def restricted_check_access(context, data_dict): package_id = data_dict.get('package_id', False) resource_id = data_dict.get('resource_id', False) user_name = logic.restricted_get_username_from_context(context) if not package_id: raise ckan.logic.ValidationError('Missing package_id') if not resource_id: raise ckan.logic.ValidationError('Missing resource_id') log.debug("action.restricted_check_access: user_name = " + str(user_name)) log.debug("checking package " + str(package_id)) package_dict = ckan.logic.get_action('package_show')(dict( context, return_type='dict'), { 'id': package_id }) log.debug("checking resource") resource_dict = ckan.logic.get_action('resource_show')(dict( context, return_type='dict'), { 'id': resource_id }) return logic.restricted_check_user_resource_access(user_name, resource_dict, package_dict)
def _restricted_resource_list_hide_fields(context, resource_list): restricted_resources_list = [] for resource in resource_list: # copy original resource restricted_resource = dict(resource) # get the restricted fields restricted_dict = logic.restricted_get_restricted_dict( restricted_resource) # hide field URL to unauthorized users authorized = auth.restricted_resource_show(context, { 'id': resource.get('id'), 'resource': resource }).get('success', False) if not authorized: restricted_resource['url'] = 'Not Authorized' # hide other fields in restricted to everyone but dataset owner(s) if not authz.is_authorized('package_update', context, { 'id': resource.get('package_id') }).get('success'): user_name = logic.restricted_get_username_from_context(context) # hide partially other allowed user_names (keep own) allowed_users = [] for user in restricted_dict.get("allowed_users"): if len(user.strip()) > 0: if user_name == user: allowed_users += [user_name] else: allowed_users += [user[0:3] + '*****' + user[-2:]] new_restricted = json.dumps({ "level": restricted_dict.get("level"), "allowed_users": ','.join(allowed_users) }) extras_restricted = resource.get('extras', {}).get('restricted', {}) if (extras_restricted): restricted_resource['extras']['restricted'] = new_restricted field_restricted_field = resource.get('restricted', {}) if (field_restricted_field): restricted_resource['restricted'] = new_restricted restricted_resources_list += [restricted_resource] return restricted_resources_list
def _restricted_resource_list_hide_fields(context, resource_list): restricted_resources_list = [] for resource in resource_list: # copy original resource restricted_resource = dict(resource) # get the restricted fields restricted_dict = logic.restricted_get_restricted_dict( restricted_resource) # hide fields to unauthorized users authorized = auth.restricted_resource_show( context, {'id': resource.get('id'), 'resource': resource} ).get('success', False) # hide other fields in restricted to everyone but dataset owner(s) if not authz.is_authorized( 'package_update', context, {'id': resource.get('package_id')} ).get('success'): user_name = logic.restricted_get_username_from_context(context) # hide partially other allowed user_names (keep own) allowed_users = [] # convert to list if only 1 string list_allowed_users = restricted_dict.get('allowed_users') for user in list_allowed_users: if len(user.strip()) > 0: if user_name == user: allowed_users.append(user_name) else: allowed_users.append(user[0:3] + '*****' + user[-2:]) # hide usernames from custom allowed users field restricted_resource['allowed_users'] = allowed_users new_restricted = json.dumps({ 'level': restricted_dict.get("level"), 'allowed_users': ','.join(allowed_users)}) extras_restricted = resource.get( 'extras', {}).get('restricted', {}) if (extras_restricted): restricted_resource['extras']['restricted'] = new_restricted field_restricted_field = resource.get('restricted', {}) if (field_restricted_field): restricted_resource['restricted'] = new_restricted restricted_resources_list += [restricted_resource] return restricted_resources_list
def _restricted_resource_list_hide_fields(context, resource_list): restricted_resources_list = [] for resource in resource_list: # copy original resource restricted_resource = dict(resource) # get the restricted fields restricted_dict = logic.restricted_get_restricted_dict(restricted_resource) # hide other fields in restricted to everyone but dataset owner(s) if not authz.is_authorized( 'package_update', context, {'id': resource.get('package_id')} ).get('success'): user_name = logic.restricted_get_username_from_context(context) # hide partially other allowed user_names (keep own) allowed_users = [] for user in restricted_dict.get('allowed_users'): if len(user.strip()) > 0: if user_name == user: allowed_users.append(user_name) else: allowed_users.append(user[0:3] + '*****' + user[-2:]) allowed_orgs = [] for org in restricted_dict.get('allowed_organizations', []): if len(org.strip()) > 0: allowed_orgs.append(org) new_restricted = json.dumps({ 'level': restricted_dict.get("level"), 'allowed_users': ','.join(allowed_users), 'allowed_organizations': ','.join(allowed_orgs) }) extras_restricted = resource.get('extras', {}).get('restricted', {}) if (extras_restricted): restricted_resource['extras']['restricted'] = new_restricted field_restricted_field = resource.get('restricted', {}) if (field_restricted_field): restricted_resource['restricted'] = new_restricted restricted_resources_list += [restricted_resource] return restricted_resources_list
def _restricted_resource_list_accessible_by_user(context, resource_list, package_dict=None): restricted_resources_list = [] user_name = logic.restricted_get_username_from_context(context) user_obj = context.get('auth_user_obj') for resource in resource_list: resource_dict = dict(resource) if not package_dict: package_dict = package_show(context, {'id': resource_dict['package_id']}) user_has_resource_access = logic.restricted_check_user_resource_access( user_name, resource_dict, package_dict, user_obj=user_obj, check_access_package_show=False, user_organization_dict=logic.get_organization_dict(user_name) ).get('success', False) if user_has_resource_access: restricted_resources_list.append(resource_dict) return restricted_resources_list
def _restricted_resource_list_hide_fields(context, resource_list, package=None): restricted_resources_list = [] # username = context.get('user') user_name = logic.restricted_get_username_from_context(context) # If first resource does not pass auth, treat all other resources the same. for i, resource in enumerate(resource_list): # copy original resource restricted_resource = dict(resource) # get the restricted fields restricted_dict = logic.restricted_get_restricted_dict( restricted_resource) logger.debug('restricted_resource: %s' % restricted_resource) logger.debug('restricted_dict: %s' % restricted_dict) restricted_field = restricted_resource.get('restricted') logger.debug('User: %s, Restricted: %s' % (user_name, restricted_field)) if i == 0: # We only need to check if the user is authorized for the first resource # This function calls model.Package.get() which is redundant, # we already have the package in the code that calls this. authorized = auth.restricted_resource_show(context, { 'id': resource.get('id'), 'resource': resource, 'package': package }).get('success', False) if authorized: # If user is authorized, nothing to hide, immediately return original resource list return resource_list else: # If user is NOT authorized, continue from here and hide sensitive info in ALL resources logger.warning('User %s: Not authorized for ALL resources' % user_name) # If we get to this point, user is not authorized for ALL resources in the dataset logger.debug('Not authorized for resource: %s' % resource.get('title')) # Hide contents of sensitive fields sensitive = [ 'locale', 'attribute', 'layer_description', 'change_description_resource', 'map_preview_link', 'layer_name', 'disclaimer_url', 'filepath', 'spatial', 'attr_data', 'description', 'bbox', 'spatial_type', 'projection_wkt', 'url' ] for s in sensitive: if s in restricted_resource: restricted_resource[s] = '' # This is not needed, I don't think we care about hiding the list of users who have access # if not authz.is_authorized( # 'package_update', context, {'id': resource.get('package_id')} # ).get('success'): # # # hide partially other allowed user_names (keep own) # allowed_users = [] # for user in restricted_dict.get('allowed_users'): # if len(user.strip()) > 0: # if user_name == user: # allowed_users.append(user_name) # else: # allowed_users.append(user[0:3] + '*****' + user[-2:]) # # new_restricted = json.dumps({ # 'level': restricted_dict.get("level"), # 'allowed_users': ','.join(allowed_users)}) # # # Resource extras may be stored in an 'extras' subdict, or at the root # # level of the resource dict. This block handles both cases. # extras_restricted = resource.get('extras', {}).get('restricted', {}) # if (extras_restricted): # restricted_resource['extras']['restricted'] = new_restricted # # field_restricted_field = resource.get('restricted', {}) # if (field_restricted_field): # restricted_resource['restricted'] = new_restricted restricted_resources_list += [restricted_resource] return restricted_resources_list