def access_request_update(context, data_dict):
user = context.get('user')
request_id = toolkit.get_or_bust(data_dict, "id")
request = model.Session.query(AccessRequest).get(request_id)
if not request:
raise toolkit.ObjectNotFound("Access Request not found")
if request.object_type not in ['organization', 'package', 'user']:
raise toolkit.Invalid("Unknown Object Type")
if request.object_type == 'package':
package = toolkit.get_action('package_show')(context, {
'id': request.object_id
})
org_id = package['owner_org']
return {
'success':
has_user_permission_for_group_or_org(org_id, user, 'admin')
}
elif request.object_type == 'organization':
org_id = request.object_id
return {
'success':
has_user_permission_for_group_or_org(org_id, user, 'admin')
}
elif request.object_type == 'user':
data_dict = {
'id':
request.object_id,
'renew_expiry_date':
request.data.get(
'user_request_type',
USER_REQUEST_TYPE_NEW) == USER_REQUEST_TYPE_RENEWAL
}
return external_user_update_state(context, data_dict)
def user_has_admin_editor_org_access(group_id, user_name):
"""
Return False if the user does not have
admin, editor, or sysadmin access to the datasets organisation.
"""
return authz.has_user_permission_for_group_or_org(group_id, user_name,
'create_dataset')
def page_privacy(context, data_dict):
if db.pages_table is None:
db.init_db(context['model'])
org_id = data_dict.get('org_id')
page = data_dict.get('page')
out = db.Page.get(group_id=org_id, name=page)
if out and out.private == False:
return {'success': True}
# no org_id means it's a universal page
if not org_id:
if out and out.private:
return {'success': False}
return {'success': True}
group = context['model'].Group.get(org_id)
user = context['user']
authorized = authz.has_user_permission_for_group_or_org(
group.id, user, 'read')
if not authorized:
return {
'success': False,
'msg':
p.toolkit._('User %s not authorized to read this page') % user
}
else:
return {'success': True}
def package_create(context, data_dict=None):
user = context['user']
if authz.auth_is_anon_user(context):
check1 = all(authz.check_config_permission(p) for p in (
'anon_create_dataset',
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
))
else:
check1 = all(authz.check_config_permission(p) for p in (
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
)) or authz.has_user_permission_for_some_org(
user, 'create_dataset')
if not check1:
return {'success': False, 'msg': _('User %s not authorized to create packages') % user}
check2 = _check_group_auth(context,data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user}
# If an organization is given are we able to add a dataset to it?
data_dict = data_dict or {}
org_id = data_dict.get('owner_org')
if org_id and not authz.has_user_permission_for_group_or_org(
org_id, user, 'create_dataset'):
return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user}
return {'success': True}
def get_packages_for_this_group(group_, just_the_count=False):
# Ask SOLR for the list of packages for this org/group
q = {
'facet': 'false',
'rows': 0,
}
if group_.is_organization:
q['fq'] = 'owner_org:"{0}"'.format(group_.id)
else:
q['fq'] = 'groups:"{0}"'.format(group_.name)
# Allow members of organizations to see private datasets.
if group_.is_organization:
is_group_member = (context.get('user') and
authz.has_user_permission_for_group_or_org(
group_.id, context.get('user'), 'read'))
if is_group_member:
context['ignore_capacity_check'] = True
if not just_the_count:
# Is there a packages limit in the context?
try:
packages_limit = context['limits']['packages']
except KeyError:
q['rows'] = 1000 # Only the first 1000 datasets are returned
else:
q['rows'] = packages_limit
search_context = dict((k, v) for (k, v) in context.items()
if k != 'schema')
search_results = logic.get_action('package_search')(search_context,
q)
return search_results['count'], search_results['results']
def owner_org_validator(key, data, errors, context):
value = data.get(key)
if value is missing or value is None:
if not authz.check_config_permission('create_unowned_dataset'):
raise Invalid(_('An organization must be provided'))
data.pop(key, None)
raise df.StopOnError
model = context['model']
user = context['user']
user = model.User.get(user)
if value == '':
if not authz.check_config_permission('create_unowned_dataset'):
raise Invalid(_('An organization must be provided'))
return
group = model.Group.get(value)
if not group:
raise Invalid(_('Organization does not exist'))
group_id = group.id
if not context.get(u'ignore_auth', False) and not (
user.sysadmin or authz.has_user_permission_for_group_or_org(
group_id, user.name, 'create_dataset')):
raise Invalid(_('You cannot add a dataset to this organization'))
data[key] = group_id
def get_packages_for_this_group(group_, just_the_count=False):
# Ask SOLR for the list of packages for this org/group
q = {
'facet': 'false',
'rows': 0,
}
if group_.is_organization:
q['fq'] = 'owner_org:"{0}"'.format(group_.id)
else:
q['fq'] = 'groups:"{0}"'.format(group_.name)
# Allow members of organizations to see private datasets.
if group_.is_organization:
is_group_member = (context.get('user') and
authz.has_user_permission_for_group_or_org(
group_.id, context.get('user'), 'read'))
if is_group_member:
q['include_private'] = True
if not just_the_count:
# Is there a packages limit in the context?
try:
packages_limit = context['limits']['packages']
except KeyError:
q['rows'] = 1000 # Only the first 1000 datasets are returned
else:
q['rows'] = packages_limit
search_context = dict(
(k, v) for (k, v) in context.items() if k != 'schema')
search_results = logic.get_action('package_search')(search_context,
q)
return search_results['count'], search_results['results']
def owner_org_validator(key, data, errors, context):
value = data.get(key)
if value is missing or value is None:
if not authz.check_config_permission('create_unowned_dataset'):
raise Invalid(_('An organization must be provided'))
data.pop(key, None)
raise df.StopOnError
model = context['model']
user = context['user']
user = model.User.get(user)
if value == '':
if not authz.check_config_permission('create_unowned_dataset'):
raise Invalid(_('An organization must be provided'))
return
group = model.Group.get(value)
if not group:
raise Invalid(_('Organization does not exist'))
group_id = group.id
if not context.get(u'ignore_auth', False) and not(user.sysadmin or
authz.has_user_permission_for_group_or_org(
group_id, user.name, 'create_dataset')):
raise Invalid(_('You cannot add a dataset to this organization'))
data[key] = group_id
def page_privacy(context, data_dict):
if db.pages_table is None:
db.init_db(context['model'])
org_id = data_dict.get('org_id')
page = data_dict.get('page')
out = db.Page.get(group_id=org_id, name=page)
if out and out.private == False:
return {'success': True}
# CCG change: permit anonymous listing of available pages
if page == '' and out is None:
return {'success': True}
# no org_id means it's a universal page
if not org_id:
if out and out.private:
return {'success': False}
return {'success': True}
group = context['model'].Group.get(org_id)
user = context['user']
authorized = authz.has_user_permission_for_group_or_org(group.id,
user,
'read')
if not authorized:
return {'success': False,
'msg': p.toolkit._(
'User %s not authorized to read this page') % user}
else:
return {'success': True}
def _pages_list(context, data_dict):
search = {}
if db.pages_table is None:
db.init_db(context['model'])
org_id = data_dict.get('org_id')
ordered = data_dict.get('order')
order_publish_date = data_dict.get('order_publish_date')
page_type = data_dict.get('page_type')
private = data_dict.get('private', True)
if ordered:
search['order'] = True
if page_type:
search['page_type'] = page_type
if order_publish_date:
search['order_publish_date'] = True
if not org_id:
search['group_id'] = None
try:
p.toolkit.check_access('ckanext_pages_update', context, data_dict)
if not private:
search['private'] = False
except p.toolkit.NotAuthorized:
search['private'] = False
else:
group = context['model'].Group.get(org_id)
user = context['user']
member = authz.has_user_permission_for_group_or_org(
group.id, user, 'read')
search['group_id'] = org_id
if not member:
search['private'] = False
out = db.Page.pages(**search)
out_list = []
for pg in out:
parser = HTMLFirstImage()
parser.feed(pg.content)
img = parser.first_image
pg_row = {
'title': pg.title,
'title_nl': pg.title_nl,
'title_fr': pg.title_fr,
'title_de': pg.title_de,
'content': pg.content,
'content_nl': pg.content_nl,
'content_fr': pg.content_fr,
'content_de': pg.content_de,
'name': pg.name,
'publish_date':
pg.publish_date.isoformat() if pg.publish_date else None,
'group_id': pg.group_id,
'page_type': pg.page_type,
'private': pg.private
}
if img:
pg_row['image'] = img
extras = pg.extras
if extras:
pg_row.update(json.loads(pg.extras))
out_list.append(pg_row)
return out_list
def package_create(context, data_dict=None):
user = context['user']
user_object = context.get('auth_user_obj')
#Sysadmin user has all the previliges
if user_object and user_object.sysadmin :
{'success': True}
#Do not authorize anonymous users
if authz.auth_is_anon_user(context):
return {'success': False, 'msg': _('User %s not authorized to create packages') % user}
#Check if the user has the editor or admin role in some org/suborg
check1 = all(authz.check_config_permission(p) for p in (
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
)) or authz.has_user_permission_for_some_org(
user, 'create_dataset')
if not check1:
return {'success': False, 'msg': _('User %s not authorized to create packages') % user}
check2 = _check_group_auth(context,data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user}
# If an organization is given are we able to add a dataset to it?
data_dict = data_dict or {}
org_id = data_dict.get('owner_org')
if org_id and not authz.has_user_permission_for_group_or_org(
org_id, user, 'create_dataset'):
return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user}
return {'success': True}
def get_packages_for_this_group(group_, just_the_count=False):
# Ask SOLR for the list of packages for this org/group
q = {
'facet': 'false',
'rows': 0,
}
if group_.is_organization:
q['fq'] = 'owner_org:"{0}"'.format(group_.id)
else:
q['fq'] = 'groups:"{0}"'.format(group_.name)
# Allow members of organizations to see private datasets.
if group_.is_organization:
is_group_member = (context.get('user') and
authz.has_user_permission_for_group_or_org(
group_.id, context.get('user'), 'read'))
if is_group_member:
q['include_private'] = True
if not just_the_count:
# package_search limits 'rows' anyway, so this is only if you
# want even fewer
try:
packages_limit = context['limits']['packages']
except KeyError:
del q['rows'] # leave it to package_search to limit it
else:
q['rows'] = packages_limit
search_context = dict((k, v) for (k, v) in context.items()
if k != 'schema')
search_results = logic.get_action('package_search')(search_context,
q)
return search_results['count'], search_results['results']
def get_dataset_search_results(self, org_code):
user = c.user or c.author
ignore_capacity_check = False
is_org_member = (user and
new_authz.has_user_permission_for_group_or_org(org_code, user, 'read'))
if is_org_member:
ignore_capacity_check = True
package_type = 'dataset'
suffix = '#datasets-section'
params_nopage = {
k: v for k, v in request.params.items() if k != 'page'}
def pager_url(q=None, page=None):
params = params_nopage
params['page'] = page
return h.url_for('organization_read', id=org_code, **params) + suffix
fq = 'organization:"{}"'.format(org_code)
# facets = {
# 'vocab_Topics': _('Topics')
# }
full_facet_info = self._search(package_type, pager_url, additional_fq=fq,
ignore_capacity_check=ignore_capacity_check)
full_facet_info.get('facets', {}).pop('organization', {})
c.other_links['current_page_url'] = h.url_for('organization_read', id=org_code)
return full_facet_info
def member_create(context, data_dict):
group = logic_auth.get_group_object(context, data_dict)
user = context['user']
# User must be able to update the group to add a member to it
permission = 'update'
# However if the user is member of group then they can add/remove datasets
if not group.is_organization and data_dict.get('object_type') == 'package':
permission = 'manage_group'
authorized = authz.has_user_permission_for_group_or_org(
group.id, user, permission)
if not authorized:
return {
'success':
False,
'msg':
_('User %s not authorized to edit group %s') %
(str(user), group.id)
}
else:
if authz.config.get('ckan.gov_theme.is_back'):
return {'success': True}
else:
return {'success': False}
def member_create(context, data_dict):
try:
group = tk.get_action('group_show')(data_dict=data_dict)
except toolkit.ObjectNotFound:
return {'success': False, 'msg': 'Couldn' 't find group'}
if group['name'] == u'local':
return {'success': True}
user = context['user']
# User must be able to update the group to add a member to it
permission = 'update'
# However if the user is member of group then they can add/remove datasets
if not group['is_organization'] and data_dict.get(
'object_type') == 'package':
permission = 'manage_group'
authorized = authz.has_user_permission_for_group_or_org(
group['id'], user, permission)
if not authorized:
return {
'success':
False,
'msg':
'User %s not authorized to edit group %s' %
(str(user), group['id'])
}
else:
return {'success': True}
def fetch_dataset_info(self):
self._fetched_dataset_info = True
context = {
'model': model,
'session': model.Session,
'user': self._username,
}
user = self._username
ignore_capacity_check = False
is_org_member = (user and
new_authz.has_user_permission_for_group_or_org(self.id, user, 'read'))
if is_org_member:
ignore_capacity_check = True
context['ignore_capacity_check'] = ignore_capacity_check
data_dict = {
'q': '',
'fq': 'organization:"{}" +dataset_type:dataset'.format(self.org_dict.get('name')),
'rows': 1,
'start': 0,
'include_private': True if ignore_capacity_check else False,
'extras': {}
}
query = logic.get_action('package_search')(context, data_dict)
self.datasets_num = query['count']
def get_packages_for_this_group(group_, just_the_count=False):
# Ask SOLR for the list of packages for this org/group
q = {
'facet': 'false',
'rows': 0,
}
if group_.is_organization:
q['fq'] = '+owner_org:"{0}"'.format(group_.id)
else:
q['fq'] = '+groups:"{0}"'.format(group_.name)
# Allow members of organizations to see private datasets.
if group_.is_organization:
is_group_member = (context.get('user') and
authz.has_user_permission_for_group_or_org(
group_.id, context.get('user'), 'read'))
if is_group_member:
q['include_private'] = True
if not just_the_count:
# package_search limits 'rows' anyway, so this is only if you
# want even fewer
try:
packages_limit = context['limits']['packages']
except KeyError:
del q['rows'] # leave it to package_search to limit it
else:
q['rows'] = packages_limit
search_context = dict((k, v) for (k, v) in context.items()
if k != 'schema')
search_results = logic.get_action('package_search')(search_context,
q)
return search_results['count'], search_results['results']
def is_owner(context, data_dict):
'''
This is used in "request edit rights" feature.
Checks if the user is creator, admin or editor of the
package in question
:param context: context
:param data_dict: package data
:type data_dict: dictionary
:rtype: dictionary
'''
# Package creator is always owner regardless of organizations
pkg = context.get('package', None) or Package.get(data_dict['id'])
user = context.get('user', False)
# If user id can't be resolved, user can't be owner
try:
user_id = convert_user_name_or_id_to_id(user, context)
except:
return {'success': False}
if pkg.creator_user_id == user_id:
return {'success': True}
# Check if the user has editor rights to this dataset through an organization
package = get_package_object(context, data_dict)
if authz.has_user_permission_for_group_or_org(package.owner_org, user, 'delete_dataset'):
return {'success': True}
return {'success': False}
def is_owner(context, data_dict):
'''
This is used in "request edit rights" feature.
Checks if the user is creator, admin or editor of the
package in question
:param context: context
:param data_dict: package data
:type data_dict: dictionary
:rtype: dictionary
'''
# Package creator is always owner regardless of organizations
pkg = context.get('package', None) or Package.get(data_dict['id'])
user = context.get('user', False)
# If user id can't be resolved, user can't be owner
try:
user_id = convert_user_name_or_id_to_id(user, context)
except:
return {'success': False}
if pkg.creator_user_id == user_id:
return {'success': True}
# Check if the user has editor rights to this dataset through an organization
package = get_package_object(context, data_dict)
if authz.has_user_permission_for_group_or_org(package.owner_org, user,
'delete_dataset'):
return {'success': True}
return {'success': False}
def package_show(context, data_dict):
user = context.get('user')
package = get_package_object(context, data_dict)
# draft state indicates package is still in the creation process
# so we need to check we have creation rights.
if package.state.startswith('draft'):
auth = authz.is_authorized('package_update', context, data_dict)
authorized = auth.get('success')
elif package.owner_org is None and package.state == 'active':
return {'success': True}
else:
# anyone can see a public package
if not package.private and package.state == 'active':
return {'success': True}
authorized = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'read')
if not authorized:
return {
'success':
False,
'msg':
_('User %s not authorized to read package %s') % (user, package.id)
}
else:
return {'success': True}
def package_delete(context, data_dict):
'''
Modified check from CKAN, whether the user has a permission to
delete the package. In addition to privileges given by CKAN's
authorisation, also the package owner has full privileges in Kata.
:param context: context
:type context: dictionary
:param data_dict: package data
:type data_dict: dictionary
:rtype: dictionary with 'success': True|False
'''
user = context['user']
package = get_package_object(context, data_dict)
if is_owner(context, data_dict)['success'] == True:
# if h.check_access('package_delete', data_dict):
return {'success': True}
else:
authorized = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'delete_dataset')
if not authorized:
return {
'success':
False,
'msg':
_('User %s not authorized to delete package %s') %
(str(user), package.id)
}
else:
return {'success': True}
def member_create(context, data_dict):
"""
This code is largely borrowed from /src/ckan/ckan/logic/auth/create.py
With a modification to allow users to add datasets to any group
:param context:
:param data_dict:
:return:
"""
group = logic_auth.get_group_object(context, data_dict)
user = context['user']
# User must be able to update the group to add a member to it
permission = 'update'
# However if the user is member of group then they can add/remove datasets
if not group.is_organization and data_dict.get('object_type') == 'package':
permission = 'manage_group'
if c.controller in ['package', 'dataset'] and c.action in ['groups']:
authorized = helpers.user_has_admin_access(True)
else:
authorized = authz.has_user_permission_for_group_or_org(
group.id, user, permission)
if not authorized:
return {
'success':
False,
'msg':
_('User %s not authorized to edit group %s') %
(str(user), group.id)
}
else:
return {'success': True}
def package_update(context, data_dict):
user = context.get('user')
user_obj = context.get('auth_user_obj')
package = logic_auth.get_package_object(context, data_dict)
# Only the package creator can update it
if package and user_obj and package.creator_user_id == user_obj.id:
return {'success': True}
# if the user has rights to update a dataset in the organization or in the group
if package and package.owner_org:
authorized = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'update_dataset')
else:
authorized = False
if not authorized:
return {
'success':
False,
'msg':
_('User %s is not authorized to edit package %s') %
(user, package.id)
}
else:
return {'success': True}
def package_create(context, data_dict=None):
user = context['user']
if authz.auth_is_anon_user(context):
check1 = all(authz.check_config_permission(p) for p in (
'anon_create_dataset',
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
))
else:
check1 = all(authz.check_config_permission(p) for p in (
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
)) or authz.has_user_permission_for_some_org(
user, 'create_dataset')
if not check1:
return {'success': False, 'msg': _('User %s not authorized to create packages') % user}
check2 = _check_group_auth(context,data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user}
# If an organization is given are we able to add a dataset to it?
data_dict = data_dict or {}
org_id = data_dict.get('owner_org')
if org_id and not authz.has_user_permission_for_group_or_org(
org_id, user, 'create_dataset'):
return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user}
return {'success': True}
def owner_org_validator(key, data, errors, context):
value = data.get(key)
if value is missing or value is None:
if not authz.check_config_permission('create_unowned_dataset'):
raise Invalid(_('An organization must be provided'))
data.pop(key, None)
raise df.StopOnError
model = context['model']
user = context['user']
user = model.User.get(user)
package = context.get('package')
if value == '':
if not authz.check_config_permission('create_unowned_dataset'):
raise Invalid(_('An organization must be provided'))
return
if (authz.check_config_permission('allow_dataset_collaborators')
and not authz.check_config_permission(
'allow_collaborators_to_change_owner_org')):
if package and user and not user.sysadmin:
is_collaborator = authz.user_is_collaborator_on_dataset(
user.id, package.id, ['admin', 'editor'])
if is_collaborator:
# User is a collaborator, check if it's also a member with
# edit rights of the current organization (redundant, but possible)
user_orgs = logic.get_action('organization_list_for_user')(
{
'ignore_auth': True
}, {
'id': user.id,
'permission': 'update_dataset'
})
user_is_org_member = package.owner_org in [
org['id'] for org in user_orgs
]
if data.get(
key) != package.owner_org and not user_is_org_member:
raise Invalid(
_('You cannot move this dataset to another organization'
))
group = model.Group.get(value)
if not group:
raise Invalid(_('Organization does not exist'))
group_id = group.id
if not package or (package and package.owner_org != group_id):
# This is a new dataset or we are changing the organization
if not context.get(u'ignore_auth', False) and not (
user.sysadmin or authz.has_user_permission_for_group_or_org(
group_id, user.name, 'create_dataset')):
raise Invalid(_('You cannot add a dataset to this organization'))
data[key] = group_id
def bulk_update_public(context: Context, data_dict: DataDict) -> AuthResult:
org_id = data_dict.get('org_id')
user = context['user']
authorized = authz.has_user_permission_for_group_or_org(
org_id, user, 'update')
if not authorized:
return {'success': False}
return {'success': True}
def bulk_update_delete(context, data_dict):
org_id = data_dict.get('org_id')
user = context['user']
authorized = authz.has_user_permission_for_group_or_org(
org_id, user, 'update')
if not authorized:
return {'success': False}
return {'success': True}
def bulk_update_delete(context, data_dict):
org_id = data_dict.get('org_id')
user = context['user']
authorized = authz.has_user_permission_for_group_or_org(
org_id, user, 'update')
if not authorized:
return {'success': False}
return {'success': True}
def csc_auth_organization_activity_list_html(context, data_dict):
user = context.get('user')
organization = logic_auth.get_group_object(context, data_dict)
authorized = authz.has_user_permission_for_group_or_org(
organization.id, user, 'update')
if not authorized:
return {'success': False, 'msg': _('Unauthorized to see this content')}
return {'success': True}
def managing_users_package_update(context, data_dict):
user = context.get('user')
package = logic_auth.get_package_object(context, data_dict)
extras = dict([(key, value) for key, value in package.extras.items()])
if package.owner_org:
# if there is an owner org then we must have update_dataset
# permission for that organization
check1 = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'update_dataset')
#Managing users have to be specified for datasets within an organization
managing_users = extras.get('managing_users', '')
managing_users = managing_users.split(',')
check1 = check1 and context['auth_user_obj'].name in managing_users
else:
# If dataset is not owned then we can edit if config permissions allow
if authz.auth_is_anon_user(context):
check1 = all(
authz.check_config_permission(p) for p in (
'anon_create_dataset',
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
))
else:
check1 = all(
authz.check_config_permission(p) for p in (
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
)) or authz.has_user_permission_for_some_org(
user, 'create_dataset')
#Managing users have to be specified for datasets without owner
#Else only creator can edit the dataset
managing_users = extras.get('managing_users', '')
managing_users = managing_users.split(',')
check1 = check1 and context['auth_user_obj'].name in managing_users
if context['auth_user_obj'].id == package.creator_user_id:
#If user is the creator of the package, he can edit it regardless
check1 = True
if not check1:
return {
'success':
False,
'msg':
_('User %s not authorized to edit package %s') %
(str(user), package.id)
}
else:
check2 = _check_group_auth(context, data_dict)
if not check2:
return {
'success':
False,
'msg':
_('User %s not authorized to edit these groups') % (str(user))
}
return {'success': True}
def has_user_permission_for_org(context, data_dict):
user = context.get('user', '')
org_id = data_dict.get('org_id', '')
permission = data_dict.get('permission', '')
if authz.has_user_permission_for_group_or_org(org_id, user, permission):
return {'success': True}
else:
return {'success': False,
'msg': _('User {0} is not authorized to {1} for organisation {2}'.format(user, permission, org_id))}
def _group_or_org_member_create(context: Context,
data_dict: DataDict) -> AuthResult:
user = context['user']
group_id = data_dict['id']
if not authz.has_user_permission_for_group_or_org(
group_id, user, 'membership'):
return {'success': False,
'msg': _('User %s not authorized to add members') % user}
return {'success': True}
def resource_show(context, data_dict):
user = context.get('user')
user_obj = context.get('auth_user_obj')
resource = logic_auth.get_resource_object(context, data_dict)
# check authentication against package
package_dict = {'id': resource.package_id}
package = logic_auth.get_package_object(context, package_dict)
if not package:
raise tk.ObjectNotFound(
_('No package found for this resource, cannot check auth.'))
if package and user_obj and package.creator_user_id == user_obj.id:
return {'success': True}
# active packages can only be seen by its owners
if package.state == 'active':
# anyone can see a public package
if not package.private:
return {'success': True}
# if the user has rights to read in the organization or in the group
if package.owner_org:
authorized = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'read')
else:
authorized = False
if not authorized:
# Init the model
db.init_db(context['model'])
# Branch not executed if the database return an empty list
if db.AllowedUser.get(package_id=package.id, user_name=user):
authorized = True
if not authorized:
return {
'success':
False,
'msg':
_('User %s not authorized to read resource %s') %
(user, resource.id)
}
else:
return {'success': True}
else:
return {
'success':
False,
'msg':
_('User %s not authorized to read resource %s') %
(user, resource.id)
}
def group_show(context, data_dict):
user = context.get("user")
group = get_group_object(context, data_dict)
if group.state == "active":
return {"success": True}
authorized = authz.has_user_permission_for_group_or_org(group.id, user, "read")
if authorized:
return {"success": True}
else:
return {"success": False, "msg": _("User %s not authorized to read group %s") % (user, group.id)}
def group_delete(context, data_dict):
group = get_group_object(context, data_dict)
user = context["user"]
if not authz.check_config_permission("user_delete_groups"):
return {"success": False, "msg": _("User %s not authorized to delete groups") % user}
authorized = authz.has_user_permission_for_group_or_org(group.id, user, "delete")
if not authorized:
return {"success": False, "msg": _("User %s not authorized to delete group %s") % (user, group.id)}
else:
return {"success": True}
def csc_auth_package_activity_list_html(context, data_dict):
user = context.get('user')
package = logic_auth.get_package_object(context, data_dict)
authorized = False
if package.owner_org:
authorized = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'update_dataset')
if not authorized:
return {'success': False, 'msg': _('Unauthorized to see this content')}
return {'success': True}
def package_update(context, data_dict):
model = context['model']
user = context.get('user')
package = logic_auth.get_package_object(context, data_dict)
if package.owner_org:
# if there is an owner org then we must have update_dataset
# permission for that organization
check1 = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'update_dataset')
else:
# If dataset is not owned then we can edit if config permissions allow
if authz.auth_is_anon_user(context):
check1 = all(
authz.check_config_permission(p) for p in (
'anon_create_dataset',
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
))
else:
check1 = all(
authz.check_config_permission(p) for p in (
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
)) or authz.has_user_permission_for_some_org(
user, 'create_dataset')
if not check1:
success = False
if authz.check_config_permission('allow_dataset_collaborators'):
# if org-level auth failed, check dataset-level auth
# (ie if user is a collaborator)
user_obj = model.User.get(user)
if user_obj:
success = authz.user_is_collaborator_on_dataset(
user_obj.id, package.id, ['admin', 'editor'])
if not success:
return {
'success':
False,
'msg':
_('User %s not authorized to edit package %s') %
(str(user), package.id)
}
else:
check2 = _check_group_auth(context, data_dict)
if not check2:
return {
'success':
False,
'msg':
_('User %s not authorized to edit these groups') % (str(user))
}
return {'success': True}
def _pages_list(context, data_dict):
search = {}
if db.pages_table is None:
db.init_db(context['model'])
org_id = data_dict.get('org_id')
ordered = data_dict.get('order')
order_publish_date = data_dict.get('order_publish_date')
page_type = data_dict.get('page_type')
private = data_dict.get('private', True)
if ordered:
search['order'] = True
if page_type:
search['page_type'] = page_type
if order_publish_date:
search['order_publish_date'] = True
if not org_id:
search['group_id'] = None
try:
p.toolkit.check_access('ckanext_pages_update', context, data_dict)
if not private:
search['private'] = False
except p.toolkit.NotAuthorized:
search['private'] = False
else:
group = context['model'].Group.get(org_id)
user = context['user']
member = authz.has_user_permission_for_group_or_org(
group.id, user, 'read')
search['group_id'] = org_id
if not member:
search['private'] = False
out = db.Page.pages(**search)
out_list = []
# cdc
for pg in out:
parser = HTMLFirstImage()
parser.feed(pg.content)
img = parser.first_image
pg_row = {'title': pg.title,
'ename': pg.ename,
'cname': pg.cname,
'content': pg.content,
'econtent': pg.econtent,
'name': pg.name,
'publish_date': pg.publish_date.isoformat() if pg.publish_date else None,
'group_id': pg.group_id,
'page_type': pg.page_type,
}
if img:
pg_row['image'] = img
extras = pg.extras
if extras:
pg_row.update(json.loads(pg.extras))
out_list.append(pg_row)
return out_list
def _populate_template_data(org_dict):
user = c.user or c.author
ignore_capacity_check = False
is_org_member = (user and new_authz.has_user_permission_for_group_or_org(org_dict.get('name'), user, 'read'))
if is_org_member:
ignore_capacity_check = True
package_type = 'dataset'
search_logic = OrganizationSearchLogic(id=org_dict.get('name'))
fq = 'organization:"{}"'.format(org_dict.get('name'))
search_logic._search(package_type, additional_fq=fq, ignore_capacity_check=ignore_capacity_check)
org_dict['template_data'] = search_logic.template_data
def organization_update(context, data_dict):
group = logic_auth.get_group_object(context, data_dict)
user = context['user']
authorized = authz.has_user_permission_for_group_or_org(
group.id, user, 'update')
if not authorized:
return {'success': False,
'msg': _('User %s not authorized to edit organization %s') %
(user, group.id)}
else:
return {'success': True}
def group_show(context, data_dict):
user = context.get('user')
group = get_group_object(context, data_dict)
if group.state == 'active':
return {'success': True}
authorized = authz.has_user_permission_for_group_or_org(
group.id, user, 'read')
if authorized:
return {'success': True}
else:
return {'success': False, 'msg': _('User %s not authorized to read group %s') % (user, group.id)}
def group_show(context, data_dict):
user = context.get('user')
group = get_group_object(context, data_dict)
if group.state == 'active':
return {'success': True}
authorized = authz.has_user_permission_for_group_or_org(
group.id, user, 'read')
if authorized:
return {'success': True}
else:
return {'success': False, 'msg': _('User %s not authorized to read group %s') % (user, group.id)}
def organization_update(context, data_dict):
group = logic_auth.get_group_object(context, data_dict)
user = context['user']
authorized = authz.has_user_permission_for_group_or_org(
group.id, user, 'update')
if not authorized:
return {'success': False,
'msg': _('User %s not authorized to edit organization %s') %
(user, group.id)}
else:
return {'success': True}
def organization_delete(context, data_dict):
group = get_group_object(context, data_dict)
user = context['user']
if not authz.check_config_permission('user_delete_organizations'):
return {'success': False,
'msg': _('User %s not authorized to delete organizations') % user}
authorized = authz.has_user_permission_for_group_or_org(
group.id, user, 'delete')
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to delete organization %s') % (user ,group.id)}
else:
return {'success': True}
def package_create(context, data_dict=None):
'''
Modified from CKAN's original check. Any logged in user can add
a dataset to any organisation.
Packages owner check is done when adding a resource.
:param context: context
:param data_dict: data_dict
:return: dictionary with 'success': True|False
'''
user = context['user']
# Needed in metadata supplements
if context.get('package', False):
return is_owner(context, context.get('package').get('id'))
# If an organization is given are we able to add a dataset to it?
data_dict = data_dict or {}
org_id = data_dict.get('owner_org', False)
if org_id and not kata_has_user_permission_for_org(
org_id, user, 'create_dataset'):
return {'success': False, 'msg': _('User %s not authorized to add a dataset') % user}
elif org_id and kata_has_user_permission_for_org(org_id, user, 'create_dataset'):
return {'success': True}
# Below is copy-pasted from CKAN auth.create.package_create
# to allow dataset creation without explicit organization permissions.
if authz.auth_is_anon_user(context):
check1 = all(authz.check_config_permission(p) for p in (
'anon_create_dataset',
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
))
else:
check1 = True # Registered users may create datasets
if not check1:
return {'success': False, 'msg': _('User %s not authorized to create packages') % user}
check2 = _check_group_auth(context, data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % user}
# If an organization is given are we able to add a dataset to it?
data_dict = data_dict or {}
org_id = data_dict.get('owner_org')
if org_id and not authz.has_user_permission_for_group_or_org(
org_id, user, 'create_dataset'):
return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user}
return {'success': True}
def can_request_doi(pkg):
''' Users can request a DOI if they are in the same org as the owner of the dataset '''
userobj = toolkit.c.userobj
owner_group_id = pkg['owner_org']
if not userobj:
return False
if userobj.sysadmin:
return True
if pkg['creator_user_id'] == userobj.id:
return True
if owner_group_id is None:
return False
return has_user_permission_for_group_or_org(owner_group_id, userobj.name, 'read')
def managing_users_package_update(context, data_dict):
user = context.get('user')
package = logic_auth.get_package_object(context, data_dict)
extras = dict([(key, value) for key, value in package.extras.items()])
if package.owner_org:
# if there is an owner org then we must have update_dataset
# permission for that organization
check1 = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'update_dataset'
)
#Managing users have to be specified for datasets within an organization
managing_users = extras.get('managing_users', '')
managing_users = managing_users.split(',')
check1 = check1 and context['auth_user_obj'].name in managing_users
else:
# If dataset is not owned then we can edit if config permissions allow
if authz.auth_is_anon_user(context):
check1 = all(authz.check_config_permission(p) for p in (
'anon_create_dataset',
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
))
else:
check1 = all(authz.check_config_permission(p) for p in (
'create_dataset_if_not_in_organization',
'create_unowned_dataset',
)) or authz.has_user_permission_for_some_org(
user, 'create_dataset')
#Managing users have to be specified for datasets without owner
#Else only creator can edit the dataset
managing_users = extras.get('managing_users', '')
managing_users = managing_users.split(',')
check1 = check1 and context['auth_user_obj'].name in managing_users
if context['auth_user_obj'].id == package.creator_user_id:
#If user is the creator of the package, he can edit it regardless
check1 = True
if not check1:
return {'success': False,
'msg': _('User %s not authorized to edit package %s') %
(str(user), package.id)}
else:
check2 = _check_group_auth(context, data_dict)
if not check2:
return {'success': False,
'msg': _('User %s not authorized to edit these groups') %
(str(user))}
return {'success': True}
def group_show(context, data_dict):
user = context.get('user')
group = get_group_object(context, data_dict)
if group.state == 'active':
if asbool(config.get('ckan.auth.public_user_details', True)) or \
(not asbool(data_dict.get('include_users', False)) and
(data_dict.get('object_type', None) != 'user')):
return {'success': True}
authorized = authz.has_user_permission_for_group_or_org(
group.id, user, 'read')
if authorized:
return {'success': True}
else:
return {'success': False, 'msg': _('User %s not authorized to read group %s') % (user, group.id)}
def group_edit_permissions(context, data_dict):
user = context['user']
group = logic_auth.get_group_object(context, data_dict)
authorized = authz.has_user_permission_for_group_or_org(group.id,
user,
'update')
if not authorized:
return {'success': False,
'msg': _('User %s not authorized to edit permissions of group %s') %
(str(user), group.id)}
else:
return {'success': True}
def _check_group_auth(context, data_dict):
'''Has this user got update permission for all of the given groups?
If there is a package in the context then ignore that package's groups.
(owner_org is checked elsewhere.)
:returns: False if not allowed to update one (or more) of the given groups.
True otherwise. i.e. True is the default. A blank data_dict
mentions no groups, so it returns True.
'''
# FIXME This code is shared amoung other logic.auth files and should be
# somewhere better
if not data_dict:
return True
model = context['model']
user = context['user']
pkg = context.get("package")
api_version = context.get('api_version') or '1'
group_blobs = data_dict.get('groups', [])
groups = set()
for group_blob in group_blobs:
# group_blob might be a dict or a group_ref
if isinstance(group_blob, dict):
if api_version == '1':
id = group_blob.get('name')
else:
id = group_blob.get('id')
if not id:
continue
else:
id = group_blob
grp = model.Group.get(id)
if grp is None:
raise logic.NotFound(_('Group was not found.'))
groups.add(grp)
if pkg:
pkg_groups = pkg.get_groups()
groups = groups - set(pkg_groups)
for group in groups:
if not authz.has_user_permission_for_group_or_org(group.id, user, 'update'):
return False
return True
def member_list(context, data_dict):
'''
Limits group/organization member listing to editors and administrators
of the organization.
:param context:
:param data_dict:
:return:
'''
user_name = context.get('user')
organization_id = data_dict.get('id')
if authz.has_user_permission_for_group_or_org(organization_id, user_name, 'editor'):
return {'success': True}
else:
return {'success': False}
def package_show(context, data_dict):
user = context.get('user')
user_obj = context.get('auth_user_obj')
package = logic_auth.get_package_object(context, data_dict)
# datasets can be read by its creator
if package and user_obj and package.creator_user_id == user_obj.id:
return {'success': True}
# Not active packages can only be seen by its owners
if package.state == 'active':
# anyone can see a public package
if package.private:
acquired = False
if package.owner_org:
acquired = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'read')
if not acquired:
# Init the model
db.init_db(context['model'])
# Branch not executed if the database return an empty list
if db.AllowedUser.get(package_id=package.id, user_name=user):
acquired = True
if not acquired:
# Show a flash message with the URL to acquire the dataset
# This message only can be shown when the user tries to access the dataset via its URL (/dataset/...)
# The message cannot be displayed in other pages that uses the package_show function such as
# the user profile page
if hasattr(package, 'extras') and 'acquire_url' in package.extras and request.path.startswith(
'/dataset/') \
and package.extras['acquire_url'] != '':
helpers.flash_notice(_('This private dataset can be acquired. To do so, please click ' +
'<a target="_blank" href="%s">here</a>') % package.extras['acquire_url'],
allow_html=True)
return {'success': True}
else:
return {'success': False, 'msg': _('User %s not authorized to read package %s') % (user, package.id)}
def has_permission_for_project(context, data_dict, permission,
project_id_parameter):
try:
project = get_package_object(context,
{'id': data_dict[project_id_parameter]})
except KeyError:
raise toolkit.ValidationError(
{project_id_parameter: 'missing parameter'}
)
user = context['user']
if has_user_permission_for_group_or_org(project.owner_org, user,
permission):
return {'success': True}
return {
'success': False,
'msg': _('User {0} not authorized to {1}').format(
user, permission.replace('_', ' '))
}
def resource_show(context, data_dict):
user = context.get('user')
user_obj = context.get('auth_user_obj')
resource = logic_auth.get_resource_object(context, data_dict)
# check authentication against package
package_dict = {'id': resource.package_id}
package = logic_auth.get_package_object(context, package_dict)
if not package:
raise tk.ObjectNotFound(_('No package found for this resource, cannot check auth.'))
if package and user_obj and package.creator_user_id == user_obj.id:
return {'success': True}
# active packages can only be seen by its owners
if package.state == 'active':
# anyone can see a public package
if not package.private:
return {'success': True}
# if the user has rights to read in the organization or in the group
if package.owner_org:
authorized = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'read')
else:
authorized = False
if not authorized:
# Init the model
db.init_db(context['model'])
# Branch not executed if the database return an empty list
if db.AllowedUser.get(package_id=package.id, user_name=user):
authorized = True
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to read resource %s') % (user, resource.id)}
else:
return {'success': True}
else:
return {'success': False, 'msg': _('User %s not authorized to read resource %s') % (user, resource.id)}
def package_show(context, data_dict):
user = context.get("user")
package = get_package_object(context, data_dict)
# draft state indicates package is still in the creation process
# so we need to check we have creation rights.
if package.state.startswith("draft"):
auth = authz.is_authorized("package_update", context, data_dict)
authorized = auth.get("success")
elif package.owner_org is None and package.state == "active":
return {"success": True}
else:
# anyone can see a public package
if not package.private and package.state == "active":
return {"success": True}
authorized = authz.has_user_permission_for_group_or_org(package.owner_org, user, "read")
if not authorized:
return {"success": False, "msg": _("User %s not authorized to read package %s") % (user, package.id)}
else:
return {"success": True}
def member_create(context, data_dict):
group = logic_auth.get_group_object(context, data_dict)
user = context['user']
# User must be able to update the group to add a member to it
permission = 'update'
# However if the user is member of group then they can add/remove datasets
if not group.is_organization and data_dict.get('object_type') == 'package':
permission = 'manage_group'
authorized = authz.has_user_permission_for_group_or_org(group.id,
user,
permission)
if not authorized:
return {'success': False,
'msg': _('User %s not authorized to edit group %s') %
(str(user), group.id)}
else:
return {'success': True}
def check_access_account_requests(context, data_dict=None):
"""
:param context:
:return: True if user is sysadmin or admin in top level org
"""
user = context.get('user')
orgs = model.Group.get_top_level_groups(type='organization')
user_is_admin_in_top_org = None
if orgs:
for org in orgs:
if authz.has_user_permission_for_group_or_org(
org.id, user, 'admin'
):
user_is_admin_in_top_org = True
break
return {
'success': True
if user_is_admin_in_top_org or h.check_access('sysadmin') else False
}
def package_update(context, data_dict):
user = context.get('user')
user_obj = context.get('auth_user_obj')
package = logic_auth.get_package_object(context, data_dict)
# Only the package creator can update it
if package and user_obj and package.creator_user_id == user_obj.id:
return {'success': True}
# if the user has rights to update a dataset in the organization or in the group
if package and package.owner_org:
authorized = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'update_dataset')
else:
authorized = False
if not authorized:
return {'success': False, 'msg': _('User %s is not authorized to edit package %s') % (user, package.id)}
else:
return {'success': True}
def package_show(context, data_dict):
user = context.get('user')
package = get_package_object(context, data_dict)
# draft state indicates package is still in the creation process
# so we need to check we have creation rights.
if package.state.startswith('draft'):
auth = authz.is_authorized('package_update',
context, data_dict)
authorized = auth.get('success')
elif package.owner_org is None and package.state == 'active':
return {'success': True}
else:
# anyone can see a public package
if not package.private and package.state == 'active':
return {'success': True}
authorized = authz.has_user_permission_for_group_or_org(
package.owner_org, user, 'read')
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to read package %s') % (user, package.id)}
else:
return {'success': True}
def package_delete(context, data_dict):
'''
Modified check from CKAN, whether the user has a permission to
delete the package. In addition to privileges given by CKAN's
authorisation, also the package owner has full privileges in Kata.
:param context: context
:type context: dictionary
:param data_dict: package data
:type data_dict: dictionary
:rtype: dictionary with 'success': True|False
'''
user = context['user']
package = get_package_object(context, data_dict)
if is_owner(context, data_dict)['success'] == True:
# if h.check_access('package_delete', data_dict):
return {'success': True}
else:
authorized = authz.has_user_permission_for_group_or_org(package.owner_org, user, 'delete_dataset')
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to delete package %s') % (str(user), package.id)}
else:
return {'success': True}
