Пример #1
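def member_delete(context, data_dict=None):
    '''
    Remove an object (e.g. a user, dataset or group) from a group.

    Custom organization permission handling added on top of CKAN's own member_delete action.
    When the object is a user, the caller's role and the target's role in the
    group are looked up and checked against settings.ORGANIZATION_MEMBER_PERMISSIONS;
    sysadmins skip that check. Other object types go straight to the core action.

    :param context: action context; ``context['user']`` is the acting user's name
    :param data_dict: must provide ``id`` (the group), ``object`` and ``object_type``
    :raises ckan.logic.NotAuthorized: if the permission table does not allow the removal
    :return: the result of ckan.logic.action.delete.member_delete
    '''
    # data_dict defaults to None; normalise it so a missing payload is handled
    # by _get_or_bust below instead of failing on None.get().
    if data_dict is None:
        data_dict = {}

    # Logged before the permission check, so this records attempts, including
    # ones that are rejected further down.
    _log_action('Member', 'delete', context['user'], data_dict.get('id'))

    # NOTE! CHANGING CKAN ORGANIZATION PERMISSIONS
    # This rebinds an attribute on authz itself, so the replacement table stays
    # in effect after this call returns and is not scoped to this request.
    authz.ROLE_PERMISSIONS = settings.ROLE_PERMISSIONS

    user = context['user']
    user_id = authz.get_user_id_for_username(user, allow_none=True)

    group_id, target_name, obj_type = _get_or_bust(data_dict, ['id', 'object', 'object_type'])

    if obj_type == 'user':
        # get user's role for this group
        user_role = utils.get_member_role(group_id, user_id)

        target_id = authz.get_user_id_for_username(target_name, allow_none=True)

        # get target's role for this group
        target_role = utils.get_member_role(group_id, target_id)

        # Both lookups use allow_none=True, so an unresolved caller and an
        # unresolved target would compare equal as None == None. Only treat the
        # request as "acting on oneself" when the caller was actually resolved.
        acts_on_self = user_id is not None and user_id == target_id

        # Sysadmin can do anything; everyone else needs an explicit entry.
        if not authz.is_sysadmin(user):
            rule = (user_role, target_role, 'member', acts_on_self)
            # Default deny: a combination missing from the table is refused.
            if not settings.ORGANIZATION_MEMBER_PERMISSIONS.get(rule, False):
                raise ckan.logic.NotAuthorized(_("You don't have permission to remove this user."))

    return ckan.logic.action.delete.member_delete(context, data_dict)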
Пример #2
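def member_create(context, data_dict=None):
    '''
    Make an object (e.g. a user, dataset or group) a member of a group.

    Custom organization permission handling added on top of CKAN's own member_create action.
    When the object is a user, the caller's role, the target's current role and
    the requested capacity are checked against settings.ORGANIZATION_MEMBER_PERMISSIONS;
    sysadmins skip that check. Other object types go straight to the core action.

    :param context: action context; ``context['user']`` is the acting user's name
    :param data_dict: must provide ``id`` (the group), ``object``, ``object_type``
        and ``capacity``
    :raises ckan.logic.NotAuthorized: if the permission table does not allow the change
    :return: the result of ckan.logic.action.create.member_create
    '''
    # data_dict defaults to None; normalise it so a missing payload is handled
    # by _get_or_bust below instead of failing on None.get().
    if data_dict is None:
        data_dict = {}

    # Logged before the permission check, so this records attempts, including
    # ones that are rejected further down.
    _log_action('Member', 'create', context['user'], data_dict.get('id'))

    # NOTE! CHANGING CKAN ORGANIZATION PERMISSIONS
    # This rebinds an attribute on authz itself, so the replacement table stays
    # in effect after this call returns and is not scoped to this request.
    authz.ROLE_PERMISSIONS = settings.ROLE_PERMISSIONS

    user = context['user']
    user_id = authz.get_user_id_for_username(user, allow_none=True)

    group_id, obj_id, obj_type, capacity = _get_or_bust(data_dict, ['id', 'object', 'object_type', 'capacity'])

    # get role the user has for the group
    user_role = utils.get_member_role(group_id, user_id)

    if obj_type == 'user':
        # user_id above is a resolved id, while 'object' is raw caller input.
        # Resolve it the same way so the role lookup and the self-comparison
        # see the same identifier; keep the raw value if it does not resolve.
        target_id = authz.get_user_id_for_username(obj_id, allow_none=True) or obj_id

        # get role for the target of this role change
        target_role = utils.get_member_role(group_id, target_id)
        if target_role is None:
            # Target has no role in the group yet: evaluate as a fresh grant.
            target_role = capacity

        # An unresolved caller (user_id is None) is never "acting on oneself".
        acts_on_self = user_id is not None and user_id == target_id

        # Sysadmin can do anything; everyone else needs an explicit entry.
        if not authz.is_sysadmin(user):
            rule = (user_role, target_role, capacity, acts_on_self)
            # Default deny: a combination missing from the table is refused.
            if not settings.ORGANIZATION_MEMBER_PERMISSIONS.get(rule, False):
                raise ckan.logic.NotAuthorized(_("You don't have permission to modify roles for this organization."))

    return ckan.logic.action.create.member_create(context, data_dict)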
Пример #3
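def member_delete(context, data_dict=None):
    '''
    Remove an object (e.g. a user, dataset or group) from a group.

    Custom organization permission handling added on top of CKAN's own member_delete action.
    When the object is a user, the caller's role and the target's role in the
    group are looked up and checked against settings.ORGANIZATION_MEMBER_PERMISSIONS;
    sysadmins skip that check. Other object types go straight to the core action.

    :param context: action context; ``context['user']`` is the acting user's name
    :param data_dict: must provide ``id`` (the group), ``object`` and ``object_type``
    :raises ckan.logic.NotAuthorized: if the permission table does not allow the removal
    :return: the result of ckan.logic.action.delete.member_delete
    '''
    # data_dict defaults to None; normalise it so a missing payload is handled
    # by _get_or_bust below instead of failing on None.get().
    if data_dict is None:
        data_dict = {}

    # Logged before the permission check, so this records attempts, including
    # ones that are rejected further down.
    _log_action('Member', 'delete', context['user'], data_dict.get('id'))

    # NOTE! CHANGING CKAN ORGANIZATION PERMISSIONS
    # This rebinds an attribute on authz itself, so the replacement table stays
    # in effect after this call returns and is not scoped to this request.
    authz.ROLE_PERMISSIONS = settings.ROLE_PERMISSIONS

    user = context['user']
    user_id = authz.get_user_id_for_username(user, allow_none=True)

    group_id, target_name, obj_type = _get_or_bust(data_dict, ['id', 'object', 'object_type'])

    if obj_type == 'user':
        # get user's role for this group
        user_role = utils.get_member_role(group_id, user_id)

        target_id = authz.get_user_id_for_username(target_name, allow_none=True)

        # get target's role for this group
        target_role = utils.get_member_role(group_id, target_id)

        # Both lookups use allow_none=True, so an unresolved caller and an
        # unresolved target would compare equal as None == None. Only treat the
        # request as "acting on oneself" when the caller was actually resolved.
        acts_on_self = user_id is not None and user_id == target_id

        # Sysadmin can do anything; everyone else needs an explicit entry.
        if not authz.is_sysadmin(user):
            rule = (user_role, target_role, 'member', acts_on_self)
            # Default deny: a combination missing from the table is refused.
            if not settings.ORGANIZATION_MEMBER_PERMISSIONS.get(rule, False):
                raise ckan.logic.NotAuthorized(_("You don't have permission to remove this user."))

    return ckan.logic.action.delete.member_delete(context, data_dict)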
Пример #4
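def member_create(context, data_dict=None):
    '''
    Make an object (e.g. a user, dataset or group) a member of a group.

    Custom organization permission handling added on top of CKAN's own member_create action.
    When the object is a user, the caller's role, the target's current role and
    the requested capacity are checked against settings.ORGANIZATION_MEMBER_PERMISSIONS;
    sysadmins skip that check. Other object types go straight to the core action.

    :param context: action context; ``context['user']`` is the acting user's name
    :param data_dict: must provide ``id`` (the group), ``object``, ``object_type``
        and ``capacity``
    :raises ckan.logic.NotAuthorized: if the permission table does not allow the change
    :return: the result of ckan.logic.action.create.member_create
    '''
    # data_dict defaults to None; normalise it so a missing payload is handled
    # by _get_or_bust below instead of failing on None.get().
    if data_dict is None:
        data_dict = {}

    # Logged before the permission check, so this records attempts, including
    # ones that are rejected further down.
    _log_action('Member', 'create', context['user'], data_dict.get('id'))

    # NOTE! CHANGING CKAN ORGANIZATION PERMISSIONS
    # This rebinds an attribute on authz itself, so the replacement table stays
    # in effect after this call returns and is not scoped to this request.
    authz.ROLE_PERMISSIONS = settings.ROLE_PERMISSIONS

    user = context['user']
    user_id = authz.get_user_id_for_username(user, allow_none=True)

    group_id, obj_id, obj_type, capacity = _get_or_bust(data_dict, ['id', 'object', 'object_type', 'capacity'])

    # get role the user has for the group
    user_role = utils.get_member_role(group_id, user_id)

    if obj_type == 'user':
        # user_id above is a resolved id, while 'object' is raw caller input.
        # Resolve it the same way so the role lookup and the self-comparison
        # see the same identifier; keep the raw value if it does not resolve.
        target_id = authz.get_user_id_for_username(obj_id, allow_none=True) or obj_id

        # get role for the target of this role change
        target_role = utils.get_member_role(group_id, target_id)
        if target_role is None:
            # Target has no role in the group yet: evaluate as a fresh grant.
            target_role = capacity

        # An unresolved caller (user_id is None) is never "acting on oneself".
        acts_on_self = user_id is not None and user_id == target_id

        # Sysadmin can do anything; everyone else needs an explicit entry.
        if not authz.is_sysadmin(user):
            rule = (user_role, target_role, capacity, acts_on_self)
            # Default deny: a combination missing from the table is refused.
            if not settings.ORGANIZATION_MEMBER_PERMISSIONS.get(rule, False):
                raise ckan.logic.NotAuthorized(_("You don't have permission to modify roles for this organization."))

    return ckan.logic.action.create.member_create(context, data_dict)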
Пример #5
def package_owner_org_update(context, data_dict):
    '''
    Update the owning organization of a dataset.

    Used by both package_create and package_update. Looks up the acting user,
    that user's role in the target organization and the dataset, then hands the
    call over to CKAN's own package_owner_org_update.
    '''
    # The lookup result is dereferenced unconditionally, so a context whose
    # 'user' does not resolve to a user object fails here with AttributeError.
    acting_user = model.User.by_name(context.get('user'))
    acting_user_id = acting_user.id
    target_org_id = data_dict.get('organization_id')

    # NOTE(review): the role and the package fetched below are never used, so
    # this wrapper makes no permission decision of its own and relies on
    # whatever checks the core action performs. Confirm whether a role check
    # was meant to be enforced here.
    role_in_org = utils.get_member_role(target_org_id, acting_user_id)
    dataset = model.Package.get(data_dict['id'])

    return ckan.logic.action.update.package_owner_org_update(context, data_dict)
Пример #6
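def check_private(key, data, errors, context):
    '''
    Changes to owner_org_validator requires checking of private value.

    A falsy value (or the string ``False`` in any letter case) is treated as a
    request for a public dataset, which is only accepted when the acting user
    has the ``admin`` or ``editor`` role in the organization found under
    ``(u'owner_org',)`` in ``data``.

    :param key: key of the value to check in ``data``
    :param data: data being validated; also read for ``(u'owner_org',)``
    :param errors: errors (not used by this validator)
    :param context: context; ``context['user']`` identifies the acting user
    :return: nothing. Raise invalid if not organisation editor and private == False
    :raises Invalid: when a public dataset is requested without the required role
    '''
    value = data.get(key)

    # Compare the string form case-insensitively so u'false' is handled like
    # u'False'.
    # NOTE(review): other spellings of "false" are not recognised here; confirm
    # this runs after the field has been converted to a boolean.
    requests_public = not value or (hasattr(value, 'lower') and value.lower() == u'false')
    if not requests_public:
        return

    user = context.get('user', False)
    # Fail closed: a missing user, or a name that does not resolve to a user
    # object, is rejected with Invalid instead of raising AttributeError on .id.
    user_obj = User.get(user) if user else None
    if user_obj is not None:
        # NOTE(review): only the organization role is consulted; confirm how
        # sysadmins without a role in the organization should be treated.
        role = utils.get_member_role(data.get((u'owner_org',)), user_obj.id)
        if role in ('admin', 'editor'):
            return

    raise Invalid(_('Only organization\'s editors and admins can create a public dataset'))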