[ckan-changes] commit/ckan: 4 new changesets
Bitbucket
commits-noreply at bitbucket.org
Wed Aug 10 12:34:10 UTC 2011
4 new changesets in ckan:
http://bitbucket.org/okfn/ckan/changeset/d002796882fe/
changeset: d002796882fe
branch: feature-1253-authz-refactor
user: amercader
date: 2011-08-09 11:40:05
summary: [auth] Rename check_access functions. check_access is now the supported call
affected #: 9 files (621 bytes)
--- a/ckan/logic/__init__.py Mon Aug 08 18:23:29 2011 +0100
+++ b/ckan/logic/__init__.py Tue Aug 09 10:40:05 2011 +0100
@@ -88,7 +88,7 @@
flattented = flatten_dict(dict)
return untuplize_dict(flattented)
-def check_access_new(action, context, data_dict=None):
+def check_access(action, context, data_dict=None):
model = context['model']
user = context.get('user')
@@ -103,19 +103,16 @@
if not logic_authorization['success']:
msg = logic_authorization.get('msg','')
raise NotAuthorized(msg)
- #TODO: Is this really necessary?
elif not user:
msg = _('No valid API key provided.')
log.debug(msg)
raise NotAuthorized(msg)
- #return AttributeDict(success=False, msg='No valid API key provided.')
log.debug('Access OK.')
return True
- #return AttributeDict(success=True)
-def check_access(entity, action, context):
+def check_access_old(entity, action, context):
model = context['model']
user = context.get('user')
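Review bot: The `elif not user:` branch on the new side denies any caller with an empty or missing user even when the auth function for `action` has already returned success, so check_access is not a plain delegate to the auth function; since later commits in this series route read-only actions such as site_read and package_show through it, this contract belongs in a docstring, e.g. `'''Raise NotAuthorized unless the auth function for ``action`` succeeds and context['user'] is non-empty; data_dict is passed through to the auth function unchanged.'''`. The message `No valid API key provided.` is now also raised for web-UI callers where no API key is involved, so a neutral wording would be less misleading in logs. check_access starts in the previous hunk and check_access_old continues past this one.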
--- a/ckan/logic/action/create.py Mon Aug 08 18:23:29 2011 +0100
+++ b/ckan/logic/action/create.py Tue Aug 09 10:40:05 2011 +0100
@@ -5,8 +5,7 @@
IGroupController,
IPackageController)
from ckan.logic import NotFound, ValidationError
-# check_access will be renamed to check_access_old
-from ckan.logic import check_access_new, check_access
+from ckan.logic import check_access
from ckan.lib.base import _
from ckan.lib.dictization.model_dictize import (package_to_api1,
package_to_api2,
@@ -42,7 +41,7 @@
model.Session.remove()
model.Session()._context = context
- check_access_new('package_create',context,data_dict)
+ check_access('package_create',context,data_dict)
data, errors = validate(data_dict, schema, context)
@@ -87,7 +86,7 @@
model.Session.remove()
model.Session()._context = context
- check_access_new('package_create',context,data_dict)
+ check_access('package_create',context,data_dict)
data, errors = validate(data_dict, schema, context)
@@ -125,7 +124,7 @@
if not pkg2:
return NotFound('Second package named in address was not found.')
- check_access_new('package_relationship_create', context, data_dict)
+ check_access('package_relationship_create', context, data_dict)
##FIXME should have schema
comment = data_dict.get('comment', u'')
@@ -147,7 +146,7 @@
user = context['user']
schema = context.get('schema') or default_group_schema()
- check_access_new('group_create',context,data_dict)
+ check_access('group_create',context,data_dict)
data, errors = validate(data_dict, schema, context)
@@ -219,7 +218,7 @@
user = context['user']
schema = context.get('schema') or default_user_schema()
- check_access_new('user_create', context, data_dict)
+ check_access('user_create', context, data_dict)
data, errors = validate(data_dict, schema, context)
@@ -249,7 +248,7 @@
api = context.get('api_version') or '1'
- check_access_new('package_create_rest', context, data_dict)
+ check_access('package_create_rest', context, data_dict)
dictized_package = package_api_to_dict(data_dict, context)
dictized_after = package_create(context, dictized_package)
@@ -269,7 +268,7 @@
api = context.get('api_version') or '1'
- check_access_new('group_create_rest', context, data_dict)
+ check_access('group_create_rest', context, data_dict)
dictized_group = group_api_to_dict(data_dict, context)
dictized_after = group_create(context, dictized_group)
--- a/ckan/logic/action/delete.py Mon Aug 08 18:23:29 2011 +0100
+++ b/ckan/logic/action/delete.py Tue Aug 09 10:40:05 2011 +0100
@@ -1,7 +1,6 @@
from ckan.logic import NotFound
from ckan.lib.base import _
-# check_access will be renamed to check_access_old
-from ckan.logic import check_access_new, check_access
+from ckan.logic import check_access
from ckan.plugins import PluginImplementations, IGroupController, IPackageController
@@ -17,7 +16,7 @@
if entity is None:
raise NotFound
- check_access_new('package_delete',context, data_dict)
+ check_access('package_delete',context, data_dict)
rev = model.repo.new_revision()
rev.author = user
@@ -44,7 +43,7 @@
if not pkg2:
return NotFound('Second package named in address was not found.')
- check_access_new('package_relationship_delete', context, data_dict)
+ check_access('package_relationship_delete', context, data_dict)
existing_rels = pkg1.get_relationships_with(pkg2, rel)
if not existing_rels:
@@ -54,7 +53,7 @@
revisioned_details = 'Package Relationship: %s %s %s' % (id, rel, id2)
context['relationship'] = relationship
- check_access_new('relationship_delete', context, data_dict)
+ check_access('relationship_delete', context, data_dict)
rev = model.repo.new_revision()
rev.author = user
@@ -76,7 +75,7 @@
revisioned_details = 'Group: %s' % group.name
- check_access_new('group_delete', context, data_dict)
+ check_access('group_delete', context, data_dict)
rev = model.repo.new_revision()
rev.author = user
--- a/ckan/logic/action/get.py Mon Aug 08 18:23:29 2011 +0100
+++ b/ckan/logic/action/get.py Tue Aug 09 10:40:05 2011 +0100
@@ -2,7 +2,7 @@
from sqlalchemy import or_, and_, func, desc
from ckan.logic import NotFound
-from ckan.logic import check_access_new, check_access
+from ckan.logic import check_access
from ckan.plugins import (PluginImplementations,
IGroupController,
IPackageController)
@@ -31,7 +31,7 @@
api = context.get("api_version", '1')
ref_package_by = 'id' if api == '2' else 'name'
- check_access_new('package_list', context, data_dict)
+ check_access('package_list', context, data_dict)
query = model.Session.query(model.PackageRevision)
query = query.filter(model.PackageRevision.state=='active')
@@ -45,7 +45,7 @@
user = context["user"]
limit = data_dict.get("limit")
- check_access_new('current_package_list_with_resources', context, data_dict)
+ check_access('current_package_list_with_resources', context, data_dict)
query = model.Session.query(model.PackageRevision)
query = query.filter(model.PackageRevision.state=='active')
@@ -82,7 +82,7 @@
model = context['model']
- check_access_new('revision_list', context, data_dict)
+ check_access('revision_list', context, data_dict)
revs = model.Session.query(model.Revision).all()
return [rev.id for rev in revs]
@@ -94,7 +94,7 @@
if pkg is None:
raise NotFound
- check_access_new('package_revision_list',context, data_dict)
+ check_access('package_revision_list',context, data_dict)
revision_dicts = []
for revision, object_revisions in pkg.all_related_revisions:
@@ -113,7 +113,7 @@
all_fields = data_dict.get('all_fields',None)
- check_access_new('group_list',context, data_dict)
+ check_access('group_list',context, data_dict)
# We need Groups for group_list_dictize
query = model.Session.query(model.Group).join(model.GroupRevision)
@@ -136,7 +136,7 @@
model = context['model']
user = context['user']
- check_access_new('group_list_authz',context, data_dict)
+ check_access('group_list_authz',context, data_dict)
query = model.Session.query(model.GroupRevision)
query = query.filter(model.GroupRevision.state=='active')
@@ -150,7 +150,7 @@
user = context['user']
pkg = context.get('package')
- check_access_new('group_list_available',context, data_dict)
+ check_access('group_list_available',context, data_dict)
query = model.Session.query(model.GroupRevision)
query = query.filter(model.GroupRevision.state=='active')
@@ -170,7 +170,7 @@
if group is None:
raise NotFound
- check_access_new('group_revision_list',context, data_dict)
+ check_access('group_revision_list',context, data_dict)
revision_dicts = []
for revision, object_revisions in group.all_related_revisions:
@@ -182,7 +182,7 @@
def licence_list(context, data_dict):
model = context["model"]
- check_access_new('licence_list',context, data_dict)
+ check_access('licence_list',context, data_dict)
license_register = model.Package.get_license_register()
licenses = license_register.values()
@@ -197,7 +197,7 @@
all_fields = data_dict.get('all_fields',None)
- check_access_new('tag_list',context, data_dict)
+ check_access('tag_list',context, data_dict)
q = data_dict.get('q','')
if q:
@@ -230,7 +230,7 @@
model = context['model']
user = context['user']
- check_access_new('user_list',context, data_dict)
+ check_access('user_list',context, data_dict)
q = data_dict.get('q','')
order_by = data_dict.get('order_by','name')
@@ -282,7 +282,7 @@
if rel == 'relationships':
rel = None
- check_access_new('package_relationships_list',context, data_dict)
+ check_access('package_relationships_list',context, data_dict)
# TODO: How to handle this object level authz?
relationships = Authorizer().\
@@ -311,7 +311,7 @@
if pkg is None:
raise NotFound
- check_access_new('package_show',context, data_dict)
+ check_access('package_show',context, data_dict)
package_dict = package_dictize(pkg, context)
@@ -348,7 +348,7 @@
if group is None:
raise NotFound
- check_access_new('group_show',context, data_dict)
+ check_access('group_show',context, data_dict)
group_dict = group_dictize(group, context)
@@ -371,7 +371,7 @@
if tag is None:
raise NotFound
- check_access_new('tag_show',context, data_dict)
+ check_access('tag_show',context, data_dict)
tag_dict = tag_dictize(tag,context)
extended_packages = []
@@ -399,7 +399,7 @@
else:
raise NotFound
- check_access_new('user_show',context, data_dict)
+ check_access('user_show',context, data_dict)
user_dict = user_dictize(user_obj,context)
@@ -423,7 +423,7 @@
def package_show_rest(context, data_dict):
- check_access_new('package_show_rest',context, data_dict)
+ check_access('package_show_rest',context, data_dict)
package_show(context, data_dict)
@@ -439,7 +439,7 @@
def group_show_rest(context, data_dict):
- check_access_new('group_show_rest',context, data_dict)
+ check_access('group_show_rest',context, data_dict)
group_show(context, data_dict)
api = context.get('api_version') or '1'
@@ -454,7 +454,7 @@
def tag_show_rest(context, data_dict):
- check_access_new('tag_show_rest',context, data_dict)
+ check_access('tag_show_rest',context, data_dict)
tag_show(context, data_dict)
api = context.get('api_version') or '1'
@@ -477,7 +477,7 @@
like_q = u"%s%%" % q
- check_access_new('package_autocomplete', context, data_dict)
+ check_access('package_autocomplete', context, data_dict)
query = model.Session.query(model.PackageRevision)
query = query.filter(model.PackageRevision.state=='active')
@@ -500,7 +500,7 @@
session = context['session']
user = context['user']
- check_access_new('tag_autocomplete', context, data_dict)
+ check_access('tag_autocomplete', context, data_dict)
q = data_dict.get('q',None)
if not q:
@@ -524,7 +524,7 @@
session = context['session']
user = context['user']
- check_access_new('format_autocomplete', context, data_dict)
+ check_access('format_autocomplete', context, data_dict)
q = data_dict.get('q', None)
if not q:
@@ -555,7 +555,7 @@
if not q:
return []
- check_access_new('user_autocomplete', context, data_dict)
+ check_access('user_autocomplete', context, data_dict)
limit = data_dict.get('limit',20)
@@ -576,7 +576,7 @@
session = context['session']
user = context['user']
- check_access_new('package_search', context, data_dict)
+ check_access('package_search', context, data_dict)
q=data_dict.get('q','')
fields=data_dict.get('fields',[])
--- a/ckan/logic/action/update.py Mon Aug 08 18:23:29 2011 +0100
+++ b/ckan/logic/action/update.py Tue Aug 09 10:40:05 2011 +0100
@@ -4,8 +4,7 @@
from ckan.plugins import PluginImplementations, IGroupController, IPackageController
from ckan.logic import NotFound, ValidationError
-# check_access will be renamed to check_access_old
-from ckan.logic import check_access_new, check_access
+from ckan.logic import check_access
from ckan.lib.base import _
from vdm.sqlalchemy.base import SQLAlchemySession
@@ -111,7 +110,7 @@
id = data_dict["id"]
pkg = model.Package.get(id)
- check_access_new('make_latest_pending_package_active', context, data_dict)
+ check_access('make_latest_pending_package_active', context, data_dict)
#packages
q = session.query(model.PackageRevision).filter_by(id=pkg.id)
@@ -169,7 +168,7 @@
if not pkg:
raise NotFound(_('No package found for this resource, cannot check auth.'))
- check_access_new('package_update', context, data_dict)
+ check_access('package_update', context, data_dict)
data, errors = validate(data_dict, schema, context)
@@ -206,7 +205,7 @@
raise NotFound(_('Package was not found.'))
data_dict["id"] = pkg.id
- check_access_new('package_update', context, data_dict)
+ check_access('package_update', context, data_dict)
data, errors = validate(data_dict, schema, context)
@@ -249,7 +248,7 @@
raise NotFound(_('Package was not found.'))
data_dict["id"] = pkg.id
- check_access_new('package_update', context, data_dict)
+ check_access('package_update', context, data_dict)
data, errors = validate(data_dict, schema, context)
@@ -293,7 +292,7 @@
if not pkg2:
return NotFound('Second package named in address was not found.')
- check_access_new('package_relationship_update', context, data_dict)
+ check_access('package_relationship_update', context, data_dict)
existing_rels = pkg1.get_relationships_with(pkg2, rel)
if not existing_rels:
@@ -314,7 +313,7 @@
if group is None:
raise NotFound('Group was not found.')
- check_access_new('group_update', context, data_dict)
+ check_access('group_update', context, data_dict)
data, errors = validate(data_dict, schema, context)
if errors:
@@ -354,7 +353,7 @@
if user_obj is None:
raise NotFound('User was not found.')
- check_access_new('user_update', context, data_dict)
+ check_access('user_update', context, data_dict)
data, errors = validate(data_dict, schema, context)
if errors:
@@ -402,7 +401,7 @@
context["allow_partial_update"] = True
dictized_package = package_api_to_dict(data_dict, context)
- check_access_new('package_update_rest', context, dictized_package)
+ check_access('package_update_rest', context, dictized_package)
dictized_after = package_update(context, dictized_package)
@@ -426,7 +425,7 @@
context["allow_partial_update"] = True
dictized_group = group_api_to_dict(data_dict, context)
- check_access_new('group_update_rest', context, dictized_group)
+ check_access('group_update_rest', context, dictized_group)
dictized_after = group_update(context, dictized_group)
--- a/ckan/logic/auth/create.py Mon Aug 08 18:23:29 2011 +0100
+++ b/ckan/logic/auth/create.py Tue Aug 09 10:40:05 2011 +0100
@@ -1,5 +1,4 @@
-#This will be check_access_old
-from ckan.logic import check_access
+from ckan.logic import check_access_old
from ckan.authz import Authorizer
from ckan.lib.base import _
@@ -8,7 +7,7 @@
model = context['model']
user = context['user']
- check1 = check_access(model.System(), model.Action.PACKAGE_CREATE, context)
+ check1 = check_access_old(model.System(), model.Action.PACKAGE_CREATE, context)
if not check1:
return {'success': False, 'msg': _('User %s not authorized to create packages') % str(user)}
else:
@@ -43,7 +42,7 @@
model = context['model']
user = context['user']
- authorized = check_access(model.System(), model.Action.GROUP_CREATE, context)
+ authorized = check_access_old(model.System(), model.Action.GROUP_CREATE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to create groups') % str(user)}
else:
@@ -57,7 +56,7 @@
model = context['model']
user = context['user']
- authorized = check_access(model.System(), model.Action.USER_CREATE, context)
+ authorized = check_access_old(model.System(), model.Action.USER_CREATE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to create users') % str(user)}
else:
@@ -86,7 +85,7 @@
groups = groups - set(pkg.groups)
for group in groups:
- if not check_access(group, model.Action.EDIT, context):
+ if not check_access_old(group, model.Action.EDIT, context):
return False
return True
--- a/ckan/logic/auth/delete.py Mon Aug 08 18:23:29 2011 +0100
+++ b/ckan/logic/auth/delete.py Tue Aug 09 10:40:05 2011 +0100
@@ -1,5 +1,4 @@
-#This will be check_access_old
-from ckan.logic import check_access
+from ckan.logic import check_access_old
from ckan.logic.auth.create import package_relationship_create
from ckan.authz import Authorizer
from ckan.lib.base import _
@@ -16,7 +15,7 @@
package = context['package']
#TODO: model.Action.CHANGE_STATE or model.Action.PURGE?
- authorized = check_access(package, model.Action.PURGE, context)
+ authorized = check_access_old(package, model.Action.PURGE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to delete package %s') % (str(user),package.id)}
else:
@@ -30,7 +29,7 @@
user = context['user']
relationship = context['relationship']
- authorized = check_access(relationship, model.Action.PURGE, context)
+ authorized = check_access_old(relationship, model.Action.PURGE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to delete relationship %s') % (str(user),relationship.id)}
else:
@@ -47,7 +46,7 @@
else:
group = context['group']
- authorized = check_access(group, model.Action.PURGE, context)
+ authorized = check_access_old(group, model.Action.PURGE, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to delete group %s') % (str(user),group.id)}
else:
--- a/ckan/logic/auth/get.py Mon Aug 08 18:23:29 2011 +0100
+++ b/ckan/logic/auth/get.py Tue Aug 09 10:40:05 2011 +0100
@@ -1,5 +1,4 @@
-#This will be check_access_old
-from ckan.logic import check_access, NotFound
+from ckan.logic import check_access_old, NotFound
from ckan.authz import Authorizer
from ckan.lib.base import _
@@ -91,7 +90,7 @@
else:
package = context['package']
- authorized = check_access(package, model.Action.READ, context)
+ authorized = check_access_old(package, model.Action.READ, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)}
else:
@@ -112,7 +111,7 @@
else:
group = context['group']
- authorized = check_access(group, model.Action.READ, context)
+ authorized = check_access_old(group, model.Action.READ, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to read group %s') % (str(user),group.id)}
else:
--- a/ckan/logic/auth/update.py Mon Aug 08 18:23:29 2011 +0100
+++ b/ckan/logic/auth/update.py Tue Aug 09 10:40:05 2011 +0100
@@ -1,5 +1,4 @@
-#This will be check_access_old
-from ckan.logic import check_access
+from ckan.logic import check_access_old
from ckan.logic.auth.create import check_group_auth, package_relationship_create
from ckan.authz import Authorizer
from ckan.lib.base import _
@@ -13,7 +12,7 @@
id = data_dict['id']
pkg = model.Package.get(id)
- check1 = check_access(pkg, model.Action.EDIT, context)
+ check1 = check_access_old(pkg, model.Action.EDIT, context)
if not check1:
return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), pkg.id)}
else:
@@ -32,7 +31,7 @@
group = model.Group.get(id)
user = context['user']
- authorized = check_access(group, model.Action.EDIT, context)
+ authorized = check_access_old(group, model.Action.EDIT, context)
if not authorized:
return {'success': False, 'msg': _('User %s not authorized to edit group %s') % (str(user),id)}
else:
http://bitbucket.org/okfn/ckan/changeset/95430b981bfb/
changeset: 95430b981bfb
branch: feature-1253-authz-refactor
user: amercader
date: 2011-08-09 12:34:43
summary: [tests] Fix package autocomplete test
affected #: 1 file (338 bytes)
--- a/ckan/tests/functional/test_package.py Tue Aug 09 10:40:05 2011 +0100
+++ b/ckan/tests/functional/test_package.py Tue Aug 09 11:34:43 2011 +0100
@@ -1653,7 +1653,21 @@
anna_hash = str(PackageController._pkg_cache_key(self.anna))
self.assert_equal(res.header_dict['ETag'], anna_hash)
+class TestAutocomplete(PylonsTestCase, TestPackageBase):
+ @classmethod
+ def setup_class(cls):
+ PylonsTestCase.setup_class()
+ CreateTestData.create()
+
+ @classmethod
+ def teardown_class(cls):
+ model.repo.rebuild_db()
+
def test_package_autocomplete(self):
query = 'a'
res = self.app.get('/package/autocomplete?q=%s' % query)
- assert res.body == "annakarenina|annakarenina\nA Wonderful Story (warandpeace)|warandpeace"
+
+ expected = ['A Wonderful Story (warandpeace)|warandpeace','annakarenina|annakarenina']
+ received = sorted(res.body.split('\n'))
+ assert expected == received
+
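Review bot: `res.body.split('\n')` on the new side keeps a trailing empty element if the body ends with a newline, which sorts first and makes `expected == received` false for an otherwise correct response; `received = sorted(res.body.splitlines())` is robust to that. Because `class TestAutocomplete` is inserted at column 0 ahead of `test_package_autocomplete`, that method now belongs to the new class rather than the one holding the ETag assertions above — presumably intended, but any further test methods below the hunk move with it. The new class continues past the end of the hunk.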
http://bitbucket.org/okfn/ckan/changeset/6c072ac0d9ab/
changeset: 6c072ac0d9ab
branch: feature-1253-authz-refactor
user: amercader
date: 2011-08-09 14:55:05
summary: [auth] Refactor site_read checks
affected #: 10 files (900 bytes)
--- a/ckan/controllers/api.py Tue Aug 09 11:34:43 2011 +0100
+++ b/ckan/controllers/api.py Tue Aug 09 13:55:05 2011 +0100
@@ -35,7 +35,10 @@
def __call__(self, environ, start_response):
self._identify_user()
- if not self.authorizer.am_authorized(c, model.Action.SITE_READ, model.System):
+ try:
+ context = {'model':model,'user': c.user or c.author}
+ get.site_read(context)
+ except NotAuthorized:
response_msg = self._finish(403, _('Not authorized to see this page'))
# Call start_response manually instead of the parent __call__
# because we want to end the request instead of continuing.
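Review bot: The new `except NotAuthorized:` and `get.site_read(context)` lines rely on `NotAuthorized` and `get` being in scope, but unlike the authorization_group.py, home.py and revision.py sections this file section shows no import hunk for them; if they are not already imported, the first unauthorized request raises NameError while the except clause is evaluated, so the intended 403 becomes a 500. The same applies to the group.py, package.py and tag.py sections of this changeset. If an existing import already covers them, saying so in the commit message would save the next reader the check. `__call__` continues in the next hunk.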
@@ -43,10 +46,10 @@
body = '%i %s' % (response.status_int, response_msg)
start_response(body, response.headers.items())
return [response_msg]
- else:
- # avoid status_code_redirect intercepting error responses
- environ['pylons.status_code_redirect'] = True
- return BaseController.__call__(self, environ, start_response)
+
+ # avoid status_code_redirect intercepting error responses
+ environ['pylons.status_code_redirect'] = True
+ return BaseController.__call__(self, environ, start_response)
def _finish(self, status_int, response_data=None,
content_type='text'):
--- a/ckan/controllers/authorization_group.py Tue Aug 09 11:34:43 2011 +0100
+++ b/ckan/controllers/authorization_group.py Tue Aug 09 13:55:05 2011 +0100
@@ -6,6 +6,8 @@
import ckan.authz as authz
import ckan.forms
from ckan.lib.helpers import Page
+from ckan.logic import NotAuthorized
+import ckan.logic.action.get as get
class AuthorizationGroupController(BaseController):
@@ -14,8 +16,10 @@
def index(self):
from ckan.lib.helpers import Page
-
- if not self.authorizer.am_authorized(c, model.Action.SITE_READ, model.System):
+ try:
+ context = {'model':model,'user': c.user or c.author}
+ get.site_read(context)
+ except NotAuthorized:
abort(401, _('Not authorized to see this page'))
query = ckan.authz.Authorizer().authorized_query(c.user, model.AuthorizationGroup)
--- a/ckan/controllers/group.py Tue Aug 09 11:34:43 2011 +0100
+++ b/ckan/controllers/group.py Tue Aug 09 13:55:05 2011 +0100
@@ -42,8 +42,10 @@
## end hooks
def index(self):
-
- if not self.authorizer.am_authorized(c, model.Action.SITE_READ, model.System):
+ try:
+ context = {'model':model,'user': c.user or c.author}
+ get.site_read(context)
+ except NotAuthorized:
abort(401, _('Not authorized to see this page'))
context = {'model': model, 'session': model.Session,
--- a/ckan/controllers/home.py Tue Aug 09 11:34:43 2011 +0100
+++ b/ckan/controllers/home.py Tue Aug 09 13:55:05 2011 +0100
@@ -5,7 +5,8 @@
from genshi.template import NewTextTemplate
from ckan.authz import Authorizer
-from ckan.logic.action.get import current_package_list_with_resources
+import ckan.logic.action.get as get
+from ckan.logic import NotAuthorized
from ckan.i18n import set_session_locale
from ckan.lib.search import query_for, QueryOptions, SearchError
from ckan.lib.cache import proxy_cache, get_cache_expires
@@ -20,7 +21,10 @@
def __before__(self, action, **env):
BaseController.__before__(self, action, **env)
- if not self.authorizer.am_authorized(c, model.Action.SITE_READ, model.System):
+ try:
+ context = {'model':model,'user': c.user or c.author}
+ get.site_read(context)
+ except NotAuthorized:
abort(401, _('Not authorized to see this page'))
@staticmethod
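Review bot: The three-line block `context = {'model':model,'user': c.user or c.author}` / `get.site_read(context)` / `except NotAuthorized:` is repeated verbatim in seven controllers in this changeset (api, authorization_group, group, home, package, revision, tag); a single `_check_site_read()` on BaseController that does the try/abort would keep the site-read policy in one place. The `c.user or c.author` fallback is also worth a comment: check_access raises NotAuthorized for an empty user even when the auth function succeeds, so anonymous visitors presumably depend on c.author being non-empty for them — `# anonymous requests: c.author stands in for the user so check_access does not reject an empty user` would record that assumption.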
@@ -48,7 +52,7 @@
c.facets = query.facets
c.fields = []
c.package_count = query.count
- c.latest_packages = current_package_list_with_resources({'model': model,
+ c.latest_packages = get.current_package_list_with_resources({'model': model,
'user': c.user},
{'limit': 5})
return render('home/index.html', cache_key=cache_key,
--- a/ckan/controllers/package.py Tue Aug 09 11:34:43 2011 +0100
+++ b/ckan/controllers/package.py Tue Aug 09 13:55:05 2011 +0100
@@ -15,7 +15,7 @@
import ckan.logic.action.create as create
import ckan.logic.action.update as update
import ckan.logic.action.get as get
-from ckan.logic import get_action
+from ckan.logic import get_action, check_access
from ckan.logic.schema import package_form_schema
from ckan.lib.base import request, c, BaseController, model, abort, h, g, render
from ckan.lib.base import etag_cache, response, redirect, gettext
@@ -95,8 +95,11 @@
authorizer = ckan.authz.Authorizer()
extensions = PluginImplementations(IPackageController)
- def search(self):
- if not self.authorizer.am_authorized(c, model.Action.SITE_READ, model.System):
+ def search(self):
+ try:
+ context = {'model':model,'user': c.user or c.author}
+ get.site_read(context)
+ except NotAuthorized:
abort(401, _('Not authorized to see this page'))
q = c.q = request.params.get('q') # unicode format (decoded from utf8)
c.open_only = request.params.get('open_only')
--- a/ckan/controllers/revision.py Tue Aug 09 11:34:43 2011 +0100
+++ b/ckan/controllers/revision.py Tue Aug 09 13:55:05 2011 +0100
@@ -3,6 +3,9 @@
from pylons.i18n import get_lang
+from ckan.logic import NotAuthorized
+import ckan.logic.action.get as get
+
from ckan.lib.base import *
from ckan.lib.helpers import Page
import ckan.authz
@@ -18,7 +21,10 @@
self.authorizer.is_authorized(c.user, model.Action.CHANGE_STATE,
model.Revision)
)
- if not self.authorizer.am_authorized(c, model.Action.SITE_READ, model.System):
+ try:
+ context = {'model':model,'user': c.user or c.author}
+ get.site_read(context)
+ except NotAuthorized:
abort(401, _('Not authorized to see this page'))
def index(self):
--- a/ckan/controllers/tag.py Tue Aug 09 11:34:43 2011 +0100
+++ b/ckan/controllers/tag.py Tue Aug 09 13:55:05 2011 +0100
@@ -16,7 +16,10 @@
def __before__(self, action, **env):
BaseController.__before__(self, action, **env)
- if not self.authorizer.am_authorized(c, model.Action.SITE_READ, model.System):
+ try:
+ context = {'model':model,'user': c.user or c.author}
+ get.site_read(context)
+ except NotAuthorized:
abort(401, _('Not authorized to see this page'))
def index(self):
--- a/ckan/logic/action/get.py Tue Aug 09 11:34:43 2011 +0100
+++ b/ckan/logic/action/get.py Tue Aug 09 13:55:05 2011 +0100
@@ -23,6 +23,10 @@
tag_to_api2)
from ckan.lib.search import query_for
+def site_read(context,data_dict=None):
+ check_access('site_read',context,data_dict)
+ return True
+
def package_list(context, data_dict):
'''Lists packages by name or id'''
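Review bot: `site_read` is the only action in this hunk without a docstring, while `package_list` directly below documents itself; as it is the gate every controller in this changeset now calls, a one-liner such as `'''Raise NotAuthorized unless the current user may read the site; returns True otherwise.'''` makes the contract explicit. Its return value is only ever True, and all callers in this changeset rely on the exception rather than the result, which the docstring should say so nobody later tests the boolean.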
--- a/ckan/logic/auth/create.py Tue Aug 09 11:34:43 2011 +0100
+++ b/ckan/logic/auth/create.py Tue Aug 09 13:55:05 2011 +0100
@@ -11,6 +11,7 @@
if not check1:
return {'success': False, 'msg': _('User %s not authorized to create packages') % str(user)}
else:
+
check2 = check_group_auth(context,data_dict)
if not check2:
return {'success': False, 'msg': _('User %s not authorized to edit these groups') % str(user)}
@@ -63,6 +64,9 @@
return {'success': True}
def check_group_auth(context, data_dict):
+ if not data_dict:
+ return True
+
model = context['model']
pkg = context.get("package")
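Review bot: The early `return True` when `data_dict` is falsy is a security-relevant shortcut — it means "no groups requested, nothing to authorize" — and should say so on the line, e.g. `# no data_dict (controller-side checks pass none): no group membership to authorize`. As written, a caller that forgets to pass data_dict silently skips the group check instead of failing, so the comment is what distinguishes intent from omission. The stray blank line added after `else:` in the first hunk of this file can be dropped. check_group_auth continues past the hunk.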
--- a/ckan/logic/auth/get.py Tue Aug 09 11:34:43 2011 +0100
+++ b/ckan/logic/auth/get.py Tue Aug 09 13:55:05 2011 +0100
@@ -11,6 +11,11 @@
./ckan/controllers/api.py
"""
+ model = context['model']
+ user = context['user']
+ if not Authorizer().is_authorized(user, model.Action.SITE_READ, model.System):
+ return {'success': False, 'msg': _('Not authorized to see this page')}
+
return {'success': True}
def package_search(context, data_dict):
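Review bot: `is_authorized(user, model.Action.SITE_READ, model.System)` passes the class, whereas the create.py auth functions in the first changeset pass `model.System()`; the replaced controller code used the class too, so this presumably works, but one form should be chosen for all auth functions. `user = context['user']` also raises KeyError rather than returning a failure dict when a caller omits the key, unlike check_access, which reads `context.get('user')`. The function's signature and the start of its docstring are above the hunk.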
http://bitbucket.org/okfn/ckan/changeset/18c4be404d09/
changeset: 18c4be404d09
branch: feature-1253-authz-refactor
user: amercader
date: 2011-08-10 14:33:48
summary: [auth] Refactor package controller checks.
affected #: 5 files (2.8 KB)
--- a/ckan/controllers/package.py Tue Aug 09 13:55:05 2011 +0100
+++ b/ckan/controllers/package.py Wed Aug 10 13:33:48 2011 +0100
@@ -87,8 +87,12 @@
## This is messy as auths take domain object not data_dict
pkg = context.get('package') or c.pkg
if pkg:
- c.auth_for_change_state = Authorizer().am_authorized(
- c, model.Action.CHANGE_STATE, pkg)
+ try:
+ context = {'model':model,'user':c.user or c.author, 'package':pkg}
+ check_access('package_change_state',context)
+ c.auth_for_change_state = True
+ except NotAuthorized:
+ c.auth_for_change_state = False
## end hooks
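Review bot: The new `context = {...}` line rebinds the same name the hook reads two lines above (`pkg = context.get('package') or c.pkg`), so any code after this hunk in the hook that still expects the original context silently sees the narrowed one; naming it `auth_context = {'model':model,'user':c.user or c.author, 'package':pkg}` and passing that to check_access avoids the shadowing. The same rebinding appears in the `c.authz_editable` hunk of this file. The enclosing hook starts and ends outside the hunk.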
@@ -332,9 +336,9 @@
'preview': 'preview' in request.params,
'save': 'save' in request.params,
'schema': self._form_to_db_schema()}
-
- auth_for_create = Authorizer().am_authorized(c, model.Action.PACKAGE_CREATE, model.System())
- if not auth_for_create:
+ try:
+ check_access('package_create',context)
+ except NotAuthorized:
abort(401, _('Unauthorized to create a package'))
if (context['save'] or context['preview']) and not data:
@@ -374,8 +378,9 @@
c.pkg = context.get("package")
- am_authz = self.authorizer.am_authorized(c, model.Action.EDIT, c.pkg)
- if not am_authz:
+ try:
+ check_access('package_update',context)
+ except NotAuthorized, e:
abort(401, _('User %r not authorized to edit %s') % (c.user, id))
errors = errors or {}
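Review bot: `except NotAuthorized, e:` binds `e` and never uses it; `except NotAuthorized:` matches the other new handlers in this changeset. `check_access('package_update',context)` also passes no data_dict, and the package_update auth function added in this changeset calls `data_dict.get('id',None)` when 'package' is missing from the context, so if `context.get("package")` is None here the failure is an AttributeError (500) rather than the 401 the abort intends. The enclosing edit action starts above the hunk.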
@@ -535,8 +540,13 @@
c.pkg = pkg # needed to add in the tab bar to the top of the auth page
c.pkgname = pkg.name
c.pkgtitle = pkg.title
+ try:
+ context = {'model':model,'user':c.user or c.author, 'package':pkg}
+ check_access('package_edit_permissions',context)
+ c.authz_editable = True
+ except NotAuthorized:
+ c.authz_editable = False
- c.authz_editable = self.authorizer.am_authorized(c, model.Action.EDIT_PERMISSIONS, pkg)
if not c.authz_editable:
abort(401, gettext('User %r not authorized to edit %s authorizations') % (c.user, id))
--- a/ckan/logic/__init__.py Tue Aug 09 13:55:05 2011 +0100
+++ b/ckan/logic/__init__.py Wed Aug 10 13:33:48 2011 +0100
@@ -116,14 +116,12 @@
model = context['model']
user = context.get('user')
- log.debug('check access - user %r' % user)
-
+ log.debug('check access - user %r, action %s' % (user,action))
if action and entity and not isinstance(entity, model.PackageRelationship):
- if action != model.Action.READ and user in (model.PSEUDO_USER__VISITOR, ''):
+ if action != model.Action.READ and user == '':
log.debug('Valid API key needed to make changes')
return False
#raise NotAuthorized
-
am_authz = ckan.authz.Authorizer().is_authorized(user, action, entity)
if not am_authz:
log.debug('User is not authorized to %s %s' % (action, entity))
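Review bot: Dropping `model.PSEUDO_USER__VISITOR` from the guard on the changed line means check_access_old now forwards the visitor pseudo-user to `Authorizer().is_authorized` for non-READ actions, where it was previously refused outright; only the `*_rest` auth functions in this changeset re-add that refusal, so every other write action (package_create, package_update, package_change_state, package_edit_permissions) now relies on the Authorizer denying the visitor role. If that is intended, a comment on the line saying so would help the next reader, e.g. `# visitor pseudo-user is deliberately not refused here; the *_rest auth functions refuse it explicitly`; otherwise keep the tuple. The log line above it also switches to eager `%` formatting — `log.debug('check access - user %r, action %s', user, action)` defers it. check_access_old begins above this hunk.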
--- a/ckan/logic/auth/create.py Tue Aug 09 13:55:05 2011 +0100
+++ b/ckan/logic/auth/create.py Wed Aug 10 13:33:48 2011 +0100
@@ -97,7 +97,17 @@
## Modifications for rest api
def package_create_rest(context, data_dict):
+ model = context['model']
+ user = context['user']
+ if user in (model.PSEUDO_USER__VISITOR, ''):
+ return {'success': False, 'msg': _('Valid API key needed to create a package')}
+
return package_create(context, data_dict)
def group_create_rest(context, data_dict):
+ model = context['model']
+ user = context['user']
+ if user in (model.PSEUDO_USER__VISITOR, ''):
+ return {'success': False, 'msg': _('Valid API key needed to create a group')}
+
return group_create(context, data_dict)
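Review bot: The three-line visitor refusal (`model = context['model']` / `user = context['user']` / `if user in (model.PSEUDO_USER__VISITOR, ''): return {...}`) is copied into package_create_rest, group_create_rest, package_update_rest and group_update_rest in this changeset, differing only in the message; a small helper that returns the failure dict or None would keep the API-key policy in one place. `context['user']` also raises KeyError for a missing key, while check_access reads `context.get('user')`, so a caller that omits it gets a 500 rather than a refusal.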
--- a/ckan/logic/auth/update.py Tue Aug 09 13:55:05 2011 +0100
+++ b/ckan/logic/auth/update.py Wed Aug 10 13:33:48 2011 +0100
@@ -9,12 +9,17 @@
def package_update(context, data_dict):
model = context['model']
user = context.get('user')
- id = data_dict['id']
- pkg = model.Package.get(id)
+ if not 'package' in context:
+ id = data_dict.get('id',None)
+ package = model.Package.get(id)
+ if not package:
+ raise NotFound
+ else:
+ package = context['package']
- check1 = check_access_old(pkg, model.Action.EDIT, context)
+ check1 = check_access_old(package, model.Action.EDIT, context)
if not check1:
- return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), pkg.id)}
+ return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)}
else:
check2 = check_group_auth(context,data_dict)
if not check2:
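Review bot: `id = data_dict.get('id',None)` raises AttributeError when data_dict is None, which is exactly what the package controller in this changeset passes (`check_access('package_update',context)`), so a context without 'package' crashes instead of yielding an authorization result; `data_dict = data_dict or {}` at the top of the function closes that. Style: `if not 'package' in context` reads better as `if 'package' not in context`, and `id` shadows the builtin. package_update continues past the hunk.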
@@ -25,6 +30,28 @@
def package_relationship_update(context, data_dict):
return package_relationship_create(context, data_dict)
+def package_change_state(context, data_dict):
+ model = context['model']
+ package = context['package']
+ user = context['user']
+
+ authorized = check_access_old(package, model.Action.CHANGE_STATE, context)
+ if not authorized:
+ return {'success': False, 'msg': _('User %s not authorized to change state of package %s') % (str(user),package.id)}
+ else:
+ return {'success': True}
+
+def package_edit_permissions(context, data_dict):
+ model = context['model']
+ package = context['package']
+ user = context['user']
+
+ authorized = check_access_old(package, model.Action.EDIT_PERMISSIONS, context)
+ if not authorized:
+ return {'success': False, 'msg': _('User %s not authorized to edit permissions of package %s') % (str(user),package.id)}
+ else:
+ return {'success': True}
+
def group_update(context, data_dict):
model = context['model']
id = data_dict['id']
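Review bot: Both new functions read `context['package']` unconditionally, so a caller that forgets the key gets a KeyError instead of an authorization verdict; `package = context.get('package')` followed by an explicit failure when it is None would keep the error on the authorization path. package_change_state and package_edit_permissions are otherwise identical apart from the Action and message, so a shared private helper taking those two would halve the code. `data_dict` is unused in both; a docstring should say the package is taken from the context, not from data_dict.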
@@ -53,8 +80,18 @@
## Modifications for rest api
def package_update_rest(context, data_dict):
+ model = context['model']
+ user = context['user']
+ if user in (model.PSEUDO_USER__VISITOR, ''):
+ return {'success': False, 'msg': _('Valid API key needed to edit a package')}
+
return package_update(context, data_dict)
def group_update_rest(context, data_dict):
+ model = context['model']
+ user = context['user']
+ if user in (model.PSEUDO_USER__VISITOR, ''):
+ return {'success': False, 'msg': _('Valid API key needed to edit a group')}
+
return group_update(context, data_dict)
--- a/ckan/tests/functional/api/test_action.py Tue Aug 09 13:55:05 2011 +0100
+++ b/ckan/tests/functional/api/test_action.py Wed Aug 10 13:33:48 2011 +0100
@@ -98,6 +98,25 @@
package_created.pop('revision_timestamp')
assert package_updated == package_created#, (pformat(json.loads(res.body)), pformat(package_created['result']))
+ def test_18_create_package_not_authorized(self):
+
+ package = {
+ 'extras': [{'key': u'original media','value': u'"book"'}],
+ 'license_id': u'other-open',
+ 'maintainer': None,
+ 'maintainer_email': None,
+ 'name': u'annakareninanew_not_authorized',
+ 'notes': u'Some test now',
+ 'tags': [{'name': u'russian'}, {'name': u'tolstoy'}],
+ 'title': u'A Novel By Tolstoy',
+ 'url': u'http://www.annakarenina.com',
+ }
+
+ wee = json.dumps(package)
+ postparams = '%s=1' % json.dumps(package)
+ res = self.app.post('/api/action/package_create', params=postparams,
+ status=self.STATUS_403_ACCESS_DENIED)
+
def test_04_user_list(self):
postparams = '%s=1' % json.dumps({})
res = self.app.post('/api/action/user_list', params=postparams)
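Review bot: `wee = json.dumps(package)` is assigned and never used, and `res` is not used either; drop `wee` and either drop the `res =` assignment or assert on the body. The test relies solely on `status=self.STATUS_403_ACCESS_DENIED`, which is adequate, but a comment naming the condition under test — presumably an anonymous request without an API key — would tie it to the auth changes in this changeset. The enclosing test class continues outside the hunk.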
Repository URL: https://bitbucket.org/okfn/ckan/