def _get_owner_org(self, context, data_dict, action):
    """Resolve the organisation id an auth decision should be made against.

    The lookup order is fixed: a pre-loaded resource (only for resource
    actions), a pre-loaded group, an explicit ``owner_org`` in ``data_dict``,
    a pre-loaded package (only for package actions), an ``org_data`` dict,
    and finally a package lookup through ``logic_auth`` with a group lookup
    as the last resort.  Returns ``None`` when nothing matches.
    ``action`` is tested by substring ('resource' in action).
    """
    if 'resource' in context and 'resource' in action:
        res = context['resource']
        org_id = res.extras.get('owner_org', None)
        # Fall back to the resource's dataset when the extra is absent.
        if org_id is None:
            org_id = res.package.owner_org
        return org_id

    if 'group' in context:
        return logic_auth.get_group_object(context, data_dict).id

    if 'owner_org' in data_dict:
        return data_dict.get('owner_org')

    if 'package' in context and 'package' in action:
        return context['package'].owner_org

    if 'org_data' in data_dict:
        return data_dict['org_data'].get('id', None)

    # Nothing pre-loaded: try the package first, then a group.
    try:
        pkg = logic_auth.get_package_object(context, data_dict)
    except (ValidationError, NotFound):
        pkg = None

    if pkg is not None:
        return pkg.owner_org

    try:
        return logic_auth.get_group_object(context, data_dict).id
    except (ValidationError, NotFound):
        return None
def group_create(context, data_dict=None):
    """
    Group create permission.  Unknown users are refused and sysadmins are
    allowed outright.  When the request names an enclosing group the caller
    must hold a membership (any capacity) in that group; with no enclosing
    group the request is allowed here, any approval being handled elsewhere.
    """
    model = context['model']
    user = context['user']

    if not model.User.get(user):
        return {'success': False, 'msg': _('User is not authorized to create groups') }

    if Authorizer.is_sysadmin(user):
        return {'success': True}

    try:
        # A group being created inside another group requires membership
        # in that enclosing group.
        parent = get_group_object( context )
    except logic.NotFound:
        # No enclosing group: nothing more to check at this point.
        return { 'success' : True }

    userobj = model.User.get( user )
    if not userobj:
        return {'success': False, 'msg': _('User %s not authorized to create groups') % str(user)}

    if _groups_intersect( userobj.get_groups('organization'), [parent] ):
        return {'success': True}
    return {'success': False, 'msg': _('User %s not authorized to create groups') % str(user)}
def group_update(context, data_dict):
    """
    Group edit permission.  Requires a named user who is either a sysadmin
    or holds the 'admin' capacity in the group being edited.  The group is
    looked up before any user check, so a missing group raises first.
    """
    model = context['model']
    user = context.get('user','')
    grp = get_group_object(context, data_dict)

    # Anonymous callers are refused outright.
    if not user:
        return {'success': False, 'msg': _('Only members of this group are authorized to edit this group')}

    # Sysadmins bypass the membership check.
    if Authorizer().is_sysadmin(unicode(user)):
        return { 'success': True }

    userobj = model.User.get( user )
    if not userobj:
        return { 'success' : False, 'msg': _('Could not find user %s') % str(user) }

    # Only 'admin'-capacity members of this group may edit it.
    admin_groups = userobj.get_groups( 'organization', 'admin' )
    if _groups_intersect( admin_groups, [grp] ):
        return { 'success': True }
    return { 'success': False, 'msg': _('User %s not authorized to edit this group') % str(user) }
def organization_update(context, data_dict):
    """ This overrides CKAN's auth function to make sure that user has permission to use a specific parent organization.

    Three checks, in order: admin membership in the selected parent
    organization, no change to the public-administration flag on a 'save'
    submission, and finally the regular 'update' permission on the
    organization itself.  ``model`` here is a module-level name, not
    ``context['model']``.
    """

    group = logic_auth.get_group_object(context, data_dict)
    user = context['user']

    # Check that user has admin permissions in selected parent organizations
    if data_dict and data_dict.get('groups'):

        # Active 'admin' memberships of the caller, keyed by user id
        # (allow_none=True: an unknown user name yields no memberships).
        admin_in_orgs = model.Session.query(model.Member).filter(model.Member.state == 'active').filter(model.Member.table_name == 'user') \
            .filter(model.Member.capacity == 'admin').filter(model.Member.table_id == new_authz.get_user_id_for_username(user, allow_none=True))

        # NOTE(review): the 'else' below belongs to the 'if', not the 'for',
        # so only the first entry of data_dict['groups'] is examined: admin
        # there -> break, otherwise refuse.  Confirm a single parent is the
        # intended contract.
        for parent_org in data_dict['groups']:
            if any(parent_org['name'] == admin_org.group.name for admin_org in admin_in_orgs):
                break
            else:
                return {'success': False, 'msg': _('User %s is not administrator in the selected parent organization') % user}

    # A 'save' submission may not toggle the public-administration flag
    # through this path (the key is spelled 'adminstration' on both sides).
    if (data_dict and 'save' in data_dict and
            data_dict.get('public_adminstration_organization', None) != group.extras.get('public_adminstration_organization', None)):
        return {'success': False, 'msg': _('User %s is not allowed to change the public organization option') % user}

    authorized = new_authz.has_user_permission_for_group_or_org(group.id, user, 'update')
    if not authorized:
        return {'success': False,
                'msg': _('User %s not authorized to edit organization %s') %
                        (user, group.id)}
    else:
        return {'success': True}
def dgu_group_update(context, data_dict):
    """
    Group edit permission.  Requires a named user who is a sysadmin, or
    holds the 'admin' capacity in the 'publisher' hierarchy either on one
    of the group's ancestors (via publib.go_up_tree) or on the group itself.
    """
    model = context['model']
    user = context.get('user','')
    grp = get_group_object(context, data_dict)

    if not user:
        return {'success': False, 'msg': _('Only members of this group are authorized to edit this group')}

    # Sysadmins bypass the membership checks.
    if Authorizer().is_sysadmin(unicode(user)):
        return { 'success': True }

    user_obj = model.User.get( user )
    if not user_obj:
        return { 'success' : False, 'msg': _('Could not find user %s') % str(user) }

    # Admin capacity is inherited downwards: an admin of any ancestor
    # publisher may edit, as may an admin of the group itself.
    ancestors = list(publib.go_up_tree(grp))
    admin_groups = user_obj.get_groups('publisher', 'admin')

    if _groups_intersect( admin_groups, ancestors ):
        return {'success': True}
    if _groups_intersect( admin_groups, [grp] ):
        return {'success': True}

    return { 'success': False, 'msg': _('User %s not authorized to edit this group') % str(user) }
def has_user_access_to_update_members_for_organsation(context, data_dict):
    """Return a truthy value when an organisation membership change must be refused.

    Unlike the auth functions around it this returns a plain value, not an
    auth-result dict: truthy means "the target is an organization and the
    caller is not a sysadmin", i.e. the member update is to be locked down.
    """
    grp = logic_auth.get_group_object(context, data_dict)
    actor = context.get('user')

    # Plain groups are never locked down; propagate the falsy value as-is.
    if not grp.is_organization:
        return grp.is_organization
    # Organisation membership changes are reserved for sysadmins.
    return not authz.is_sysadmin(actor)
def member_create(context, data_dict):
    """Authorise adding a member to a group or organization.

    Requires the 'update' permission on the group, relaxed to 'manage_group'
    when a dataset is being added to a plain group.  Even an authorised user
    is refused (without a message) unless the 'ckan.gov_theme.is_back'
    config flag is set, confining membership changes to the back-office.
    """
    grp = logic_auth.get_group_object(context, data_dict)
    actor = context['user']

    # Dataset additions to plain groups only need 'manage_group'; anything
    # else, and anything on an organization, needs 'update'.
    needed = 'update'
    if not grp.is_organization and data_dict.get('object_type') == 'package':
        needed = 'manage_group'

    if not authz.has_user_permission_for_group_or_org(grp.id, actor, needed):
        return {
            'success': False,
            'msg': _('User %s not authorized to edit group %s') % (str(actor), grp.id),
        }

    # Back-office gate: refusal here deliberately carries no message.
    if authz.config.get('ckan.gov_theme.is_back'):
        return {'success': True}
    return {'success': False}
def member_create(context, data_dict):
    """
    This code is largely borrowed from /src/ckan/ckan/logic/auth/create.py
    With a modification to allow users to add datasets to any group
    :param context:
    :param data_dict:
    :return:
    """
    grp = logic_auth.get_group_object(context, data_dict)
    actor = context['user']

    # Dataset additions to plain groups only need 'manage_group'; anything
    # else, and anything on an organization, needs 'update'.
    needed = 'update'
    if not grp.is_organization and data_dict.get('object_type') == 'package':
        needed = 'manage_group'

    # NOTE(review): on the dataset "groups" page the decision comes from
    # helpers.user_has_admin_access(True) and depends on request routing
    # (c.controller / c.action), not on the group's own permissions; the
    # group-level check only applies on other routes.
    from_dataset_groups_page = (c.controller in ['package', 'dataset']
                                and c.action in ['groups'])
    if from_dataset_groups_page:
        allowed = helpers.user_has_admin_access(True)
    else:
        allowed = authz.has_user_permission_for_group_or_org(grp.id, actor, needed)

    if allowed:
        return {'success': True}
    return {
        'success': False,
        'msg': _('User %s not authorized to edit group %s') % (str(actor), grp.id),
    }
def package_update(context, data_dict):
    """Overrides CKAN auth function to support personal datasets setting in organizations

    Defers to the stock package_update check first; when that allows the
    edit and the owning organization lists 'personal_datasets' in its
    'features' extra, only the dataset's creator may modify it.  Showcases
    have no organization and are never restricted here.
    """
    verdict = _auth_update.package_update(context, data_dict)
    if not verdict['success']:
        return verdict

    actor = logic_auth.get_user_object(context, {'id': context.get('user')})
    dataset = logic_auth.get_package_object(context, data_dict)

    # Showcases don't have organizations
    if dataset.type == "showcase":
        return verdict

    org = logic_auth.get_group_object(context, {'id': dataset.owner_org})
    creator_only = 'personal_datasets' in org.extras.get('features', [])
    if creator_only and dataset.creator_user_id != actor.id:
        return {
            'success': False,
            'msg': _('Cannot modify dataset because of organization policy'),
        }
    return verdict
def member_create(context, data_dict):
    """Allow anyone to add members to groups of type 'topics'; otherwise defer to the stock check.

    Note that the 'topics' branch performs no user check at all.
    """
    grp = logic_auth.get_group_object(context, data_dict)
    if grp.type != 'topics':
        return create.member_create(context, data_dict)
    return {'success': True}
def organization_update(context, data_dict):
    """Allow editing an organization only with the 'update' permission on it."""
    org = get_group_object(context, data_dict)
    actor = context["user"]
    if new_authz.has_user_permission_for_group_or_org(org.id, actor, "update"):
        return {"success": True}
    return {"success": False, "msg": _("User %s not authorized to edit organization %s") % (actor, org.id)}
def csc_auth_organization_activity_list_html(context, data_dict):
    """Restrict the organization activity stream to users with 'update' on the organization."""
    actor = context.get('user')
    org = logic_auth.get_group_object(context, data_dict)
    allowed = authz.has_user_permission_for_group_or_org(org.id, actor, 'update')
    if allowed:
        return {'success': True}
    return {'success': False, 'msg': _('Unauthorized to see this content')}
def group_edit_permissions(context, data_dict):
    """Editing a group's permissions requires the 'update' permission on that group."""
    actor = context['user']
    grp = get_group_object(context, data_dict)

    allowed = new_authz.has_user_permission_for_group_or_org(grp.id, actor, 'update')
    if allowed:
        return {'success': True}
    return {'success': False, 'msg': _('User %s not authorized to edit permissions of group %s') % (str(actor),grp.id)}
def organization_update(context, data_dict):
    """Allow editing an organization only with the 'update' permission on it."""
    org = get_group_object(context, data_dict)
    actor = context['user']
    denied = {'success': False, 'msg': _('User %s not authorized to edit organization %s') % (actor, org.id)}
    if new_authz.has_user_permission_for_group_or_org(org.id, actor, 'update'):
        return {'success': True}
    return denied
def group_delete(context, data_dict):
    """Allow deleting a group when the site permits it and the user has 'delete' on the group.

    The site-wide 'user_delete_groups' config permission is checked first
    and refuses everyone when off; the group is looked up before that.
    """
    grp = get_group_object(context, data_dict)
    actor = context["user"]
    if not new_authz.check_config_permission("user_delete_groups"):
        return {"success": False, "msg": _("User %s not authorized to delete groups") % actor}
    if new_authz.has_user_permission_for_group_or_org(grp.id, actor, "delete"):
        return {"success": True}
    return {"success": False, "msg": _("User %s not authorized to delete group %s") % (actor, grp.id)}
def group_change_state(context, data_dict):
    """Changing a group's state goes through the legacy check_access_old CHANGE_STATE action."""
    model = context['model']
    actor = context['user']
    grp = get_group_object(context, data_dict)

    if check_access_old(grp, model.Action.CHANGE_STATE, context):
        return {'success': True}
    return {'success': False, 'msg': _('User %s not authorized to change state of group %s') % (str(actor),grp.id)}
def group_edit_permissions(context, data_dict):
    """Editing a group's permissions goes through the legacy check_access_old EDIT_PERMISSIONS action."""
    model = context['model']
    actor = context['user']
    grp = get_group_object(context, data_dict)

    if check_access_old(grp, model.Action.EDIT_PERMISSIONS, context):
        return {'success': True}
    return {'success': False, 'msg': _('User %s not authorized to edit permissions of group %s') % (str(actor),grp.id)}
def group_change_state(context, data_dict):
    """Changing a group's state goes through the legacy check_access_old CHANGE_STATE action."""
    model = context['model']
    actor = context['user']
    grp = get_group_object(context, data_dict)

    denied = {'success': False, 'msg': _('User %s not authorized to change state of group %s') % (str(actor),grp.id)}
    if not check_access_old(grp, model.Action.CHANGE_STATE, context):
        return denied
    return {'success': True}
def group_edit_permissions(context, data_dict):
    """Editing a group's permissions goes through the legacy logic.check_access_old EDIT_PERMISSIONS action."""
    model = context['model']
    actor = context['user']
    grp = get_group_object(context, data_dict)

    denied = {'success': False, 'msg': _('User %s not authorized to edit permissions of group %s') % (str(actor),grp.id)}
    if not logic.check_access_old(grp, model.Action.EDIT_PERMISSIONS, context):
        return denied
    return {'success': True}
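def _group_or_org_member_delete(context, data_dict):
    """Authorise removing a member from a group or organization.

    Requires the 'delete_member' permission on the group.  The refusal
    message says "organization" for plain groups too (kept as-is).
    """
    group = get_group_object(context, data_dict)
    user = context['user']
    authorized = new_authz.has_user_permission_for_group_or_org(
        group.id, user, 'delete_member')
    if not authorized:
        return {'success': False, 'msg': _('User %s not authorized to delete organization %s members') % (str(user),group.id)}
    # The original carried a second, unreachable `return {'success': True}`
    # after the if/else; it is dropped so every path is explicit.
    return {'success': True}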
def group_show(context, data_dict):
    """Reading a group goes through the legacy logic.check_access_old READ action."""
    model = context['model']
    actor = context.get('user')
    grp = get_group_object(context, data_dict)

    if logic.check_access_old(grp, model.Action.READ, context):
        return {'success': True}
    return {'success': False, 'msg': _('User %s not authorized to read group %s') % (str(actor),grp.id)}
def group_show(context, data_dict):
    """Active groups are readable by anyone; other states need the 'read' permission.

    No user check happens for an active group, so anonymous callers are
    allowed there.
    """
    actor = context.get("user")
    grp = get_group_object(context, data_dict)
    if grp.state == "active":
        return {"success": True}
    if not authz.has_user_permission_for_group_or_org(grp.id, actor, "read"):
        return {"success": False, "msg": _("User %s not authorized to read group %s") % (actor, grp.id)}
    return {"success": True}
def group_update(context, data_dict):
    """Editing a group goes through the legacy check_access_old EDIT action."""
    model = context["model"]
    actor = context["user"]
    grp = get_group_object(context, data_dict)

    if check_access_old(grp, model.Action.EDIT, context):
        return {"success": True}
    return {"success": False, "msg": _("User %s not authorized to edit group %s") % (str(actor), grp.id)}
def group_show(context, data_dict):
    """Reading a group goes through the legacy logic.check_access_old READ action."""
    model = context['model']
    actor = context.get('user')
    grp = get_group_object(context, data_dict)

    denied = {'success': False, 'msg': _('User %s not authorized to read group %s') % (str(actor),grp.id)}
    if not logic.check_access_old(grp, model.Action.READ, context):
        return denied
    return {'success': True}
def group_update(context, data_dict):
    """Editing a group goes through the legacy logic.check_access_old EDIT action."""
    model = context['model']
    actor = context['user']
    grp = get_group_object(context, data_dict)

    denied = {'success': False, 'msg': _('User %s not authorized to edit group %s') % (str(actor),grp.id)}
    if not logic.check_access_old(grp, model.Action.EDIT, context):
        return denied
    return {'success': True}
def group_change_state(context, data_dict):
    """Changing a group's state is allowed exactly when 'group_update' would be."""
    actor = context['user']
    grp = get_group_object(context, data_dict)

    # Delegate to the group_update auth function rather than duplicating it.
    if new_authz.is_authorized_boolean('group_update', context, data_dict):
        return {'success': True}
    return {'success': False, 'msg': _('User %s not authorized to change state of group %s') % (str(actor),grp.id)}
def group_delete(context, data_dict):
    """Deleting a group goes through the legacy logic.check_access_old PURGE action."""
    model = context['model']
    actor = context['user']
    grp = get_group_object(context, data_dict)

    if logic.check_access_old(grp, model.Action.PURGE, context):
        return {'success': True}
    return {'success': False, 'msg': _('User %s not authorized to delete group %s') % (str(actor),grp.id)}
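def _group_or_org_member_delete(context, data_dict):
    """Authorise removing a member from a group or organization.

    Requires the 'delete_member' permission on the group.  The refusal
    message says "organization" for plain groups too (kept as-is).
    """
    group = get_group_object(context, data_dict)
    user = context['user']
    authorized = new_authz.has_user_permission_for_group_or_org(
        group.id, user, 'delete_member')
    if not authorized:
        return {'success': False, 'msg': _('User %s not authorized to delete organization %s members') % (user, group.id)}
    # The original carried a second, unreachable `return {'success': True}`
    # after the if/else; it is dropped so every path is explicit.
    return {'success': True}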
def group_show(context, data_dict):
    """Active groups are readable by anyone; other states need the 'read' permission.

    No user check happens for an active group, so anonymous callers are
    allowed there.
    """
    actor = context.get('user')
    grp = get_group_object(context, data_dict)
    if grp.state == 'active':
        return {'success': True}
    denied = {'success': False, 'msg': _('User %s not authorized to read group %s') % (actor, grp.id)}
    if not authz.has_user_permission_for_group_or_org(grp.id, actor, 'read'):
        return denied
    return {'success': True}
def organization_update(context, data_dict):
    """Allow editing an organization only with the 'update' permission on it."""
    org = logic_auth.get_group_object(context, data_dict)
    actor = context['user']
    if new_authz.has_user_permission_for_group_or_org(org.id, actor, 'update'):
        return {'success': True}
    return {
        'success': False,
        'msg': _('User %s not authorized to edit organization %s') % (actor, org.id),
    }
def group_edit_permissions(context, data_dict):
    """Editing a group's permissions requires the 'update' permission on that group."""
    actor = context["user"]
    grp = get_group_object(context, data_dict)

    allowed = new_authz.has_user_permission_for_group_or_org(grp.id, actor, "update")
    if allowed:
        return {"success": True}
    return {
        "success": False,
        "msg": _("User %s not authorized to edit permissions of group %s") % (str(actor), grp.id),
    }
    def test_get_group_object_with_id(self):
        """get_group_object resolves a group by id and memoises it in the context."""
        site_user = helpers.call_action('get_site_user')['name']
        created = helpers.call_action('group_create',
                                      context={'user': site_user},
                                      name='test_group')
        ctx = {'model': core_model}
        fetched = logic_auth.get_group_object(ctx, {'id': created['id']})

        # The returned object is the created group and is cached as context['group'].
        assert fetched.id == created['id']
        assert ctx['group'] == fetched
    def test_get_group_object_with_id(self):
        """get_group_object resolves a group by id and memoises it in the context."""
        site_user = helpers.call_action('get_site_user')['name']
        created = helpers.call_action('group_create',
                                      context={'user': site_user},
                                      name='test_group')
        ctx = {'model': core_model}
        fetched = logic_auth.get_group_object(ctx, {'id': created['id']})

        # The returned object is the created group and is cached as context['group'].
        assert fetched.id == created['id']
        assert ctx['group'] == fetched
def group_show(context, data_dict):
    """Active groups are readable by anyone; other states need the 'read' permission.

    No user check happens for an active group, so anonymous callers are
    allowed there.
    """
    actor = context.get('user')
    grp = get_group_object(context, data_dict)
    if grp.state == 'active':
        return {'success': True}
    if authz.has_user_permission_for_group_or_org(grp.id, actor, 'read'):
        return {'success': True}
    return {'success': False, 'msg': _('User %s not authorized to read group %s') % (actor, grp.id)}
    def test_get_group_object_with_id(self):
        """get_group_object resolves a group by id and memoises it in the context."""
        site_user = helpers.call_action("get_site_user")["name"]
        created = helpers.call_action("group_create",
                                      context={"user": site_user},
                                      name="test_group")
        ctx = {"model": core_model}
        fetched = logic_auth.get_group_object(ctx, {"id": created["id"]})

        # The returned object is the created group and is cached as context["group"].
        assert fetched.id == created["id"]
        assert ctx["group"] == fetched
def organization_delete(context, data_dict):
    """Allow deleting an organization when the site permits it and the user has 'delete' on it.

    The site-wide 'user_delete_organizations' config permission refuses
    everyone when off; the organization is looked up before that check.
    """
    org = get_group_object(context, data_dict)
    actor = context['user']
    if not authz.check_config_permission('user_delete_organizations'):
        return {'success': False,
            'msg': _('User %s not authorized to delete organizations') % actor}
    if authz.has_user_permission_for_group_or_org(org.id, actor, 'delete'):
        return {'success': True}
    return {'success': False, 'msg': _('User %s not authorized to delete organization %s') % (actor, org.id)}
def organization_delete(context, data_dict):
    """Allow deleting an organization when the site permits it and the user has 'delete' on it.

    The site-wide 'user_delete_organizations' config permission refuses
    everyone when off; the organization is looked up before that check.
    """
    org = get_group_object(context, data_dict)
    actor = context['user']
    if not new_authz.check_config_permission('user_delete_organizations'):
        return {'success': False,
            'msg': _('User %s not authorized to delete organizations') % actor}
    denied = {'success': False, 'msg': _('User %s not authorized to delete organization %s') % (actor, org.id)}
    if not new_authz.has_user_permission_for_group_or_org(org.id, actor, 'delete'):
        return denied
    return {'success': True}
def group_update(context, data_dict):
    """Editing a group requires the 'update' permission on that group."""
    grp = logic_auth.get_group_object(context, data_dict)
    actor = context['user']
    if authz.has_user_permission_for_group_or_org(grp.id, actor, 'update'):
        return {'success': True}
    return {
        'success': False,
        'msg': _('User %s not authorized to edit group %s') % (str(actor), grp.id),
    }
def group_change_state(context, data_dict):
    """Changing a group's state goes through the legacy check_access_old CHANGE_STATE action."""
    model = context["model"]
    actor = context["user"]
    grp = get_group_object(context, data_dict)

    if check_access_old(grp, model.Action.CHANGE_STATE, context):
        return {"success": True}
    return {
        "success": False,
        "msg": _("User %s not authorized to change state of group %s") % (str(actor), grp.id),
    }
def group_change_state(context, data_dict):
    """Changing a group's state is allowed exactly when 'group_update' would be."""
    actor = context["user"]
    grp = get_group_object(context, data_dict)

    # Delegate to the group_update auth function rather than duplicating it.
    denied = {
        "success": False,
        "msg": _("User %s not authorized to change state of group %s") % (str(actor), grp.id),
    }
    if not new_authz.is_authorized_boolean("group_update", context, data_dict):
        return denied
    return {"success": True}
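def group_show(context, data_dict):
    """ Group show permission checks the user group if the state is deleted

    Any group that is not deleted is visible to everyone (no user check).
    A deleted group is visible only to a resolvable user who shares an
    'organization' membership with the group itself.
    """
    model = context['model']
    user = context.get('user')
    group = get_group_object(context, data_dict)
    userobj = model.User.get( user )

    if group.state == 'deleted':
        # A user name that does not resolve is refused rather than raising
        # AttributeError on userobj (the original crashed on that path).
        if not user or not userobj or \
           not _groups_intersect( userobj.get_groups('organization'), group.get_groups('organization') ):
            return {'success': False, 'msg': _('User %s not authorized to show group %s') % (str(user),group.id)}

    return {'success': True}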
def group_edit_permissions(context, data_dict):
    """Editing a group's permissions goes through the legacy check_access_old EDIT_PERMISSIONS action."""
    model = context["model"]
    actor = context["user"]
    grp = get_group_object(context, data_dict)

    if check_access_old(grp, model.Action.EDIT_PERMISSIONS, context):
        return {"success": True}
    return {
        "success": False,
        "msg": _("User %s not authorized to edit permissions of group %s") % (str(actor), grp.id),
    }
def group_delete(context: Context, data_dict: DataDict) -> AuthResult:
    """Allow deleting a group when the site permits it and the user has 'delete' on the group.

    The site-wide 'user_delete_groups' config permission refuses everyone
    when off; the group is looked up before that check.
    """
    grp = get_group_object(context, data_dict)
    actor = context['user']
    if not authz.check_config_permission('user_delete_groups'):
        return {'success': False,
            'msg': _('User %s not authorized to delete groups') % actor}
    if authz.has_user_permission_for_group_or_org(grp.id, actor, 'delete'):
        return {'success': True}
    return {'success': False, 'msg': _(
        'User %s not authorized to delete group %s') % (actor, grp.id)}
def group_edit_permissions(context, data_dict):
    """Editing a group's permissions requires the 'update' permission on that group."""
    actor = context['user']
    grp = logic_auth.get_group_object(context, data_dict)

    if new_authz.has_user_permission_for_group_or_org(grp.id, actor, 'update'):
        return {'success': True}
    return {
        'success': False,
        'msg': _('User %s not authorized to edit permissions of group %s') % (str(actor), grp.id),
    }
def group_show(context, data_dict):
    """Allow reading a group.

    An active group is public unless the request asks for its member users
    (include_users, or object_type 'user') while the site has switched
    'ckan.auth.public_user_details' off; every other case needs the
    'read' permission on the group.
    """
    actor = context.get('user')
    grp = get_group_object(context, data_dict)
    if grp.state == 'active':
        details_public = asbool(config.get('ckan.auth.public_user_details', True))
        wants_users = (asbool(data_dict.get('include_users', False))
                       or data_dict.get('object_type', None) == 'user')
        if details_public or not wants_users:
            return {'success': True}
    if authz.has_user_permission_for_group_or_org(grp.id, actor, 'read'):
        return {'success': True}
    return {'success': False, 'msg': _('User %s not authorized to read group %s') % (actor, grp.id)}
def group_update(context, data_dict):
    """Editing a group requires 'update' on it and the 'ckan.gov_theme.is_back' config flag.

    A user who holds the permission is still refused (without a message)
    when the flag is off, confining edits to the back-office theme.
    """
    grp = logic_auth.get_group_object(context, data_dict)
    actor = context['user']
    if not authz.has_user_permission_for_group_or_org(grp.id, actor, 'update'):
        return {
            'success': False,
            'msg': _('User %s not authorized to edit group %s') % (str(actor), grp.id),
        }
    # Back-office gate: refusal here deliberately carries no message.
    if authz.config.get('ckan.gov_theme.is_back'):
        return {'success': True}
    return {'success': False}
def group_delete(context, data_dict):
    """Deleting a group requires the site permission, 'delete' on the group, and the back-office flag.

    'user_delete_groups' refuses everyone when off; a user with 'delete'
    is still refused (without a message) unless 'ckan.gov_theme.is_back'
    is set.
    """
    grp = get_group_object(context, data_dict)
    actor = context['user']
    if not authz.check_config_permission('user_delete_groups'):
        return {'success': False,
            'msg': _('User %s not authorized to delete groups') % actor}
    if not authz.has_user_permission_for_group_or_org(grp.id, actor, 'delete'):
        return {'success': False, 'msg': _('User %s not authorized to delete group %s') % (actor, grp.id)}
    # Back-office gate: refusal here deliberately carries no message.
    if authz.config.get('ckan.gov_theme.is_back'):
        return {'success': True}
    return {'success': False}
def group_update(context: Context, data_dict: DataDict) -> AuthResult:
    """Editing a group requires the 'update' permission on that group."""
    grp = logic_auth.get_group_object(context, data_dict)
    actor = context['user']
    denied = {
        'success': False,
        'msg': _('User %s not authorized to edit group %s') % (str(actor), grp.id),
    }
    if not authz.has_user_permission_for_group_or_org(grp.id, actor, 'update'):
        return denied
    return {'success': True}
def organization_update(context, data_dict):
    """ This overrides CKAN's auth function to make sure that user has permission to use a specific parent organization.

    Three checks, in order: admin membership in the selected parent
    organization, no change to the public-administration flag on a 'save'
    submission, and finally the regular 'update' permission on the
    organization itself.  ``model`` here is a module-level name, not
    ``context['model']``.
    """

    group = logic_auth.get_group_object(context, data_dict)
    user = context['user']

    # Check that user has admin permissions in selected parent organizations
    if data_dict and data_dict.get('groups'):

        # Active 'admin' memberships of the caller, keyed by user id
        # (allow_none=True: an unknown user name yields no memberships).
        admin_in_orgs = model.Session.query(model.Member).filter(model.Member.state == 'active').filter(model.Member.table_name == 'user') \
            .filter(model.Member.capacity == 'admin').filter(model.Member.table_id == authz.get_user_id_for_username(user, allow_none=True))

        # NOTE(review): the 'else' below belongs to the 'if', not the 'for',
        # so only the first entry of data_dict['groups'] is examined: admin
        # there -> break, otherwise refuse.  Confirm a single parent is the
        # intended contract.
        for parent_org in data_dict['groups']:
            if any(parent_org['name'] == admin_org.group.name
                   for admin_org in admin_in_orgs):
                break
            else:
                return {
                    'success':
                    False,
                    'msg':
                    _('User %s is not administrator in the selected parent organization'
                      ) % user
                }

    # A 'save' submission may not toggle the public-administration flag
    # through this path (the key is spelled 'adminstration' on both sides).
    if (data_dict and 'save' in data_dict
            and data_dict.get('public_adminstration_organization', None) !=
            group.extras.get('public_adminstration_organization', None)):
        return {
            'success':
            False,
            'msg':
            _('User %s is not allowed to change the public organization option'
              ) % user
        }

    authorized = authz.has_user_permission_for_group_or_org(
        group.id, user, 'update')
    if not authorized:
        return {
            'success':
            False,
            'msg':
            _('User %s not authorized to edit organization %s') %
            (user, group.id)
        }
    else:
        return {'success': True}
def group_change_state(context, data_dict):
    """Changing a group's state is allowed exactly when 'group_update' would be."""
    actor = context['user']
    grp = logic_auth.get_group_object(context, data_dict)

    # Delegate to the group_update auth function rather than duplicating it.
    if new_authz.is_authorized_boolean('group_update', context, data_dict):
        return {'success': True}
    return {
        'success': False,
        'msg': _('User %s not authorized to change state of group %s') % (str(actor), grp.id),
    }
def group_show(context, data_dict):
    """Check whether access to a group is authorised.

    Plain metadata of an *active* group is readable by anyone.  Requests that
    reach into the membership (``include_users`` set, or ``object_type`` of
    ``'user'``), and any request for a non-active group, require the
    ``update`` permission on the group.

    :param context: CKAN action context; ``context.get('user')`` is the
        acting user (may be absent for anonymous access).
    :param data_dict: parameters identifying the group plus the optional
        ``include_users`` / ``object_type`` keys.
    :returns: ``{'success': True}`` or ``{'success': False, 'msg': ...}``.
    """
    acting_user = context.get('user')
    target_group = logic_auth.get_group_object(context, data_dict)

    if target_group.state == 'active':
        wants_users = asbool(data_dict.get('include_users', False))
        wants_user_objects = data_dict.get('object_type', None) == 'user'
        if not (wants_users or wants_user_objects):
            return {'success': True}

    # Anything beyond public metadata is gated on the 'update' permission.
    if authz.has_user_permission_for_group_or_org(target_group.id,
                                                  acting_user, 'update'):
        return {'success': True}

    return {'success': False,
            'msg': _('User %s not authorized to read group %s') % (acting_user, target_group.id)}
def member_create(context, data_dict):
    """Authorise adding a member (user, dataset, ...) to a group or organisation.

    The default requirement is the ``update`` permission on the group.  For a
    plain group (not an organisation) adding a *dataset* only needs
    ``manage_group``, so that group members can add/remove datasets.

    :param context: CKAN action context; ``context['user']`` is the acting
        user name.
    :param data_dict: parameters identifying the group; ``object_type``
        selects the kind of member being added.
    :returns: ``{'success': True}`` or ``{'success': False, 'msg': ...}``.
    """
    target_group = logic_auth.get_group_object(context, data_dict)
    acting_user = context['user']

    adding_dataset_to_group = (
        not target_group.is_organization
        and data_dict.get('object_type') == 'package')
    # 'manage_group' only relaxes the rule for datasets in non-org groups;
    # organisations always require 'update'.
    needed = 'manage_group' if adding_dataset_to_group else 'update'

    if authz.has_user_permission_for_group_or_org(target_group.id,
                                                  acting_user, needed):
        return {'success': True}

    return {'success': False,
            'msg': _('User %s not authorized to edit group %s') %
                    (str(acting_user), target_group.id)}
def group_delete(context, data_dict):
    """Group delete permission.

    A user name must be supplied and resolve to a real user, and that user
    must be an admin of the group (checked via
    ``get_groups('organization', 'admin')``).  No sysadmin short-circuit is
    applied here.

    :param context: CKAN action context; ``context['model']`` is the model
        module and ``context['user']`` the acting user name.
    :param data_dict: parameters identifying the group.
    :returns: ``{'success': True}`` or ``{'success': False, 'msg': ...}``.
    """
    model = context['model']
    user = context['user']

    def _members_only():
        return {'success': False, 'msg': _('Only members of this group are authorized to delete this group')}

    if not user:
        return _members_only()

    group = get_group_object(context, data_dict)
    userobj = model.User.get(user)
    if not userobj:
        return _members_only()

    admin_orgs = userobj.get_groups('organization', 'admin')
    if _groups_intersect(admin_orgs, [group]):
        return {'success': True}

    return {'success': False, 'msg': _('User %s not authorized to delete group %s') % (str(user), group.id)}
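def package_update(context, data_dict):
    """Overrides CKAN auth function to support personal datasets setting in organizations.

    The stock ``package_update`` decision is taken first.  When it allows the
    update and the dataset belongs to an organization whose ``features``
    extra contains ``'personal_datasets'``, the update is additionally
    restricted to the dataset's creator.

    :param context: CKAN action context; ``context.get('user')`` names the
        acting user.
    :param data_dict: parameters identifying the dataset.
    :returns: the upstream auth result, or ``{'success': False, 'msg': ...}``
        when the organization policy blocks the change.
    """
    result = _auth_update.package_update(context, data_dict)
    if not result['success']:
        # Nothing to tighten: upstream already refused.
        return result

    user = logic_auth.get_user_object(context, {'id': context.get('user')})
    package = logic_auth.get_package_object(context, data_dict)

    # Showcases don't have organizations, and a dataset without an owner_org
    # has no organization policy to apply (the lookup below would otherwise
    # be asked for an org with id None).
    if package.type == "showcase" or not package.owner_org:
        return result

    org = logic_auth.get_group_object(context, {'id': package.owner_org})

    # NOTE(review): if 'features' is stored as a plain string rather than a
    # list, this `in` is a substring test -- confirm how the extra is stored.
    features = org.extras.get('features', [])
    # NOTE(review): the creator-only rule applies to everyone upstream allowed,
    # org admins included; presumably sysadmins are short-circuited before auth
    # functions run -- confirm.
    if 'personal_datasets' in features and package.creator_user_id != user.id:
        result = {
            'success': False,
            'msg': _('Cannot modify dataset because of organization policy')
        }

    return result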
文件: create.py 项目: arkka/ckan
def group_create(context, data_dict=None):
    """Group create permission.

    If a parent group is present in the context the user must be a member
    of it (``get_groups('organization')`` intersected with that group);
    otherwise creation is allowed, leaving any approval to other steps.
    Sysadmins are always allowed.

    :param context: CKAN action context; ``context['user']`` names the
        acting user and ``context['model']`` is the model module.  The
        parent group, if any, is resolved from the context by
        ``get_group_object``.
    :param data_dict: not consulted here; kept for the auth-function
        signature.
    :returns: ``{'success': True}`` or ``{'success': False, 'msg': ...}``.
    """
    model = context['model']
    user = context['user']

    if not user:
        return {
            'success': False,
            'msg': _('User is not authorized to create groups')
        }

    # Sysadmins may always create groups.
    if Authorizer.is_sysadmin(user):
        return {'success': True}

    try:
        # Creating inside another group: the user must belong to that group.
        parent_group = get_group_object(context)
    except logic.NotFound:
        # NotFound is treated as "no parent group" -> allowed for now.
        return {'success': True}

    def _denied():
        return {
            'success': False,
            'msg': _('User %s not authorized to create groups') % str(user)
        }

    userobj = model.User.get(user)
    if not userobj:
        return _denied()

    if _groups_intersect(userobj.get_groups('organization'), [parent_group]):
        return {'success': True}
    return _denied()
def dgu_group_update(context, data_dict):
    """Group edit permission for publisher groups.

    A user name must be supplied and resolve to a real user.  Sysadmins are
    always allowed; everyone else must hold the ``admin`` capacity in the
    group (looked up via ``get_groups('publisher', 'admin')``) -- plain
    membership is not sufficient.

    :param context: CKAN action context; ``context['model']`` is the model
        module and ``context.get('user', '')`` the acting user name.
    :param data_dict: parameters identifying the group.
    :returns: ``{'success': True}`` or ``{'success': False, 'msg': ...}``.
    """
    model = context['model']
    user = context.get('user', '')
    group = get_group_object(context, data_dict)

    if not user:
        return {
            'success': False,
            'msg': _('Only members of this group are authorized to edit this group')
        }

    # Sysadmins bypass the membership check.
    if Authorizer().is_sysadmin(unicode(user)):
        return {'success': True}

    user_obj = model.User.get(user)
    if not user_obj:
        return {
            'success': False,
            'msg': _('Could not find user %s') % str(user)
        }

    # Only admins of this group may update it.
    admin_groups = user_obj.get_groups('publisher', 'admin')
    if _groups_intersect(admin_groups, [group]):
        return {'success': True}

    return {
        'success': False,
        'msg': _('User %s not authorized to edit this group') % str(user)
    }