def restricted_resource_view_list(context, data_dict):
model = context['model']
id = _get_or_bust(data_dict, 'id')
resource = model.Resource.get(id)
if not resource:
raise NotFound
authorized = auth.restricted_resource_show(
context, {'id': resource.get('id'), 'resource': resource}).get('success', False)
if not authorized:
return []
else:
return resource_view_list(context, data_dict)
def _restricted_resource_list_url(context, resource_list):
restricted_resources_list = []
for resource in resource_list:
authorized = auth.restricted_resource_show(context, {
'id': resource.get('id'),
'resource': resource
}).get('success', False)
restricted_resource = dict(resource)
if not authorized:
restricted_resource['url'] = _('Not Authorized')
restricted_resources_list += [restricted_resource]
return restricted_resources_list
def _restricted_resource_list_hide_fields(context, resource_list):
restricted_resources_list = []
for resource in resource_list:
# copy original resource
restricted_resource = dict(resource)
# get the restricted fields
restricted_dict = logic.restricted_get_restricted_dict(
restricted_resource)
# hide field URL to unauthorized users
authorized = auth.restricted_resource_show(context, {
'id': resource.get('id'),
'resource': resource
}).get('success', False)
if not authorized:
restricted_resource['url'] = 'Not Authorized'
# hide other fields in restricted to everyone but dataset owner(s)
if not authz.is_authorized('package_update', context, {
'id': resource.get('package_id')
}).get('success'):
user_name = logic.restricted_get_username_from_context(context)
# hide partially other allowed user_names (keep own)
allowed_users = []
for user in restricted_dict.get("allowed_users"):
if len(user.strip()) > 0:
if user_name == user:
allowed_users += [user_name]
else:
allowed_users += [user[0:3] + '*****' + user[-2:]]
new_restricted = json.dumps({
"level":
restricted_dict.get("level"),
"allowed_users":
','.join(allowed_users)
})
extras_restricted = resource.get('extras',
{}).get('restricted', {})
if (extras_restricted):
restricted_resource['extras']['restricted'] = new_restricted
field_restricted_field = resource.get('restricted', {})
if (field_restricted_field):
restricted_resource['restricted'] = new_restricted
restricted_resources_list += [restricted_resource]
return restricted_resources_list
def _restricted_resource_list_hide_fields(context, resource_list):
restricted_resources_list = []
for resource in resource_list:
# copy original resource
restricted_resource = dict(resource)
# get the restricted fields
restricted_dict = logic.restricted_get_restricted_dict(
restricted_resource)
# hide fields to unauthorized users
authorized = auth.restricted_resource_show(
context, {'id': resource.get('id'), 'resource': resource}
).get('success', False)
# hide other fields in restricted to everyone but dataset owner(s)
if not authz.is_authorized(
'package_update', context, {'id': resource.get('package_id')}
).get('success'):
user_name = logic.restricted_get_username_from_context(context)
# hide partially other allowed user_names (keep own)
allowed_users = []
# convert to list if only 1 string
list_allowed_users = restricted_dict.get('allowed_users')
for user in list_allowed_users:
if len(user.strip()) > 0:
if user_name == user:
allowed_users.append(user_name)
else:
allowed_users.append(user[0:3] + '*****' + user[-2:])
# hide usernames from custom allowed users field
restricted_resource['allowed_users'] = allowed_users
new_restricted = json.dumps({
'level': restricted_dict.get("level"),
'allowed_users': ','.join(allowed_users)})
extras_restricted = resource.get(
'extras', {}).get('restricted', {})
if (extras_restricted):
restricted_resource['extras']['restricted'] = new_restricted
field_restricted_field = resource.get('restricted', {})
if (field_restricted_field):
restricted_resource['restricted'] = new_restricted
restricted_resources_list += [restricted_resource]
return restricted_resources_list
def restricted_resource_view_list(context, data_dict):
package = data_dict.get('package')
logger.warning('restricted_resource_view_list was called. Package: %s' %
package)
model = context['model']
id = _get_or_bust(data_dict, 'id')
resource = model.Resource.get(id)
if not resource:
raise NotFound
authorized = auth.restricted_resource_show(context, {
'id': resource.get('id'),
'resource': resource
}).get('success', False)
if not authorized:
return []
else:
return resource_view_list(context, data_dict)
def _restricted_resource_list_hide_fields(context,
resource_list,
package=None):
restricted_resources_list = []
# username = context.get('user')
user_name = logic.restricted_get_username_from_context(context)
# If first resource does not pass auth, treat all other resources the same.
for i, resource in enumerate(resource_list):
# copy original resource
restricted_resource = dict(resource)
# get the restricted fields
restricted_dict = logic.restricted_get_restricted_dict(
restricted_resource)
logger.debug('restricted_resource: %s' % restricted_resource)
logger.debug('restricted_dict: %s' % restricted_dict)
restricted_field = restricted_resource.get('restricted')
logger.debug('User: %s, Restricted: %s' %
(user_name, restricted_field))
if i == 0:
# We only need to check if the user is authorized for the first resource
# This function calls model.Package.get() which is redundant,
# we already have the package in the code that calls this.
authorized = auth.restricted_resource_show(context, {
'id': resource.get('id'),
'resource': resource,
'package': package
}).get('success', False)
if authorized:
# If user is authorized, nothing to hide, immediately return original resource list
return resource_list
else:
# If user is NOT authorized, continue from here and hide sensitive info in ALL resources
logger.warning('User %s: Not authorized for ALL resources' %
user_name)
# If we get to this point, user is not authorized for ALL resources in the dataset
logger.debug('Not authorized for resource: %s' % resource.get('title'))
# Hide contents of sensitive fields
sensitive = [
'locale', 'attribute', 'layer_description',
'change_description_resource', 'map_preview_link', 'layer_name',
'disclaimer_url', 'filepath', 'spatial', 'attr_data',
'description', 'bbox', 'spatial_type', 'projection_wkt', 'url'
]
for s in sensitive:
if s in restricted_resource:
restricted_resource[s] = ''
# This is not needed, I don't think we care about hiding the list of users who have access
# if not authz.is_authorized(
# 'package_update', context, {'id': resource.get('package_id')}
# ).get('success'):
#
# # hide partially other allowed user_names (keep own)
# allowed_users = []
# for user in restricted_dict.get('allowed_users'):
# if len(user.strip()) > 0:
# if user_name == user:
# allowed_users.append(user_name)
# else:
# allowed_users.append(user[0:3] + '*****' + user[-2:])
#
# new_restricted = json.dumps({
# 'level': restricted_dict.get("level"),
# 'allowed_users': ','.join(allowed_users)})
#
# # Resource extras may be stored in an 'extras' subdict, or at the root
# # level of the resource dict. This block handles both cases.
# extras_restricted = resource.get('extras', {}).get('restricted', {})
# if (extras_restricted):
# restricted_resource['extras']['restricted'] = new_restricted
#
# field_restricted_field = resource.get('restricted', {})
# if (field_restricted_field):
# restricted_resource['restricted'] = new_restricted
restricted_resources_list += [restricted_resource]
return restricted_resources_list