def package_update(context, data_dict):
user = context.get('user')
package = logic_auth.get_package_object(context, data_dict)
if package.owner_org:
# if there is an owner org then we must have update_dataset
# premission for that organization
check1 = new_authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'update_dataset'
)
else:
# If dataset is not owned then we can edit if config permissions allow
if not new_authz.auth_is_anon_user(context):
check1 = new_authz.check_config_permission(
'create_dataset_if_not_in_organization')
else:
check1 = new_authz.check_config_permission('anon_create_dataset')
if not check1:
return {'success': False,
'msg': _('User %s not authorized to edit package %s') %
(str(user), package.id)}
else:
check2 = _check_group_auth(context, data_dict)
if not check2:
return {'success': False,
'msg': _('User %s not authorized to edit these groups') %
(str(user))}
return {'success': True}
def hri_package_update(context, data_dict):
if is_harvester(context, data_dict):
return {'success': False, 'msg': _('Harvesters are not authorized to update packages')}
else:
user = context['model'].User.get(context['user'])
# Check that we have a logged in user.
if not user:
return {'success': False, 'msg': _('Not authorized to update datasets without a valid login')}
# Is the user an admin?
if user.sysadmin:
return {'success': True}
# Does the user have global update rights through WordPress?
if hri_auth('ckan_update_datasets'):
return {'success': True}
# Finally check if the user has update rights through the dataset's organization.
# Modified version of /ckan/logic/auth/update.py:package_update from core to suit our needs.
package = get_package_object(context, data_dict)
if package.owner_org:
import ckan.new_authz as new_authz
check1 = new_authz.has_user_permission_for_group_or_org(
package.owner_org, user.name, 'update_dataset'
)
if check1:
return {'success': True}
return {'success': False,
'msg': _('User %s not authorized to edit package %s') %
(str(user), package.id)}
def package_show(context, data_dict):
user = context.get('user')
package = get_package_object(context, data_dict)
# draft state indicates package is still in the creation process
# so we need to check we have creation rights.
if package.state.startswith('draft'):
auth = new_authz.is_authorized('package_update', context, data_dict)
authorized = auth.get('success')
elif package.owner_org is None and package.state == 'active':
return {'success': True}
else:
# anyone can see a public package
if not package.private and package.state == 'active':
return {'success': True}
authorized = new_authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'read')
if not authorized:
return {
'success':
False,
'msg':
_('User %s not authorized to read package %s') % (user, package.id)
}
else:
return {'success': True}
def datapackage_show(context, data_dict):
"""
Generate the data required for a datapackage for the specified package.
"""
model = context["model"]
try:
p.toolkit.check_access("package_show", context, data_dict)
pkg = get_package_object(context, data_dict).as_dict()
except logic.NotFound:
p.toolkit.abort(404)
datapackage = {
"id": pkg["id"],
"name": pkg["name"],
"title": pkg["title"],
"license": LICENSE_LOOKUP.get(pkg["license_id"], ""),
"resources": [],
}
if pkg["notes"]:
datapackage["description"] = pkg["notes"]
try:
package_zip = PackageZip.get_for_package(pkg["id"])
datapackage["filepath"] = package_zip.filepath
except Exception, ex:
pass
def donl_package_update(context, data_dict):
model = context['model']
user = context.get('user')
user_obj = model.User.get(user)
package = get_package_object(context, data_dict)
# Allow sysadmins to edit anything
if user_obj.sysadmin:
return {'success': True}
# Leave the core CKAN auth to work out the hierarchy stuff
result = ckan.logic.auth.update.package_update(context, data_dict)
# Check extras for donl_data_eigenaar
# When extras contains a value for donl_data_eigenaar, don't authorize when package maintainer does not match extras value
# TODO Should we authorize the user anyway if he is the owner of this dataset?
extras = UserExtra.get_extra(user_obj.id)
if extras and extras.get('donl_data_eigenaar'):
result['success'] = result['success'] and (
extras.get('donl_data_eigenaar') == package.maintainer)
log.debug(
'Allow donl_package_update? %s (pkg: %s - pkg.mnt: %s - user.mnt: %s',
result['success'], package.name, package.maintainer,
extras.get('donl_data_eigenaar'))
return result
def dgu_package_update(context, data_dict):
model = context['model']
user = context.get('user')
user_obj = model.User.get( user )
package = get_package_object(context, data_dict)
# Allow sysadmins to edit anything
# This includes UKLP harvested datasets.
# Note: the harvest user *is* a sysadmin
# Note: if changing this, check the code and comments in
# ckanext/forms/dataset_form.py:DatasetForm.form_to_db_schema_options()
# Sysadmins can edit ONS packages.
# Note: the dgu user *is* a sysadmin
if user_obj.sysadmin:
return {'success': True}
fail = {'success': False,
'msg': _('User %s not authorized to edit packages in these groups') % str(user)}
# UKLP datasets cannot be edited by the average admin/editor because they
# are harvested
if package.extras.get('UKLP', '') == 'True':
return fail
# ONSHUB datasets cannot be edited by the average admin/editor because they
# are automatically updated
if package.extras.get('external_reference') == 'ONSHUB':
return fail
# Leave the core CKAN auth to work out the hierarchy stuff
return ckan.logic.auth.update.package_update(context, data_dict)
def package_update(context, data_dict):
"""Overrides CKAN auth function to support personal datasets setting in organizations"""
result = _auth_update.package_update(context, data_dict)
if result['success']:
user = logic_auth.get_user_object(context, {'id': context.get('user')})
package = logic_auth.get_package_object(context, data_dict)
# Showcases don't have organizations
if package.type != "showcase":
org = logic_auth.get_group_object(context,
{'id': package.owner_org})
personal_datasets = 'personal_datasets' in org.extras.get(
'features', [])
if personal_datasets and package.creator_user_id != user.id:
result = {
'success':
False,
'msg':
_('Cannot modify dataset because of organization policy')
}
return result
def _get_owner_org(self, context, data_dict, action):
owner_org = None
# Check the context so we find the relevant org
if 'resource' in context and 'resource' in action:
resource = context['resource']
owner_org = resource.extras.get('owner_org', None)
if owner_org is None:
owner_org = resource.package.owner_org
elif 'group' in context:
owner_org = logic_auth.get_group_object(context, data_dict).id
elif 'owner_org' in data_dict:
owner_org = data_dict.get('owner_org')
elif 'package' in context and 'package' in action:
package = context['package']
owner_org = package.owner_org
elif 'org_data' in data_dict:
org_data = data_dict['org_data']
owner_org = org_data.get('id', None)
else:
try:
package = logic_auth.get_package_object(context, data_dict)
except (ValidationError, NotFound):
package = None
if package is None:
try:
owner_org = logic_auth.get_group_object(
context, data_dict).id
except (ValidationError, NotFound):
owner_org = None
else:
owner_org = package.owner_org
return owner_org
def is_owner(context, data_dict):
'''
This is used in "request edit rights" feature.
Checks if the user is creator, admin or editor of the
package in question
:param context: context
:param data_dict: package data
:type data_dict: dictionary
:rtype: dictionary
'''
# Package creator is always owner regardless of organizations
pkg = context.get('package', None) or Package.get(data_dict['id'])
user = context.get('user', False)
# If user id can't be resolved, user can't be owner
try:
user_id = convert_user_name_or_id_to_id(user, context)
except:
return {'success': False}
if pkg.creator_user_id == user_id:
return {'success': True}
# Check if the user has editor rights to this dataset through an organization
package = get_package_object(context, data_dict)
if authz.has_user_permission_for_group_or_org(package.owner_org, user, 'delete_dataset'):
return {'success': True}
return {'success': False}
def is_owner(context, data_dict):
'''
This is used in "request edit rights" feature.
Checks if the user is creator, admin or editor of the
package in question
:param context: context
:param data_dict: package data
:type data_dict: dictionary
:rtype: dictionary
'''
# Package creator is always owner regardless of organizations
pkg = context.get('package', None) or Package.get(data_dict['id'])
user = context.get('user', False)
# If user id can't be resolved, user can't be owner
try:
user_id = convert_user_name_or_id_to_id(user, context)
except:
return {'success': False}
if pkg.creator_user_id == user_id:
return {'success': True}
# Check if the user has editor rights to this dataset through an organization
package = get_package_object(context, data_dict)
if authz.has_user_permission_for_group_or_org(package.owner_org, user,
'delete_dataset'):
return {'success': True}
return {'success': False}
def journal_package_update(context, data_dict):
"""override ckan package_update. allow creator to update package if
package is private and not in review. 'create_dataset' permission must be
set in CKAN """
user = context.get('auth_user_obj')
pkg_obj = get_package_object(context, data_dict)
review_state_map = {
'true': True,
'false': False,
'reauthor': False,
'reviewed': False
}
def inreview():
if pkg_obj.state == 'draft':
return False
pkg_dict = tk.get_action('package_show')(None, {'id': pkg_obj.id})
return review_state_map.get(helpers.in_review(pkg_dict))
if user.id == getattr(pkg_obj, 'creator_user_id', False):
private = getattr(pkg_obj, 'private', False)
return {'success': private and not inreview()}
return ckan_pkgupdate(context, data_dict)
def package_delete(context, data_dict):
'''
Modified check from CKAN, whether the user has a permission to
delete the package. In addition to privileges given by CKAN's
authorisation, also the package owner has full privileges in Kata.
:param context: context
:type context: dictionary
:param data_dict: package data
:type data_dict: dictionary
:rtype: dictionary with 'success': True|False
'''
user = context['user']
package = get_package_object(context, data_dict)
if is_owner(context, data_dict)['success'] == True:
# if h.check_access('package_delete', data_dict):
return {'success': True}
else:
authorized = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'delete_dataset')
if not authorized:
return {
'success':
False,
'msg':
_('User %s not authorized to delete package %s') %
(str(user), package.id)
}
else:
return {'success': True}
def dgu_dataset_delete(context, data_dict):
"""
Determines whether a dataset's state can be set to "deleted".
Currently only sysadmin users can do this, apart from UKLP.
"""
model = context['model']
user = context.get('user')
if not user:
return {'success': False}
user_obj = model.User.get(user)
package = get_package_object(context, data_dict)
# Sysadmin can delete any package, including UKLP
if user_obj.sysadmin:
return {'success': True}
# Don't allow admin/editor to delete
# * apart from UKLP datasets which CAN be withdrawn by the appropriate
# admin/editor because they are all live services, so can't be cached to
# preserve them without the service provider's help
if package.extras.get('UKLP', '') != 'True':
return {'success': False}
# Leave the core CKAN auth to work out the hierarchy stuff
return ckan.logic.auth.delete.package_delete(context, data_dict)
def dgu_package_update(context, data_dict):
model = context['model']
user = context.get('user')
user_obj = model.User.get(user)
package = get_package_object(context, data_dict)
# Allow sysadmins to edit anything
# This includes UKLP harvested and organogram datasets.
# Note: the harvest user *is* a sysadmin
# Note: if changing this, check the code and comments in
# ckanext/forms/dataset_form.py:DatasetForm.form_to_db_schema_options()
if user_obj.sysadmin:
return {'success': True}
# UKLP datasets and other harvested datasets cannot be edited by the
# average admin/editor because changes will be overwritten on next harvest.
if dgu_helpers.was_dataset_harvested(package.extras):
return {'success': False,
'msg': _('User %s not authorized to edit harvested datasets')
% str(user)}
# Organogram datasets are managed by Drupal via the API
if dgu_helpers.is_dataset_organogram(package.extras):
return {'success': False,
'msg': _('User %s not authorized to edit organogram datasets')
% str(user)}
# Leave the core CKAN auth to work out the hierarchy stuff
return ckan.logic.auth.update.package_update(context, data_dict)
def package_update(fb, context, data_dict):
user = context['auth_user_obj']
package = get_package_object(context, data_dict)
if user_owns_package_as_member(user, package):
return {'success': True}
return fb(context, data_dict)
def dgu_dataset_delete(context, data_dict):
"""
Determines whether a dataset's state can be set to "deleted".
Currently only sysadmin users can do this, apart from UKLP.
"""
model = context['model']
user = context.get('user')
if not user:
return {'success': False}
user_obj = model.User.get(user)
package = get_package_object(context, data_dict)
# Sysadmin can delete any package, including UKLP
if user_obj.sysadmin:
return {'success': True}
# Don't allow admin/editor to delete
# * apart from UKLP datasets which CAN be withdrawn by the appropriate
# admin/editor because they are all live services, so can't be cached to
# preserve them without the service provider's help
if package.extras.get('UKLP', '') != 'True':
return {'success': False}
# Leave the core CKAN auth to work out the hierarchy stuff
return ckan.logic.auth.delete.package_delete(context, data_dict)
def is_owner(context, data_dict):
'''
This is used in "request edit rights" feature.
Checks if the user is admin or editor of the
package in question
:param context: context
:param data_dict: package data
:type data_dict: dictionary
:rtype: dictionary
'''
pkg = context.get('package', None)
roles = pkg.roles if pkg else Package.get(data_dict['id']).roles
user = context.get('user', False)
if user:
for role in roles:
ruser = User.get(role.user.id)
if user == ruser.name and role.role in ('admin', 'editor'):
return {'success': True}
# Check if the user has editor rights to this dataset through an organization
package = get_package_object(context, data_dict)
if new_authz.has_user_permission_for_group_or_org(package.owner_org, user, 'delete_dataset'):
return {'success': True}
return {'success': False}
def datapackage_show(context, data_dict):
"""
Generate the data required for a datapackage for the specified package.
"""
model = context['model']
try:
p.toolkit.check_access('package_show', context, data_dict)
pkg = get_package_object(context, data_dict).as_dict()
except logic.NotFound:
p.toolkit.abort(404)
datapackage = {
'id': pkg['id'],
'name': pkg['name'],
'title': pkg['title'],
'license': LICENSE_LOOKUP.get(pkg['license_id'], ''),
'resources': [],
}
if pkg['notes']:
datapackage['description'] = pkg['notes']
try:
package_zip = PackageZip.get_for_package(pkg['id'])
datapackage['filepath'] = package_zip.filepath
except Exception, ex:
pass
def package_update(context, data_dict):
'''
Customised package_update auth overrides default ckan behaviour.
Packages that have been imported by the RDF importer should not be edited
via the web interface. But obviously, they need to be updateable via the
API.
RDF-imported packages are identified by having an 'rdf' field.
'''
authorised_by_core = publisher_auth.update.package_update(
context, data_dict)
if authorised_by_core['success'] is False:
return authorised_by_core
elif 'api_version' in context:
return authorised_by_core
else:
package = ckan_auth.get_package_object(context, data_dict)
if 'rdf' in package.extras:
return {
'success': False,
'msg': 'Not authorized to edit RDF-imported datasets by hand. '
'Please re-import this dataset instead.'
}
else:
return authorised_by_core
def dgu_package_update(context, data_dict):
model = context['model']
user = context.get('user')
user_obj = model.User.get(user)
package = get_package_object(context, data_dict)
if Authorizer().is_sysadmin(user_obj):
return {'success': True}
# Only sysadmins can edit UKLP packages.
# Note: the harvest user *is* a sysadmin
# Note: if changing this, check the code and comments in
# ckanext/forms/dataset_form.py:DatasetForm.form_to_db_schema_options()
if package.extras.get('UKLP', '') == 'True':
return {
'success':
False,
'msg':
_('User %s not authorized to edit packages in these groups') %
str(user)
}
if not user_obj or \
not _groups_intersect( user_obj.get_groups('publisher'), package.get_groups('publisher') ):
return {
'success':
False,
'msg':
_('User %s not authorized to edit packages of this publisher') %
str(user)
}
return {'success': True}
def package_show(context, data_dict):
model = context['model']
user = context.get('user')
package = get_package_object(context, data_dict)
authorized = logic.check_access_old(package, model.Action.READ, context)
if not authorized:
return {
'success':
False,
'msg':
_('User %s not authorized to read package %s') %
(str(user), package.id)
}
else:
# draft state indicates package is still in the creation process
# so we need to check we have creation rights.
if package.state.startswith('draft'):
auth = ckan.new_authz.is_authorized('package_update', context,
data_dict)
if not auth.get('success'):
msg = _('User %s not authorized to read package %s') \
% (str(user),package.id)
return {'success': False, 'msg': msg}
return {'success': True}
def resource_show(context, data_dict):
'''Override ckan's auth function
'''
resource_id = data_dict.get('id')
acls = model.Session.query(ResourceAcl).filter(
ResourceAcl.resource_id == resource_id).all()
resource_obj = get_resource_object(context, data_dict)
package_obj = get_package_object(context, {'id': resource_obj.package_id})
# user = context.get('user')
# userobj = model.User.get(user)
user_obj = model.User.get(context.get('user'))
if user_obj:
user_id = user_obj.id
org_ids = user_obj.get_group_ids('organization')
for acl in acls:
if acl.auth_id == user_id and acl.auth_type == 'user':
return {'success': acl.permission == 'read'}
for acl in acls:
if acl.auth_id in org_ids and acl.auth_type == 'org' and acl.permission == 'read':
return {'success': True}
if package_obj.owner_org in org_ids:
return {'success': True}
# If there was an ACL and didn't get a match block access
if acls:
return {'success': False}
# Otherwise default to package permissions
return ckan_package_show(context, {'id': resource_obj.package_id})
def package_show(context, data_dict):
""" Package show permission checks the user group if the state is deleted """
model = context['model']
package = get_package_object(context, data_dict)
if package.state == 'deleted':
if 'ignore_auth' in context and context['ignore_auth']:
return {'success': True}
user = context.get('user')
if not user:
return {'success': False, 'msg': _('User not authorized to read package %s') % (package.id)}
userobj = model.User.get( user )
if Authorizer().is_sysadmin(unicode(user)):
return {'success': True}
if not userobj:
return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)}
if not _groups_intersect( userobj.get_groups('publisher'), package.get_groups('publisher') ):
return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)}
return {'success': True}
def package_update(context, data_dict):
user = context.get('user')
user_obj = context.get('auth_user_obj')
package = logic_auth.get_package_object(context, data_dict)
# Only the package creator can update it
if package and user_obj and package.creator_user_id == user_obj.id:
return {'success': True}
# if the user has rights to update a dataset in the organization or in the group
if package and package.owner_org:
authorized = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'update_dataset')
else:
authorized = False
if not authorized:
return {
'success':
False,
'msg':
_('User %s is not authorized to edit package %s') %
(user, package.id)
}
else:
return {'success': True}
def package_update(context, data_dict):
user = context['auth_user_obj']
package = get_package_object(context, data_dict)
if user_owns_package_as_member(user, package):
return {'success': True}
fallback = get_default_auth('update', 'package_update')
return fallback(context, data_dict)
def package_update(context, data_dict):
package = logic_auth.get_package_object(context, data_dict)
workflow, _ = workflow_helpers.get_workflow_from_package(package)
stage = workflow_helpers.get_stage_from_package(package)
if stage != workflow.finish:
return auth_update.package_update(context, data_dict)
return _success(False, 'Cannot edit published dataset')
def _package_update(context, data_dict=None):
user = context["user"]
package = auth.get_package_object(context, data_dict)
if package and package.type == "article":
return {"success": False, "msg": _("User %s not authorized to update articles") % user}
return auth.update.package_update(context, data_dict)
def package_update(context, data_dict):
user = context['auth_user_obj']
package = get_package_object(context, data_dict)
if user_owns_package_as_member(user, package):
return {'success': True}
fallback = get_default_auth('update', 'package_update')
return fallback(context, data_dict)
def managing_users_package_update(context, data_dict):
user = context.get('user')
package = logic_auth.get_package_object(context, data_dict)
extras = dict([(key, value) for key, value in package.extras.items()])
if package.owner_org:
# if there is an owner org then we must have update_dataset
# permission for that organization
check1 = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'update_dataset')
#Managing users have to be specified for datasets within an organization
managing_users = extras.get('managing_users', '')
managing_users = managing_users.split(',')
check1 = check1 and context['auth_user_obj'].name in managing_users
else:
# If dataset is not owned then we can edit if config permissions allow
if authz.auth_is_anon_user(context):
check1 = all(
authz.check_config_permission(p) for p in (
'anon_create_dataset',
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
))
else:
check1 = all(
authz.check_config_permission(p) for p in (
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
)) or authz.has_user_permission_for_some_org(
user, 'create_dataset')
#Managing users have to be specified for datasets without owner
#Else only creator can edit the dataset
managing_users = extras.get('managing_users', '')
managing_users = managing_users.split(',')
check1 = check1 and context['auth_user_obj'].name in managing_users
if context['auth_user_obj'].id == package.creator_user_id:
#If user is the creator of the package, he can edit it regardless
check1 = True
if not check1:
return {
'success':
False,
'msg':
_('User %s not authorized to edit package %s') %
(str(user), package.id)
}
else:
check2 = _check_group_auth(context, data_dict)
if not check2:
return {
'success':
False,
'msg':
_('User %s not authorized to edit these groups') % (str(user))
}
return {'success': True}
def resource_show(context, data_dict):
user = context.get('user')
user_obj = context.get('auth_user_obj')
resource = logic_auth.get_resource_object(context, data_dict)
# check authentication against package
package_dict = {'id': resource.package_id}
package = logic_auth.get_package_object(context, package_dict)
if not package:
raise tk.ObjectNotFound(
_('No package found for this resource, cannot check auth.'))
if package and user_obj and package.creator_user_id == user_obj.id:
return {'success': True}
# active packages can only be seen by its owners
if package.state == 'active':
# anyone can see a public package
if not package.private:
return {'success': True}
# if the user has rights to read in the organization or in the group
if package.owner_org:
authorized = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'read')
else:
authorized = False
if not authorized:
# Init the model
db.init_db(context['model'])
# Branch not executed if the database return an empty list
if db.AllowedUser.get(package_id=package.id, user_name=user):
authorized = True
if not authorized:
return {
'success':
False,
'msg':
_('User %s not authorized to read resource %s') %
(user, resource.id)
}
else:
return {'success': True}
else:
return {
'success':
False,
'msg':
_('User %s not authorized to read resource %s') %
(user, resource.id)
}
def package_delete(context, data_dict):
user = context['user']
package = get_package_object(context, data_dict)
authorized = new_authz.has_user_permission_for_group_or_org(package.owner_org, user, 'delete_dataset')
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to delete package %s') % (user, package.id)}
else:
return {'success': True}
def resource_create(fb, context, data_dict):
user = context['auth_user_obj']
package = get_package_object(context, data_dict)
if user_owns_package_as_member(user, package):
return {'success': True}
elif user_is_member_of_package_org(user, package):
return {'success': False}
return fb(context, data_dict)
def package_edit_permissions(context, data_dict):
model = context['model']
user = context['user']
package = get_package_object(context, data_dict)
authorized = logic.check_access_old(package, model.Action.EDIT_PERMISSIONS, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to edit permissions of package %s') % (str(user),package.id)}
else:
return {'success': True}
def resource_create(context, data_dict):
user = context['auth_user_obj']
package = get_package_object(context, data_dict)
if user_owns_package_as_member(user, package):
return {'success': True}
elif user_is_member_of_package_org(user, package):
return {'success': False}
fallback = get_default_auth('create', 'resource_create')
return fallback(context, data_dict)
def package_change_state(context, data_dict):
user = context['user']
package = get_package_object(context, data_dict)
# use the logic for package_update
authorized = new_authz.is_authorized_boolean('package_update', context, data_dict)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to change state of package %s') % (str(user),package.id)}
else:
return {'success': True}
def _package_review(context, data_dict=None):
can_update = tk.check_access('package_update', context, data_dict)
if can_update:
package = logic_auth.get_package_object(context, data_dict)
creator_user_id = converters.convert_user_name_or_id_to_id(tk.c.user, context)
if package and (package.maintainer == tk.c.user or package.creator_user_id == creator_user_id):
return {'success': True }
return {'success': False, 'msg': 'Not allowed to update suspended packages'}
def package_show(context, data_dict):
model = context['model']
user = context.get('user')
package = get_package_object(context, data_dict)
authorized = logic.check_access_old(package, model.Action.READ, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)}
else:
return {'success': True}
def resource_create(context, data_dict):
user = context['auth_user_obj']
package = get_package_object(context, data_dict)
if user_owns_package_as_member(user, package):
return {'success': True}
elif user_is_member_of_package_org(user, package):
return {'success': False}
fallback = get_default_auth('create', 'resource_create')
return fallback(context, data_dict)
def package_delete(context, data_dict):
model = context['model']
user = context['user']
package = get_package_object(context, data_dict)
authorized = logic.check_access_old(package, model.Action.PURGE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to delete package %s') % (str(user),package.id)}
else:
return {'success': True}
def package_change_state(context, data_dict):
model = context['model']
user = context['user']
package = get_package_object(context, data_dict)
authorized = check_access_old(package, model.Action.CHANGE_STATE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to change state of package %s') % (str(user),package.id)}
else:
return {'success': True}
def csc_auth_package_activity_list_html(context, data_dict):
user = context.get('user')
package = logic_auth.get_package_object(context, data_dict)
authorized = False
if package.owner_org:
authorized = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'update_dataset')
if not authorized:
return {'success': False, 'msg': _('Unauthorized to see this content')}
return {'success': True}
def package_change_state(context, data_dict):
model = context['model']
user = context['user']
package = get_package_object(context, data_dict)
authorized = logic.check_access_old(package, model.Action.CHANGE_STATE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to change state of package %s') % (str(user),package.id)}
else:
return {'success': True}
def package_show(context, data_dict):
model = context['model']
user = context.get('user')
package = get_package_object(context, data_dict)
authorized = check_access_old(package, model.Action.READ, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)}
else:
return {'success': True}
def package_update(context, data_dict):
model = context['model']
user = context.get('user')
package = logic_auth.get_package_object(context, data_dict)
if package.owner_org:
# if there is an owner org then we must have update_dataset
# permission for that organization
check1 = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'update_dataset')
else:
# If dataset is not owned then we can edit if config permissions allow
if authz.auth_is_anon_user(context):
check1 = all(
authz.check_config_permission(p) for p in (
'anon_create_dataset',
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
))
else:
check1 = all(
authz.check_config_permission(p) for p in (
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
)) or authz.has_user_permission_for_some_org(
user, 'create_dataset')
if not check1:
success = False
if authz.check_config_permission('allow_dataset_collaborators'):
# if org-level auth failed, check dataset-level auth
# (ie if user is a collaborator)
user_obj = model.User.get(user)
if user_obj:
success = authz.user_is_collaborator_on_dataset(
user_obj.id, package.id, ['admin', 'editor'])
if not success:
return {
'success':
False,
'msg':
_('User %s not authorized to edit package %s') %
(str(user), package.id)
}
else:
check2 = _check_group_auth(context, data_dict)
if not check2:
return {
'success':
False,
'msg':
_('User %s not authorized to edit these groups') % (str(user))
}
return {'success': True}
def test_get_package_object_with_id(self):
user_name = helpers.call_action('get_site_user')['name']
dataset = helpers.call_action('package_create',
context={'user': user_name},
name='test_dataset')
context = {'model': core_model}
obj = logic_auth.get_package_object(context, {'id': dataset['id']})
assert obj.id == dataset['id']
assert context['package'] == obj
def package_update(context, data_dict):
'''Only allow creator of a package to update it '''
user = context.get('user')
user_obj = model.User.get(user)
package = logic_auth.get_package_object(context, data_dict)
if package.creator_user_id == user_obj.id:
return {'success': True }
else:
return {'success': False,
'msg': _('User %s not authorized to edit package %s') %
(str(user), package.id)}
def package_delete(context, data_dict):
user = context.get('user')
package = logic_auth.get_package_object(context, data_dict)
can_package_update = new_authz.is_authorized(
'package_update', context, {'id': package.id})
if can_package_update.get('success'):
return can_package_update
else:
return {'success': False,
'msg': _('User %s not authorized to delete package %s') %
(str(user), package.id)}
def package_change_state(context, data_dict):
user = context["user"]
package = get_package_object(context, data_dict)
# use the logic for package_update
authorized = new_authz.is_authorized_boolean("package_update", context, data_dict)
if not authorized:
return {
"success": False,
"msg": _("User %s not authorized to change state of package %s") % (str(user), package.id),
}
else:
return {"success": True}
def package_change_state(context, data_dict):
model = context["model"]
user = context["user"]
package = get_package_object(context, data_dict)
authorized = check_access_old(package, model.Action.CHANGE_STATE, context)
if not authorized:
return {
"success": False,
"msg": _("User %s not authorized to change state of package %s") % (str(user), package.id),
}
else:
return {"success": True}
def package_edit_permissions(context, data_dict):
model = context["model"]
user = context["user"]
package = get_package_object(context, data_dict)
authorized = check_access_old(package, model.Action.EDIT_PERMISSIONS, context)
if not authorized:
return {
"success": False,
"msg": _("User %s not authorized to edit permissions of package %s") % (str(user), package.id),
}
else:
return {"success": True}
def managing_users_package_update(context, data_dict):
user = context.get('user')
package = logic_auth.get_package_object(context, data_dict)
extras = dict([(key, value) for key, value in package.extras.items()])
if package.owner_org:
# if there is an owner org then we must have update_dataset
# permission for that organization
check1 = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'update_dataset'
)
#Managing users have to be specified for datasets within an organization
managing_users = extras.get('managing_users', '')
managing_users = managing_users.split(',')
check1 = check1 and context['auth_user_obj'].name in managing_users
else:
# If dataset is not owned then we can edit if config permissions allow
if authz.auth_is_anon_user(context):
check1 = all(authz.check_config_permission(p) for p in (
'anon_create_dataset',
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
))
else:
check1 = all(authz.check_config_permission(p) for p in (
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
)) or authz.has_user_permission_for_some_org(
user, 'create_dataset')
#Managing users have to be specified for datasets without owner
#Else only creator can edit the dataset
managing_users = extras.get('managing_users', '')
managing_users = managing_users.split(',')
check1 = check1 and context['auth_user_obj'].name in managing_users
if context['auth_user_obj'].id == package.creator_user_id:
#If user is the creator of the package, he can edit it regardless
check1 = True
if not check1:
return {'success': False,
'msg': _('User %s not authorized to edit package %s') %
(str(user), package.id)}
else:
check2 = _check_group_auth(context, data_dict)
if not check2:
return {'success': False,
'msg': _('User %s not authorized to edit these groups') %
(str(user))}
return {'success': True}
def package_update(context, data_dict):
model = context['model']
user = context.get('user')
package = get_package_object(context, data_dict)
check1 = logic.check_access_old(package, model.Action.EDIT, context)
if not check1:
return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)}
else:
check2 = _check_group_auth(context,data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % str(user)}
return {'success': True}
