.get('user'), 'read')) if is_group_member: context['ignore_capacity_check'] = True if include_datasets: q['rows'] = 1000 # Only the first 1000 datasets are returned context_ = dict((k, v) for (k, v) in context.items() if k != 'schema') search_results = logic.get_action('package_search')(context_, q) if include_datasets: result_dict['packages'] = search_results['results'] result_dict['package_count'] = search_results['count'] context['with_capacity'] = True result_dict['tags'] = tag_list_dictize( _get_members(context, group, 'tags'), context) result_dict['groups'] = group_list_dictize( _get_members(context, group, 'groups'), context) result_dict['users'] = user_list_dictize( _get_members(context, group, 'users'), context) context['with_capacity'] = False if context.get('for_view'): if result_dict['is_organization']: plugin = plugins.IOrganizationController else: plugin = plugins.IGroupController for item in plugins.PluginImplementations(plugin): result_dict = item.before_view(result_dict) image_url = result_dict.get('image_url') result_dict['image_display_url'] = image_url if image_url and not image_url.startswith('http'): #munge here should not have an effect only doing it incase #of potential vulnerability of dodgy api input image_url = munge.munge_filename(image_url) result_dict['image_display_url'] = h.url_for_static( 'uploads/group/%s' % result_dict.get('image_url'), qualified=True) return result_dict