def list(self, id): """ List all related items for a specific dataset """ context = { "model": model, "session": model.Session, "user": c.user or c.author, "extras_as_string": True, "for_view": True, } data_dict = {"id": id} try: logic.check_access("package_show", context, data_dict) except logic.NotFound: base.abort(404, base._("Dataset not found")) except logic.NotAuthorized: base.abort(401, base._("Not authorized to see this page")) try: c.pkg_dict = logic.get_action("package_show")(context, data_dict) c.pkg = context["package"] c.resources_json = h.json.dumps(c.pkg_dict.get("resources", [])) except logic.NotFound: base.abort(404, base._("Dataset not found")) except logic.NotAuthorized: base.abort(401, base._("Unauthorized to read package %s") % id) c.action = "related" c.related_count = c.pkg.related_count c.num_followers = _get_action("dataset_follower_count")(context, {"id": c.pkg.id}) return base.render("related/related_list.html")
def package_relationship_create(context, data_dict): """ Permission for users to create a new package relationship requires that the user share a group with both packages. """ model = context['model'] user = context['user'] id = data_dict.get('id', '') id2 = data_dict.get('id2', '') pkg1 = model.Package.get(id) pkg2 = model.Package.get(id2) if not pkg1 or not pkg2: return {'success': False, 'msg': _('Two package IDs are required')} pkg1grps = pkg1.get_groups('organization') pkg2grps = pkg2.get_groups('organization') usergrps = model.User.get( user ).get_groups('organization') authorized = _groups_intersect( usergrps, pkg1grps ) and _groups_intersect( usergrps, pkg2grps ) if not authorized: return {'success': False, 'msg': _('User %s not authorized to edit these packages') % str(user)} else: return {'success': True}
def resource_update(context, data_dict): model = context["model"] session = context["session"] user = context["user"] id = data_dict["id"] schema = context.get("schema") or default_update_resource_schema() model.Session.remove() resource = model.Resource.get(id) context["resource"] = resource if not resource: logging.error("Could not find resource " + id) raise NotFound(_("Resource was not found.")) check_access("resource_update", context, data_dict) data, errors = validate(data_dict, schema, context) if errors: model.Session.rollback() raise ValidationError(errors, resource_error_summary(errors)) rev = model.repo.new_revision() rev.author = user if "message" in context: rev.message = context["message"] else: rev.message = _(u"REST API: Update object %s") % data.get("name", "") resource = resource_dict_save(data, context) if not context.get("defer_commit"): model.repo.commit() return resource_dictize(resource, context)
def report_list(self, id): # Setup dataset information package_type = self._get_package_type(id.split("@")[0]) context = { "model": model, "session": model.Session, "user": c.user or c.author, "extras_as_string": True, "schema": self._form_to_db_schema(package_type=package_type), } data_dict = {"id": id} # check if package exists try: c.pkg_dict = get_action("package_show")(context, data_dict) c.pkg = context["package"] c.pkg_json = json.dumps(c.pkg_dict) except NotFound: abort(404, _("Dataset not found")) except NotAuthorized: abort(401, _("Unauthorized to read package %s") % id) # Only package admins can see this page try: check_access("package_update", context) except NotAuthorized, e: abort(401, _("User %r not authorized to edit %s") % (c.user, id))
def package_show(context, data_dict): """ Package show permission checks the user group if the state is deleted """ model = context['model'] package = get_package_object(context, data_dict) if package.state == 'deleted': if 'ignore_auth' in context and context['ignore_auth']: return {'success': True} user = context.get('user') if not user: return {'success': False, 'msg': _('User not authorized to read package %s') % (package.id)} userobj = model.User.get( user ) if Authorizer().is_sysadmin(unicode(user)): return {'success': True} if not userobj: return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)} if not _groups_intersect( userobj.get_groups('publisher'), package.get_groups('publisher') ): return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)} return {'success': True}
def group_create(context, data_dict=None): """ Group create permission. If a group is provided, within which we want to create a group then we check that the user is within that group. If not then we just say Yes for now although there may be some approval issues elsewhere. """ model = context['model'] user = context['user'] if not model.User.get(user): return {'success': False, 'msg': _('User is not authorized to create groups') } if Authorizer.is_sysadmin(user): return {'success': True} try: # If the user is doing this within another group then we need to make sure that # the user has permissions for this group. group = get_group_object( context ) except logic.NotFound: return { 'success' : True } userobj = model.User.get( user ) if not userobj: return {'success': False, 'msg': _('User %s not authorized to create groups') % str(user)} authorized = _groups_intersect( userobj.get_groups('organization'), [group] ) if not authorized: return {'success': False, 'msg': _('User %s not authorized to create groups') % str(user)} else: return {'success': True}
def rating_create(context, data_dict): model = context['model'] user = context.get("user") package_ref = data_dict.get('package') rating = data_dict.get('rating') opts_err = None if not package_ref: opts_err = _('You must supply a package id or name (parameter "package").') elif not rating: opts_err = _('You must supply a rating (parameter "rating").') else: try: rating_int = int(rating) except ValueError: opts_err = _('Rating must be an integer value.') else: package = model.Package.get(package_ref) if rating < ratings.MIN_RATING or rating > ratings.MAX_RATING: opts_err = _('Rating must be between %i and %i.') % (ratings.MIN_RATING, ratings.MAX_RATING) elif not package: opts_err = _('Package with name %r does not exist.') % package_ref if opts_err: raise ValidationError(opts_err) user = model.User.by_name(user) ratings.set_rating(user, package, rating_int) package = model.Package.get(package_ref) ret_dict = {'rating average':package.get_average_rating(), 'rating count': len(package.ratings)} return ret_dict
def group_update(context, data_dict): """ Group edit permission. Checks that a valid user is supplied and that the user is a member of the group currently with any capacity. """ model = context['model'] user = context.get('user','') group = get_group_object(context, data_dict) if not user: return {'success': False, 'msg': _('Only members of this group are authorized to edit this group')} # Sys admins should be allowed to update groups if Authorizer().is_sysadmin(unicode(user)): return { 'success': True } # Only allow package update if the user and package groups intersect userobj = model.User.get( user ) if not userobj: return { 'success' : False, 'msg': _('Could not find user %s') % str(user) } # Only admins of this group should be able to update this group if not _groups_intersect( userobj.get_groups( 'organization', 'admin' ), [group] ): return { 'success': False, 'msg': _('User %s not authorized to edit this group') % str(user) } return { 'success': True }
def package_relationship_create(context, data_dict): """ Permission for users to create a new package relationship requires that the user share a group with both packages. """ model = context["model"] user = context["user"] id = data_dict.get("id", "") id2 = data_dict.get("id2", "") pkg1 = model.Package.get(id) pkg2 = model.Package.get(id2) if not pkg1 or not pkg2: return {"success": False, "msg": _("Two package IDs are required")} pkg1grps = pkg1.get_groups("publisher") pkg2grps = pkg2.get_groups("publisher") usergrps = model.User.get(user).get_groups("publisher") authorized = _groups_intersect(usergrps, pkg1grps) and _groups_intersect(usergrps, pkg2grps) if not authorized: return {"success": False, "msg": _("User %s not authorized to edit these packages") % str(user)} else: return {"success": True}
def list(self, id): """ List all related items for a specific dataset """ context = {'model': model, 'session': model.Session, 'user': c.user or c.author, 'auth_user_obj': c.userobj, 'for_view': True} data_dict = {'id': id} try: logic.check_access('package_show', context, data_dict) except logic.NotFound: base.abort(404, base._('Dataset not found')) except logic.NotAuthorized: base.abort(401, base._('Not authorized to see this page')) try: c.pkg_dict = logic.get_action('package_show')(context, data_dict) c.related_list = logic.get_action('related_list')(context, data_dict) c.pkg = context['package'] c.resources_json = h.json.dumps(c.pkg_dict.get('resources', [])) except logic.NotFound: base.abort(404, base._('Dataset not found')) except logic.NotAuthorized: base.abort(401, base._('Unauthorized to read package %s') % id) return base.render("package/related_list.html")
def harvest_jobs_run(context,data_dict): model = context['model'] user = context.get('user') # Check user is logged in if not user: return {'success': False, 'msg': _('Only logged users are authorized to run harvest jobs')} user_obj = User.get(user) # Checks for non sysadmin users if not Authorizer().is_sysadmin(user): if not user_obj or len(user_obj.get_groups(u'publisher')) == 0: return {'success': False, 'msg': _('User %s must belong to a publisher to run harvest jobs') % str(user)} source_id = data_dict.get('source_id',False) if not source_id: return {'success': False, 'msg': _('Only sysadmins can run all harvest jobs') % str(user)} source = HarvestSource.get(source_id) if not source: raise NotFound if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]: return {'success': False, 'msg': _('User %s not authorized to run jobs from source %s') % (str(user),source.id)} return {'success': True}
def resource_update(context, data_dict): model = context['model'] session = context['session'] user = context['user'] id = data_dict["id"] schema = context.get('schema') or default_update_resource_schema() model.Session.remove() resource = model.Resource.get(id) context["resource"] = resource if not resource: raise NotFound(_('Resource was not found.')) check_access('resource_update', context, data_dict) data, errors = validate(data_dict, schema, context) if errors: model.Session.rollback() raise ValidationError(errors, resource_error_summary(errors)) rev = model.repo.new_revision() rev.author = user if 'message' in context: rev.message = context['message'] else: rev.message = _(u'REST API: Update object %s') % data.get("name") resource = resource_dict_save(data, context) if not context.get('defer_commit'): model.repo.commit() return resource_dictize(resource, context)
def read(self, id): group_type = self._get_group_type(id.split('@')[0]) context = {'model': model, 'session': model.Session, 'user': c.user or c.author, 'schema': self._form_to_db_schema(group_type=type)} data_dict = {'id': id} q = c.q = request.params.get('q', '') # unicode format (decoded from utf8) try: c.group_dict = get_action('group_show')(context, data_dict) c.group = context['group'] except NotFound: abort(404, _('Group not found')) except NotAuthorized: abort(401, _('Unauthorized to read group %s') % id) # Search within group q += ' groups: "%s"' % c.group_dict.get('name') try: description_formatted = ckan.misc.MarkdownFormat().to_html(c.group_dict.get('description','')) c.description_formatted = genshi.HTML(description_formatted) except Exception, e: error_msg = "<span class='inline-warning'>%s</span>" % _("Cannot render description") c.description_formatted = genshi.HTML(error_msg)
def list(self, id): context = {'model': model, 'session': model.Session, 'user': c.user or c.author, 'extras_as_string': True, 'for_view': True} data_dict = {'id': id} try: logic.check_access('package_show', context, data_dict) except logic.NotFound: base.abort(404, base._('Dataset not found')) except logic.NotAuthorized: base.abort(401, base._('Not authorized to see this page')) try: c.pkg_dict = logic.get_action('package_show')(context, data_dict) c.pkg = context['package'] c.resources_json = h.json.dumps(c.pkg_dict.get('resources',[])) except logic.NotFound: base.abort(404, base._('Dataset not found')) except logic.NotAuthorized: base.abort(401, base._('Unauthorized to read package %s') % id) c.related_count = len(c.pkg.related) c.num_followers = logic.get_action('dataset_follower_count')(context, {'id': c.pkg_dict['id']}) # If the user is logged in set the am_following variable. if c.user: c.pkg_dict['am_following'] = logic.get_action('am_following_dataset')( context, {'id': c.pkg.id}) return base.render( "package/related_list.html")
def vocabulary_update(context, data_dict): model = context["model"] vocab_id = data_dict.get("id") if not vocab_id: raise ValidationError({"id": _("id not in data")}) vocab = model.vocabulary.Vocabulary.get(vocab_id) if vocab is None: raise NotFound(_('Could not find vocabulary "%s"') % vocab_id) data_dict["id"] = vocab.id if data_dict.has_key("name"): if data_dict["name"] == vocab.name: del data_dict["name"] check_access("vocabulary_update", context, data_dict) schema = context.get("schema") or default_update_vocabulary_schema() data, errors = validate(data_dict, schema, context) if errors: model.Session.rollback() raise ValidationError(errors) updated_vocab = vocabulary_dict_update(data, context) if not context.get("defer_commit"): model.repo.commit() return vocabulary_dictize(updated_vocab, context)
def index(self): group_type = None context = {'model': model, 'session': model.Session, 'user': c.user or c.author, 'for_view': True, 'with_private': False} q = c.q = request.params.get('q', '') data_dict = {'all_fields': True, 'q': q} sort_by = c.sort_by_selected = request.params.get('sort') if sort_by: data_dict['sort'] = sort_by try: self._check_access('site_read', context) except NotAuthorized: abort(401, _('Not authorized to see this page')) if c.userobj: context['user_id'] = c.userobj.id context['user_is_admin'] = c.userobj.sysadmin c.group_package_stuff = caching.cached_get_group_package_stuff() ##Removing groups without geojson for the map c.group_map = [] for gp in c.group_package_stuff: ''' Removed check for geojson data because in the new version this information does not come from the group_list action and for now we are not using the map. If we'll need this we should implement some caching functionality for this too. ''' c.group_map.append(gp) #print c.group_package_stuff if c.userobj is not None: msg = None url = h.url_for(controller='user', action='edit') is_google_id = \ c.userobj.name.startswith('https://www.google.com/accounts/o8/id') if not c.userobj.email and (is_google_id and not c.userobj.fullname): msg = _(u'Please <a href="{link}">update your profile</a>' u' and add your email address and your full name. ' u'{site} uses your email address' u' if you need to reset your password.'.format( link=url, site=g.site_title)) elif not c.userobj.email: msg = _('Please <a href="%s">update your profile</a>' ' and add your email address. ') % url + \ _('%s uses your email address' ' if you need to reset your password.') \ % g.site_title elif is_google_id and not c.userobj.fullname: msg = _('Please <a href="%s">update your profile</a>' ' and add your full name.') % (url) if msg: h.flash_notice(msg, allow_html=True) return base.render('home/index.html', cache_force=True)
def resource_read(self, id, resource_id): context = {'model': model, 'session': model.Session, 'user': c.user or c.author} try: c.resource = get_action('resource_show')(context, {'id': resource_id}) c.package = get_action('package_show')(context, {'id': id}) # required for nav menu c.pkg = context['package'] c.resource_json = json.dumps(c.resource) c.pkg_dict = c.package except NotFound: abort(404, _('Resource not found')) except NotAuthorized: abort(401, _('Unauthorized to read resource %s') % id) # get package license info license_id = c.package.get('license_id') try: c.package['isopen'] = model.Package.get_license_register()[license_id].isopen() except KeyError: c.package['isopen'] = False # TODO: Find another way to get this action action_name = 'resource_read' # Get fields list for this action report = model.Session.query(lightbaseDatasetReports).\ filter(lightbaseDatasetReports.dataset_action_id == lightbaseDatasetActions.dataset_action_id).\ filter(lightbaseDatasetReports.dataset_id == c.pkg_dict.get('id')).\ filter(lightbaseDatasetActions.action_name == action_name).all() # Add fields to dict report_dict = dict() if len(report) > 0: report_dict = report[0].fields_list # Add it to page identifier = report_dict.pop('identifier') vars = {'report_dict': report_dict, 'identifier': identifier} # Add results from elastic search c.resource['elastic_search'] = self.before_view_resource(c.pkg_dict['name'], c.resource['name']) # Get item name from description item c.resource['description'] = c.resource['elastic_search'].get(report_dict.pop('description')) # Get content from content item in dict conteudo = plaintext2html(c.resource['elastic_search'].get(report_dict.pop('content'))) # Check if conteudo is nil if not conteudo: c.resource['conteudo'] = unicode('Nao disponivel') else: conteudo_html = fromstring(conteudo) conteudo = tostring(conteudo_html) c.resource['conteudo'] = unicode(conteudo) return render('package/resource_read.html', extra_vars=vars)
def group_delete(context, data_dict): group = get_group_object(context, data_dict) user = context["user"] if not new_authz.check_config_permission("user_delete_groups"): return {"success": False, "msg": _("User %s not authorized to delete groups") % user} authorized = new_authz.has_user_permission_for_group_or_org(group.id, user, "delete") if not authorized: return {"success": False, "msg": _("User %s not authorized to delete group %s") % (user, group.id)} else: return {"success": True}
def group_error_summary(error_dict): error_summary = {} for key, error in error_dict.iteritems(): if key == 'extras': error_summary[_('Extras')] = _('Missing Value') elif key == 'extras_validation': error_summary[_('Extras')] = error[0] else: error_summary[_(prettify(key))] = error[0] return error_summary
def group_error_summary(error_dict): error_summary = {} for key, error in error_dict.iteritems(): if key == "extras": error_summary[_("Extras")] = _("Missing Value") elif key == "extras_validation": error_summary[_("Extras")] = error[0] else: error_summary[_(prettify(key))] = error[0] return error_summary
def organization_delete(context, data_dict): group = get_group_object(context, data_dict) user = context['user'] if not new_authz.check_config_permission('user_delete_organizations'): return {'success': False, 'msg': _('User %s not authorized to delete organizations') % user} authorized = new_authz.has_user_permission_for_group_or_org( group.id, user, 'delete') if not authorized: return {'success': False, 'msg': _('User %s not authorized to delete organization %s') % (user ,group.id)} else: return {'success': True}
def create(self): if not self._check_access(model.System(), model.Action.PACKAGE_CREATE): return json.dumps(_('Access denied')) # Create a Package. fs = self._get_standard_package_fieldset() try: request_data = self._get_request_data() request_fa_dict = ckan.forms.edit_package_dict(ckan.forms.get_package_dict(fs=fs), request_data) fs = fs.bind(model.Package, data=request_fa_dict, session=model.Session) log.debug('Created object %s' % str(fs.name.value)) obj = fs.model # Validate the fieldset. validation = fs.validate() if not validation: # Complain about validation errors. log.error('Validation error: %r' % repr(fs.errors)) response.write(self._finish(409, repr(fs.errors), content_type='json')) else: try: # Construct new revision. rev = model.repo.new_revision() rev.author = self.rest_api_user rev.message = _(u'REST API: Create object %s') % str(fs.name.value) # Construct catalogue entity. fs.sync() # Construct access control entities. if self.rest_api_user: admins = [model.User.by_name(self.rest_api_user.decode('utf8'))] else: admins = [] model.setup_default_user_roles(fs.model, admins) for item in self.extensions: item.create(fs.model) # Commit model.repo.commit() # Set location header with new ID. location = str('%s/%s' % (request.path, obj.id)) response.headers['Location'] = location log.debug('Response headers: %r' % (response.headers)) response.write(self._finish_ok( obj.as_dict(), newly_created_resource_location=location)) except Exception, inst: log.exception(inst) model.Session.rollback() log.error('Exception creating object %s: %r' % (str(fs.name.value), inst)) raise except ValueError, inst: response.status_int = 400 response.write(_(u'JSON Error: %s') % str(inst))
def read(self, id, url=''): context = {'model': model, 'session': model.Session, 'user': c.user or c.author} try: resource = get_action('resource_show')(context, {'id': id}) self._make_redirect(id, url) return '' except NotFound: abort(404, _('Resource not found')) except NotAuthorized: abort(401, _('Unauthorized to read resource %s') % id)
def related_update(context, data_dict): model = context['model'] user = context['user'] if not user: return {'success': False, 'msg': _('Only the owner can update a related item')} related = get_related_object(context, data_dict) userobj = model.User.get( user ) if not userobj or userobj.id != related.owner_id: return {'success': False, 'msg': _('Only the owner can update a related item')} return {'success': True}
def package_update(context, data_dict): model = context["model"] user = context.get("user") package = get_package_object(context, data_dict) check1 = check_access_old(package, model.Action.EDIT, context) if not check1: return {"success": False, "msg": _("User %s not authorized to edit package %s") % (str(user), package.id)} else: check2 = _check_group_auth(context, data_dict) if not check2: return {"success": False, "msg": _("User %s not authorized to edit these groups") % str(user)} return {"success": True}
def package_update(context, data_dict): model = context['model'] user = context.get('user') package = get_package_object(context, data_dict) check1 = logic.check_access_old(package, model.Action.EDIT, context) if not check1: return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)} else: check2 = _check_group_auth(context,data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % str(user)} return {'success': True}
def package_create(context, data_dict=None): model = context["model"] user = context["user"] check1 = logic.check_access_old(model.System(), model.Action.PACKAGE_CREATE, context) if not check1: return {"success": False, "msg": _("User %s not authorized to create packages") % str(user)} else: check2 = _check_group_auth(context, data_dict) if not check2: return {"success": False, "msg": _("User %s not authorized to edit these groups") % str(user)} return {"success": True}
def package_create(context, data_dict=None): model = context['model'] user = context['user'] check1 = logic.check_access_old(model.System(), model.Action.PACKAGE_CREATE, context) if not check1: return {'success': False, 'msg': _('User %s not authorized to create packages') % str(user)} else: check2 = _check_group_auth(context,data_dict) if not check2: return {'success': False, 'msg': _('User %s not authorized to edit these groups') % str(user)} return {'success': True}
def report_action(self, id, data=None, errors=None, error_summary=None): """ Reports action page """ # Setup dataset information package_type = self._get_package_type(id.split("@")[0]) # context = {'model': model, 'session': model.Session, # 'user': c.user or c.author, 'extras_as_string': True, # 'schema': self._form_to_db_schema(package_type=package_type)} context = { "model": model, "session": model.Session, "save": "save" in request.params, "user": c.user or c.author, "extras_as_string": True, } data_dict = {"id": id} # check if package exists try: c.pkg_dict = get_action("package_update")(context, data_dict) c.pkg = context["package"] c.pkg_json = json.dumps(c.pkg_dict) except NotFound: abort(404, _("Dataset not found")) except NotAuthorized: abort(401, _("Unauthorized to edit package %s") % id) data = data or clean_dict(unflatten(tuplize_dict(parse_params(request.params, ignore_keys=[CACHE_PARAMETER])))) errors = errors or {} error_summary = error_summary or {} vars = {"data": data, "errors": errors, "error_summary": error_summary} # Save data if requested if context.get("save") and data: result = self._save_report_action_new(data) # Return error message if not result: errors["name"] = "Insertion error" error_summary[_(u"Ação")] = _(u"Erro inserindo elemento na base de dados") # Add actual reports actions information data["actions"] = model.Session.query(lightbaseDatasetActions).all() self._setup_template_variables(context, {"id": id}) c.form = render("package/reports/actions_new_form.html", extra_vars=vars) return render("package/reports/actions_new.html")
def harvest_source_create(context,data_dict): model = context['model'] user = context.get('user','') # Non-logged users can not create sources if not user: return {'success': False, 'msg': _('Non-logged in users are not authorized to create harvest sources')} # Sysadmins and the rest of logged users can create sources, # as long as they belong to a publisher user_obj = User.get(user) if not user_obj or not Authorizer().is_sysadmin(user) and len(user_obj.get_groups(u'publisher')) == 0: return {'success': False, 'msg': _('User %s must belong to a publisher to create harvest sources') % str(user)} else: return {'success': True}
def read(self, id, format='html'): if not format == 'html': ctype, extension, loader = \ self._content_type_from_extension(format) if not ctype: # An unknown format, we'll carry on in case it is a # revision specifier and re-constitute the original id id = "%s.%s" % (id, format) ctype, format, loader = "text/html; charset=utf-8", "html", \ MarkupTemplate else: ctype, format, loader = self._content_type_from_accept() response.headers['Content-Type'] = ctype package_type = self._get_package_type(id.split('@')[0]) context = { 'model': model, 'session': model.Session, 'user': c.user or c.author, 'for_view': True, 'auth_user_obj': c.userobj } data_dict = {'id': id} # interpret @<revision_id> or @<date> suffix split = id.split('@') if len(split) == 2: data_dict['id'], revision_ref = split if model.is_id(revision_ref): context['revision_id'] = revision_ref else: try: date = h.date_str_to_datetime(revision_ref) context['revision_date'] = date except TypeError, e: abort(400, _('Invalid revision format: %r') % e.args) except ValueError, e: abort(400, _('Invalid revision format: %r') % e.args)
def group_create(context, data_dict=None): """ Group create permission. If a group is provided, within which we want to create a group then we check that the user is within that group. If not then we just say Yes for now although there may be some approval issues elsewhere. """ model = context['model'] user = context['user'] if not user: return { 'success': False, 'msg': _('User is not authorized to create groups') } if Authorizer.is_sysadmin(user): return {'success': True} try: # If the user is doing this within another group then we need to make sure that # the user has permissions for this group. group = get_group_object(context) except NotFound: return {'success': True} userobj = model.User.get(user) if not userobj: return { 'success': False, 'msg': _('User %s not authorized to create groups') % str(user) } authorized = _groups_intersect(userobj.get_groups('publisher'), [group]) if not authorized: return { 'success': False, 'msg': _('User %s not authorized to create groups') % str(user) } else: return {'success': True}
def site_read(context, data_dict): """\ This function should be deprecated. It is only here because we couldn't get hold of Friedrich to ask what it was for. ./ckan/controllers/api.py """ model = context['model'] user = context.get('user') if not Authorizer().is_authorized(user, model.Action.SITE_READ, model.System): return {'success': False, 'msg': _('Not authorized to see this page')} return {'success': True}
def task_status_delete(context, data_dict): model = context['model'] user = context['user'] authorized = Authorizer().is_sysadmin(unicode(user)) if not authorized: return { 'success': False, 'msg': _('User %s not authorized to delete task_status') % str(user) } else: return {'success': True}
def package_create(context, data_dict=None): model = context['model'] user = context['user'] check1 = logic.check_access_old(model.System(), model.Action.PACKAGE_CREATE, context) if not check1: return { 'success': False, 'msg': _('User %s not authorized to create packages') % str(user) } else: check2 = _check_group_auth(context, data_dict) if not check2: return { 'success': False, 'msg': _('User %s not authorized to edit these groups') % str(user) } return {'success': True}
def fao_m49_regions(key, flattened_data, errors, context): # we use extended api to update data dict in-place # this way we avoid various errors in harvesters, # which don't populate extras properly value = flattened_data[key] if isinstance(value, Missing) or value is None: flattened_data[key] = [] else: value = _deserialize_from_array(value) validated = [] try: v = Vocabulary.get(Vocabulary.VOCABULARY_M49_REGIONS) for term in value: if not v.valid_term(term): errors[key].append( ValueError(_("Term not valid: {}").format(term))) break validated.append(term) flattened_data[key] = validated except Exception, err: errors[key].append( Invalid(_("Invalid m49 regions: {} {}").format(value, err)))
def harvest_source_create(context, data_dict): model = context['model'] user = context.get('user') if not Authorizer().is_sysadmin(user): return { 'success': False, 'msg': _('User %s not authorized to create harvest sources') % str(user) } else: return {'success': True}
def user_create(context, data_dict=None): model = context['model'] user = context['user'] authorized = check_access_old(model.System(), model.Action.USER_CREATE, context) if not authorized: return { 'success': False, 'msg': _('User %s not authorized to create users') % str(user) } else: return {'success': True}
def hdx_send_mail_contributor(context, data_dict): ''' Only a logged in user has access. ''' user_obj = context.get('auth_user_obj') or context.get('user_obj') if user_obj: return {'success': True} return { 'success': False, 'msg': _('Not authorized to perform this request') }
def group_show(context, data_dict): """ Group show permission checks the user group if the state is deleted """ model = context['model'] user = context.get('user') group = get_group_object(context, data_dict) userobj = model.User.get( user ) if group.state == 'deleted': if not user or \ not _groups_intersect( userobj.get_groups('organization'), group.get_groups('organization') ): return {'success': False, 'msg': _('User %s not authorized to show group %s') % (str(user),group.id)} return {'success': True}
def term_translation_update(context, data_dict): model = context['model'] user = context['user'] if 'ignore_auth' in context and context['ignore_auth']: return {'success': True} authorized = Authorizer().is_sysadmin(unicode(user)) if not authorized: return {'success': False, 'msg': _('User %s not authorized to update term_translation table') % str(user)} else: return {'success': True}
def resource_create(context, data_dict): # resource_create runs through package_update, no need to # check users eligibility to add resource to package here. model = context['model'] user = context['user'] userobj = model.User.get(user) if userobj: return {'success': True} return { 'success': False, 'msg': _('You must be logged in to create a resource') }
def related_delete(context, data_dict): model = context['model'] user = context['user'] userobj = model.User.get( user ) if not user or not userobj: return {'success': False, 'msg': _('Only the owner can delete a related item')} if Authorizer().is_sysadmin(unicode(user)): return {'success': True} related = get_related_object(context, data_dict) if related.datasets: package = related.datasets[0] if _groups_intersect( userobj.get_groups('organization'), package.get_groups('organization') ): return {'success': True} if not userobj or userobj.id != related.owner_id: return {'success': False, 'msg': _('Only the owner can delete a related item')} return {'success': True}
def user_extra_create(context, data_dict): ''' A user has access only to his own metainformation (user_extra). ''' user_obj = context.get('auth_user_obj') or context.get('user_obj') if user_obj and user_obj.id == data_dict.get('user_id', ''): return {'success': True} return { 'success': False, 'msg': _('Not authorized to perform this request') }
def package_update(context, data_dict): model = context['model'] user = context['user'] id = data_dict["id"] schema = context.get('schema') or default_update_package_schema() model.Session.remove() model.Session()._context = context pkg = model.Package.get(id) context["package"] = pkg if pkg is None: raise NotFound(_('Package was not found.')) data_dict["id"] = pkg.id check_access('package_update', context, data_dict) data, errors = validate(data_dict, schema, context) if errors: model.Session.rollback() raise ValidationError(errors, package_error_summary(errors)) rev = model.repo.new_revision() rev.author = user if 'message' in context: rev.message = context['message'] else: rev.message = _(u'REST API: Update object %s') % data.get("name") pkg = package_dict_save(data, context) for item in PluginImplementations(IPackageController): item.edit(pkg) if not context.get('defer_commit'): model.repo.commit() return package_dictize(pkg, context)
def new(self): record = model.Group c.error = '' try: context = {'model': model, 'user': c.user or c.author} check_access('group_create', context) except NotAuthorized: abort(401, _('Unauthorized to create a group')) is_admin = self.authorizer.is_sysadmin(c.user) fs = ckan.forms.get_group_fieldset(is_admin=is_admin) if request.params.has_key('save'): rev = model.repo.new_revision() rev.author = c.author # needed because request is nested # multidict which is read only params = dict(request.params) c.fs = fs.bind(record, data=params or None, session=model.Session) try: self._update(c.fs, id, record.id) except ValidationException, error: fs = error.args[0] c.form = self._render_edit_form(fs) return render('group/edit.html') # do not use groupname from id as may have changed c.groupname = c.fs.name.value c.grouptitle = c.fs.title.value group = model.Group.get(c.groupname) assert group admins = [] user = model.User.by_name(c.user) admins = [user] model.setup_default_user_roles(group, admins) group = model.Group.get(c.groupname) pkgs = [ model.Package.by_name(name) for name in request.params.getall('Group-packages-current') ] group.packages = pkgs pkgnames = request.params.getall('PackageGroup--package_name') for pkgname in pkgnames: if pkgname: package = model.Package.by_name(pkgname) if package and package not in group.packages: group.packages.append(package) for extension in self.extensions: extension.create(group) model.repo.commit_and_remove() h.redirect_to(controller='group', action='read', id=c.groupname)
def group_update(context, data_dict): """ Group edit permission. Checks that a valid user is supplied and that the user is a member of the group currently with any capacity. """ model = context['model'] user = context.get('user', '') group = get_group_object(context, data_dict) if not user: return { 'success': False, 'msg': _('Only members of this group are authorized to edit this group') } # Sys admins should be allowed to update groups if Authorizer().is_sysadmin(unicode(user)): return {'success': True} # Only allow package update if the user and package groups intersect userobj = model.User.get(user) if not userobj: return { 'success': False, 'msg': _('Could not find user %s') % str(user) } # Only admins of this group should be able to update this group if not _groups_intersect(userobj.get_groups('organization', 'admin'), [group]): return { 'success': False, 'msg': _('User %s not authorized to edit this group') % str(user) } return {'success': True}
def group_delete(context, data_dict): """ Group delete permission. Checks that the user specified is within the group to be deleted and also have 'admin' capacity. """ model = context['model'] user = context['user'] if not user: return { 'success': False, 'msg': _('Only members of this group are authorized to delete this group') } group = get_group_object(context, data_dict) userobj = model.User.get(user) if not userobj: return { 'success': False, 'msg': _('Only members of this group are authorized to delete this group') } authorized = _groups_intersect(userobj.get_groups('organization', 'admin'), [group]) if not authorized: return { 'success': False, 'msg': _('User %s not authorized to delete group %s') % (str(user), group.id) } else: return {'success': True}
def rating_create(context, data_dict): model = context['model'] user = context.get("user") package_ref = data_dict.get('package') rating = data_dict.get('rating') opts_err = None if not package_ref: opts_err = _( 'You must supply a package id or name (parameter "package").') elif not rating: opts_err = _('You must supply a rating (parameter "rating").') else: try: rating_int = int(rating) except ValueError: opts_err = _('Rating must be an integer value.') else: package = model.Package.get(package_ref) if rating < ratings.MIN_RATING or rating > ratings.MAX_RATING: opts_err = _('Rating must be between %i and %i.') % ( ratings.MIN_RATING, ratings.MAX_RATING) elif not package: opts_err = _( 'Package with name %r does not exist.') % package_ref if opts_err: raise ValidationError(opts_err) user = model.User.by_name(user) ratings.set_rating(user, package, rating_int) package = model.Package.get(package_ref) ret_dict = { 'rating average': package.get_average_rating(), 'rating count': len(package.ratings) } return ret_dict
def related_create(context, data_dict=None): model = context['model'] user = context['user'] userobj = model.User.get(user) if not userobj: return { 'success': False, 'msg': _('You must be logged in to add a related item') } if 'dataset_id' in data_dict: # If this is to be associated with a dataset then we need to make sure that # the user doing so is a member of that group dataset = model.Package.get(data_dict['dataset_id']) if dataset and not _groups_intersect(userobj.get_groups(), dataset.get_groups()): return { 'success': False, 'msg': _('You do not have permission to create an item') } return {'success': True}
def edit(self, id=None): # allow id=None to allow posting c.error = '' group = model.Group.get(id) if group is None: abort(404, '404 Not Found') am_authz = self.authorizer.am_authorized(c, model.Action.EDIT, group) if not am_authz: abort(401, _('User %r not authorized to edit %r') % (c.user, id)) auth_for_change_state = self.authorizer.am_authorized(c, model.Action.CHANGE_STATE, group) if not 'save' in request.params: c.group = group c.groupname = group.name c.grouptitle = group.title fs = forms.get_group_fieldset(is_admin=auth_for_change_state).bind(c.group) c.form = self._render_edit_form(fs) return render('group/edit.html') else: rev = model.repo.new_revision() rev.author = c.author # id is the name (pre-edited state) c.groupname = id # needed because request is nested # multidict which is read only params = dict(request.params) fs = ckan.forms.get_group_fieldset(is_admin=auth_for_change_state) c.fs = fs.bind(group, data=params or None) try: self._update(c.fs, id, group.id) # do not use groupname from id as may have changed c.groupname = c.fs.name.value c.grouptitle = c.fs.title.value except ValidationException, error: fs = error.args[0] c.form = self._render_edit_form(fs) return render('group/edit.html') pkgs = [model.Package.by_name(name) for name in request.params.getall('Group-packages-current')] group.packages = pkgs pkgnames = request.params.getall('PackageGroup--package_name') for pkgname in pkgnames: if pkgname: package = model.Package.by_name(pkgname) if package and package not in group.packages: group.packages.append(package) for extension in self.extensions: extension.edit(group) model.repo.commit_and_remove() h.redirect_to(controller='group', action='read', id=c.groupname)
def revision_change_state(context, data_dict): model = context['model'] user = context['user'] authorized = Authorizer().is_sysadmin(unicode(user)) if not authorized: return { 'success': False, 'msg': _('User %s not authorized to change state of revision') % str(user) } else: return {'success': True}
def package_show(context, data_dict): user = context.get('user') package = get_package_object(context, data_dict) labels = get_permission_labels() user_labels = labels.get_user_dataset_labels(context['auth_user_obj']) authorized = any( dl in user_labels for dl in labels.get_dataset_labels(package)) if not authorized: return { 'success': False, 'msg': _('User %s not authorized to read package %s') % (user, package.id)} else: return {'success': True}
def group_member_create(context, data_dict): try: group_dict = tk.get_action('organization_show')(context, { 'id': data_dict['id'] }) # if the above call returns we already know it is an organization # otherwise a NotFound is raised return create.group_member_create(context, data_dict) except logic.NotFound: # means the specific group is surely not an org or doesn't exist at all return { 'success': False, 'msg': _('Nobody can add a member to a country in HDX') }
def harvest_job_create_all(context, data_dict): model = context['model'] user = context.get('user') if not ckan.new_authz.is_sysadmin(user): return { 'success': False, 'msg': _('Only sysadmins can create harvest jobs for all sources') % str(user) } else: return {'success': True}
def _post_feedback(self): ''' Redirects the user to the home page and flashes a message, acknowledging the feedback. ''' context = { 'name': request.params['name'], 'email': request.params['email'], 'feedback': request.params['feedback'] } feedback.send_feedback(context) h.flash_notice(_('Thank you for your feedback')) h.redirect_to(controller='home', action='index') return
def report_delete(self, id, report_id, data=None, errors=None, error_summary=None): """ Controller to delete a report """ # Setup dataset information package_type = self._get_package_type(id.split('@')[0]) context = { 'model': model, 'session': model.Session, 'user': c.user or c.author, 'extras_as_string': True, 'schema': self._form_to_db_schema(package_type=package_type), 'save': 'save' in request.params } data_dict = {'id': id, 'report_id': report_id} #check if package exists try: c.pkg_dict = get_action('package_show')(context, data_dict) c.pkg = context['package'] c.pkg_json = json.dumps(c.pkg_dict) except NotFound: abort(404, _('Dataset not found')) except NotAuthorized: abort(401, _('Unauthorized to read package %s') % id) # Only package admins can see this page try: check_access('package_update', context) except NotAuthorized, e: abort(401, _('User %r not authorized to edit %s') % (c.user, id))
def package_delete(context, data_dict): """ Delete a package permission. User must be in at least one group that that package is also in. """ model = context['model'] user = context['user'] package = get_package_object(context, data_dict) userobj = model.User.get( user ) if not userobj or \ not _groups_intersect( userobj.get_groups('organization'), package.get_groups('organization') ): return {'success': False, 'msg': _('User %s not authorized to delete packages in these group') % str(user)} return {'success': True}
def resource_delete(context, data_dict): model = context['model'] user = context.get('user') resource = get_resource_object(context, data_dict) # check authentication against package pkg = model.Package.get(resource.package_id) if not pkg: raise logic.NotFound( _('No package found for this resource, cannot check auth.')) pkg_dict = {'id': pkg.id} authorized = package_delete(context, pkg_dict).get('success') if not authorized: return { 'success': False, 'msg': _('User %s not authorized to delete resource %s') % (user, resource.id) } else: return {'success': True}
def _followee_list(context, data_dict): model = context['model'] # Visitors cannot see what users are following. authorized_user = model.User.get(context.get('user')) if not authorized_user: return {'success': False, 'msg': _('Not authorized')} # Any user is authorized to see what she herself is following. requested_user = model.User.get(data_dict.get('id')) if authorized_user == requested_user: return {'success': True} # Sysadmins are authorized to see what anyone is following. return sysadmin(context, data_dict)