[ckan-changes] commit/ckan: 2 new changesets
Bitbucket
commits-noreply at bitbucket.org
Thu Jun 23 16:47:52 UTC 2011
2 new changesets in ckan:
http://bitbucket.org/okfn/ckan/changeset/5c65a4d8c92d/
changeset: 5c65a4d8c92d
branch: feature-1094-authz
user: thejimmyg
date: 2011-06-23 18:45:25
summary: [authz] starting to put in the logic layer auth functions
affected #: 7 files (3.8 KB)
--- a/ckan/logic/__init__.py Thu Jun 23 11:29:48 2011 +0100
+++ b/ckan/logic/__init__.py Thu Jun 23 17:45:25 2011 +0100
@@ -80,15 +80,17 @@
log.debug('check access - user %r' % user)
if action and data_dict and object_type != 'package_relationship':
- if action != model.Action.READ and user in (model.PSEUDO_USER__VISITOR, ''):
- log.debug("Valid API key needed to make changes")
- raise NotAuthorized
-
- if not new_authz.check_overridden(context, action, object_id, object_type):
- new_authz.is_authorized(context, action, data_dict, object_id, object_type)
-
+ #if action != model.Action.READ and user in (model.PSEUDO_USER__VISITOR, ''):
+ # # XXX Check the API key is valid at some point too!
+ # log.debug("Valid API key needed to make changes")
+ # raise NotAuthorized
+ logic_authorization = new_authz.is_authorized(context, action, data_dict, object_id, object_type)
+ if not logic_authorization['success']:
+ if not new_authz.check_overridden(context, action, object_id, object_type):
+ raise NotAuthorized(logic_authorization['msg'])
elif not user:
log.debug("No valid API key provided.")
- raise NotAuthorized
+ raise NotAuthorized()
log.debug("Access OK.")
- return True
+ return True
+
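Review bot: Commenting out the visitor guard at the top of this branch means an anonymous caller (`model.PSEUDO_USER__VISITOR` or `''`) is no longer rejected for non-READ actions before the per-action lookup, so the outcome now rests entirely on what `new_authz.is_authorized` returns. Until every auth function checks the user itself, I would keep the guard active ahead of the `is_authorized` call rather than leaving it as a comment with an XXX. Separately, `logic_authorization['msg']` raises KeyError for an auth function that returns `{'success': False}` without a message; `raise NotAuthorized(logic_authorization.get('msg'))` is safer. The enclosing function starts above the hunk, so its signature and how `user` is derived are not visible here.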
--- a/ckan/logic/action/get.py Thu Jun 23 11:29:48 2011 +0100
+++ b/ckan/logic/action/get.py Thu Jun 23 17:45:25 2011 +0100
@@ -159,16 +159,16 @@
api = context.get('api_version') or '1'
id = context['id']
+ check_access(context, 'package_show', {'id': context['id']})
+
pkg = model.Package.get(id)
- context['package'] = pkg
-
if pkg is None:
raise NotFound
+ context['package'] = pkg
package_dict = package_dictize(pkg, context)
- check_access(context, 'package_show', package_dict)
for item in PluginImplementations(IPackageController):
item.read(pkg)
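Review bot: The relocated `check_access` call deserves a comment saying why it now runs before `model.Package.get(id)`: as written, a caller who fails authorization gets NotAuthorized whether or not the id exists, and the auth function receives only the id, with `context['package']` not yet set. Something like `# Authorize before the lookup so unauthorized callers cannot probe which ids exist; auth functions get only the id.` would record that, if that is the intent. The call could also reuse the local, `check_access(context, 'package_show', {'id': id})`. The function begins and ends outside the hunk.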
--- a/ckan/logic/action/update.py Thu Jun 23 11:29:48 2011 +0100
+++ b/ckan/logic/action/update.py Thu Jun 23 17:45:25 2011 +0100
@@ -16,6 +16,10 @@
from ckan.lib.navl.dictization_functions import validate
log = logging.getLogger(__name__)
+#
+# Helpers (could be moved elsewhere)
+#
+
def prettify(field_name):
field_name = re.sub('(?<!\w)[Uu]rl(?!\w)', 'URL', field_name.replace('_', ' ').capitalize())
return _(field_name.replace('_', ' '))
@@ -46,31 +50,6 @@
error_summary[_(prettify(key))] = error[0]
return error_summary
-def check_group_auth(data_dict, context):
- model = context['model']
- pkg = context.get("package")
-
- ## hack as api does not allow groups
- if context.get("allow_partial_update"):
- return
-
- group_dicts = data_dict.get("groups", [])
- groups = set()
- for group_dict in group_dicts:
- id = group_dict.get('id')
- if not id:
- continue
- grp = model.Group.get(id)
- if grp is None:
- raise NotFound(_('Group was not found.'))
- groups.add(grp)
-
- if pkg:
- groups = groups - set(pkg.groups)
-
- for group in groups:
- check_access(group, model.Action.EDIT, context)
-
def _make_latest_rev_active(context, q):
session = context['model'].Session
@@ -100,6 +79,51 @@
context['latest_revision_date'] = latest_rev.revision_timestamp
context['latest_revision'] = latest_rev.revision_id
+def _update_package_relationship(relationship, comment, context):
+ model = context['model']
+ api = context.get('api_version') or '1'
+ ref_package_by = 'id' if api == '2' else 'name'
+ is_changed = relationship.comment != comment
+ if is_changed:
+ rev = model.repo.new_revision()
+ rev.author = context["user"]
+ rev.message = (_(u'REST API: Update package relationship: %s %s %s') %
+ (relationship.subject, relationship.type, relationship.object))
+ relationship.comment = comment
+ model.repo.commit_and_remove()
+ rel_dict = relationship.as_dict(package=relationship.subject,
+ ref_package_by=ref_package_by)
+ return rel_dict
+
+def check_group_auth(data_dict, context):
+ model = context['model']
+ pkg = context.get("package")
+
+ ## hack as api does not allow groups
+ if context.get("allow_partial_update"):
+ return
+
+ group_dicts = data_dict.get("groups", [])
+ groups = set()
+ for group_dict in group_dicts:
+ id = group_dict.get('id')
+ if not id:
+ continue
+ grp = model.Group.get(id)
+ if grp is None:
+ raise NotFound(_('Group was not found.'))
+ groups.add(grp)
+
+ if pkg:
+ groups = groups - set(pkg.groups)
+
+ for group in groups:
+ check_access(group, model.Action.EDIT, context)
+
+#
+# Logic functions
+#
+
def make_latest_pending_package_active(context):
model = context['model']
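Review bot: The relocated `check_group_auth` still calls `check_access(group, model.Action.EDIT, context)`, while action/get.py in this same changeset calls `check_access(context, 'package_show', {...})`, so the two call sites disagree on argument order. The signature of `check_access` is outside the visible hunks, but if it now takes the context first, the group check here is evaluated against the wrong arguments and may not enforce what it appears to. I would update this call to the new convention as part of the move, or add a `# TODO` naming the pending change, so that the group-edit check is not silently lost during the refactor.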
@@ -186,22 +210,6 @@
return data
-def _update_package_relationship(relationship, comment, context):
- model = context['model']
- api = context.get('api_version') or '1'
- ref_package_by = 'id' if api == '2' else 'name'
- is_changed = relationship.comment != comment
- if is_changed:
- rev = model.repo.new_revision()
- rev.author = context["user"]
- rev.message = (_(u'REST API: Update package relationship: %s %s %s') %
- (relationship.subject, relationship.type, relationship.object))
- relationship.comment = comment
- model.repo.commit_and_remove()
- rel_dict = relationship.as_dict(package=relationship.subject,
- ref_package_by=ref_package_by)
- return rel_dict
-
def package_relationship_update(data_dict, context):
model = context['model']
--- a/ckan/logic/auth/create.py Thu Jun 23 11:29:48 2011 +0100
+++ b/ckan/logic/auth/create.py Thu Jun 23 17:45:25 2011 +0100
@@ -1,3 +1,24 @@
-def package_create(data_dict, context):
- raise Exception('asdada')
- return True
+
+def package_create(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def resource_create(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def package_relationship_create(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def group_create(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def rating_create(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+## Modifications for rest api
+
+def package_create_rest(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def group_create_rest(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
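Review bot: Every stub in this file repeats the same denial literal, and auth/get.py and auth/update.py in this changeset do the same, so the shape and message of a "not implemented" result are defined in about thirty places. A single helper, for example `def _not_implemented(): return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}`, would keep them in step and make the remaining stubs easy to find. Denying by default while the functions are unwritten is the right choice. A one-line docstring per function saying which action it guards, and that it takes `(context, data_dict)` in the new order, would help whoever fills them in.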
--- a/ckan/logic/auth/get.py Thu Jun 23 11:29:48 2011 +0100
+++ b/ckan/logic/auth/get.py Thu Jun 23 17:45:25 2011 +0100
@@ -0,0 +1,49 @@
+def package_list(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def current_package_list_with_resources(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def revision_list(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def package_revision_list(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def group_list(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def group_list_authz(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def group_list_availible(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def licence_list(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def tag_list(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def package_relationships_list(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def package_show(context, data_dict):
+ #return {'success': True}
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def revision_show(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def group_show(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def tag_show(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def package_show_rest(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def group_show_rest(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
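Review bot: `group_list_availible` is misspelled, and because `_get_auth_function` in new_authz.py looks functions up by name, this stub only applies if the action string passed to `check_access` uses the same spelling. The action side is not visible in this diff, so that needs confirming; a mismatch would not raise, it would simply leave the action without an auth function. The commented-out `#return {'success': True}` in `package_show` should be removed or replaced with a comment explaining the intended final behaviour.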
--- a/ckan/logic/auth/update.py Thu Jun 23 11:29:48 2011 +0100
+++ b/ckan/logic/auth/update.py Thu Jun 23 17:45:25 2011 +0100
@@ -0,0 +1,20 @@
+def make_latest_pending_package_active(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def package_update(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def package_relationship_update(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def group_update(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+## Modifications for rest api
+
+def package_update_rest(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
+def group_update_rest(context, data_dict):
+ return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
+
--- a/ckan/new_authz.py Thu Jun 23 11:29:48 2011 +0100
+++ b/ckan/new_authz.py Thu Jun 23 17:45:25 2011 +0100
@@ -48,13 +48,13 @@
def is_authorized(context, action=None, data_dict=None, object_id=None, object_type=None):
auth_function = _get_auth_function(action)
if auth_function:
- return auth_function(data_dict, context)
+ return auth_function(context, data_dict)
else:
- return True
+ return {'success': True}
def _get_auth_function(action):
if _auth_functions:
- return _auth_functions.get('action')
+ return _auth_functions.get(action)
# Otherwise look in all the plugins to resolve all possible
global _auth_functions
# First get the default ones in the ckan/logic/auth directory
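Review bot: The fallback in `is_authorized` fails open: when `_get_auth_function(action)` returns nothing, the new code returns `{'success': True}`, so any action with no registered auth function, or one whose name does not match, is treated as authorized. For an access-control entry point I would deny instead, e.g. `return {'success': False, 'msg': 'No auth function registered for %s' % action}`, and let `check_overridden` in the caller grant the exceptions. `_get_auth_function` continues past the end of this hunk, so how the default functions are collected is not visible here.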
@@ -86,7 +86,7 @@
fetched_auth_functions[name] = auth_function
# Use the updated ones in preference to the originals.
_auth_functions.update(fetched_auth_functions)
- return _auth_functions.get('action')
+ return _auth_functions.get(action)
def check_overridden(context, action, object_id, object_type):
http://bitbucket.org/okfn/ckan/changeset/a59e41b0d761/
changeset: a59e41b0d761
branch: feature-1094-authz
user: thejimmyg
date: 2011-06-23 18:47:40
summary: [merge]
affected #: 5 files (3.3 KB)
--- a/ckan/migration/versions/040_add_user_group_tables.py Thu Jun 23 17:45:25 2011 +0100
+++ b/ckan/migration/versions/040_add_user_group_tables.py Thu Jun 23 17:47:40 2011 +0100
@@ -1,67 +1,74 @@
from migrate import *
def upgrade(migrate_engine):
-
migrate_engine.execute('''
BEGIN;
-CREATE TABLE user_group (
- id text NOT NULL,
- name text NOT NULL,
- parent_id text
+CREATE TABLE "member" (
+ id text NOT NULL,
+ user_id text,
+ group_id text,
+ capacity text,
+ "state" text,
+ revision_id text
);
-CREATE TABLE user_group_extra (
- id text NOT NULL,
- user_group_id text NOT NULL,
- "key" text NOT NULL,
- "value" text NOT NULL
-);
+CREATE TABLE member_revision (
+ id text NOT NULL,
+ user_id text,
+ group_id text,
+ capacity text,
+ "state" text,
+ revision_id text NOT NULL,
+ continuity_id text,
+ expired_id text,
+ revision_timestamp timestamp without time zone,
+ expired_timestamp timestamp without time zone,
+ "current" boolean
+);
+
-CREATE TABLE user_group_package (
- id text NOT NULL,
- user_group_id text NOT NULL,
- package_id text NOT NULL,
- capacity text
-);
+ALTER TABLE "group"
+ ADD COLUMN parent_id text;
-CREATE TABLE user_group_user (
- id text NOT NULL,
- user_group_id text NOT NULL,
- user_id text NOT NULL,
- capacity text
-);
+ALTER TABLE group_revision
+ ADD COLUMN parent_id text;
+ALTER TABLE package_group
+ ADD COLUMN capacity text,
+ ADD COLUMN type text;
-ALTER TABLE user_group
- ADD CONSTRAINT user_group_pkey PRIMARY KEY (id);
+ALTER TABLE package_group_revision
+ ADD COLUMN capacity text,
+ ADD COLUMN type text;
-ALTER TABLE user_group_extra
- ADD CONSTRAINT user_group_extra_pkey PRIMARY KEY (id);
+ALTER TABLE "member"
+ ADD CONSTRAINT member_pkey PRIMARY KEY (id);
-ALTER TABLE user_group_package
- ADD CONSTRAINT user_group_package_pkey PRIMARY KEY (id);
+ALTER TABLE "member"
+ ADD CONSTRAINT member_group_id_fkey FOREIGN KEY (group_id) REFERENCES "group"(id);
-ALTER TABLE user_group_user
- ADD CONSTRAINT user_group_user_pkey PRIMARY KEY (id);
+ALTER TABLE "member"
+ ADD CONSTRAINT member_user_id_fkey FOREIGN KEY (user_id) REFERENCES "user"(id);
+ALTER TABLE "member"
+ ADD CONSTRAINT member_revision_id_fkey FOREIGN KEY (revision_id) REFERENCES revision(id);
-
-ALTER TABLE user_group_extra
- ADD CONSTRAINT user_group_extra_user_group_id_fkey FOREIGN KEY (user_group_id) REFERENCES user_group(id);
-
-ALTER TABLE user_group_package
- ADD CONSTRAINT user_group_package_package_id_fkey FOREIGN KEY (package_id) REFERENCES package(id);
-
-ALTER TABLE user_group_package
- ADD CONSTRAINT user_group_package_user_group_id_fkey FOREIGN KEY (user_group_id) REFERENCES user_group(id);
-
-ALTER TABLE user_group_user
- ADD CONSTRAINT user_group_user_user_group_id_fkey FOREIGN KEY (user_group_id) REFERENCES user_group(id);
-
-ALTER TABLE user_group_user
- ADD CONSTRAINT user_group_user_user_id_fkey FOREIGN KEY (user_id) REFERENCES "user"(id);
+ALTER TABLE member_revision
+ ADD CONSTRAINT member_revision_pkey PRIMARY KEY (id, revision_id);
+
+ALTER TABLE member_revision
+ ADD CONSTRAINT member_revision_continuity_id_fkey FOREIGN KEY (continuity_id) REFERENCES member(id);
+
+ALTER TABLE member_revision
+ ADD CONSTRAINT member_revision_group_id_fkey FOREIGN KEY (group_id) REFERENCES "group"(id);
+
+ALTER TABLE member_revision
+ ADD CONSTRAINT member_revision_revision_id_fkey FOREIGN KEY (revision_id) REFERENCES revision(id);
+
+ALTER TABLE member_revision
+ ADD CONSTRAINT member_revision_user_id_fkey FOREIGN KEY (user_id) REFERENCES "user"(id);
COMMIT;
''')
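Review bot: This rewrites migration 040 in place, replacing the `user_group*` tables with `member`/`member_revision` and the extra columns on `group` and `package_group`. Any database that already ran the earlier 040 is recorded at that version and will never receive these statements, leaving its schema out of step with ckan/model/group.py; if the earlier version was applied anywhere outside this feature branch, the change belongs in a new numbered migration. Also, `member.user_id` and `member.group_id` are nullable (the same holds for `member_table` in ckan/model/group.py), which permits membership rows that name no user or no group; `NOT NULL` on both would be safer if membership is going to feed authorization decisions.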
--- a/ckan/migration/versions/041_auth_refactor.py Thu Jun 23 17:45:25 2011 +0100
+++ b/ckan/migration/versions/041_auth_refactor.py Thu Jun 23 17:47:40 2011 +0100
@@ -14,6 +14,9 @@
--DROP TABLE system_role;
BEGIN;
+alter table "user" add column sysadmin bool;
+update "user" set sysadmin = (select true from user_object_role where context = 'System' and role = 'admin' and user_object_role.user_id = "user".id);
+
alter table group_role drop constraint group_role_group_id_fkey;
alter table package_role drop constraint package_role_package_id_fkey;
alter table user_object_role drop constraint user_object_role_authorized_group_id_fkey;
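Review bot: The backfill `update "user" set sysadmin = (select true from user_object_role where ...)` leaves `sysadmin` NULL for every user without a matching row, and the scalar subquery will error if a user has more than one System/admin row. `update "user" set sysadmin = exists (select 1 from user_object_role where context = 'System' and role = 'admin' and user_object_role.user_id = "user".id);` gives a definite true or false for everyone. I would also declare the column `bool not null default false`, and give `Column('sysadmin', Boolean)` in ckan/model/user.py a `default=False`, so that code testing the flag never has to treat NULL as a third state.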
--- a/ckan/model/authz.py Thu Jun 23 17:45:25 2011 +0100
+++ b/ckan/model/authz.py Thu Jun 23 17:47:40 2011 +0100
@@ -100,38 +100,6 @@
Column('role', UnicodeText)
)
-user_group_table = Table(
- 'user_group', metadata,
- Column('id', UnicodeText, primary_key=True, default=make_uuid),
- Column('name', UnicodeText, nullable=False),
- Column('parent_id', UnicodeText, nullable=True),
-)
-
-user_group_extra_table = Table(
- 'user_group_extra', metadata,
- Column('id', UnicodeText, primary_key=True, default=make_uuid),
- Column('user_group_id', UnicodeText, ForeignKey('user_group.id'), nullable=False),
- Column('key', UnicodeText, nullable=False),
- Column('value', UnicodeText, nullable=False),
-)
-
-user_group_user_table = Table(
- 'user_group_user', metadata,
- Column('id', UnicodeText, primary_key=True, default=make_uuid),
- Column('user_group_id', UnicodeText, ForeignKey('user_group.id'), nullable=False),
- Column('user_id', UnicodeText, ForeignKey('user.id'), nullable=False),
- Column('capacity', UnicodeText),
-)
-
-user_group_package_table = Table(
- 'user_group_package', metadata,
- Column('id', UnicodeText, primary_key=True, default=make_uuid),
- Column('user_group_id', UnicodeText, ForeignKey('user_group.id'), nullable=False),
- Column('package_id', UnicodeText, ForeignKey('package.id'), nullable=False),
- Column('capacity', UnicodeText),
-)
-
-
class RoleAction(DomainObject):
def __repr__(self):
--- a/ckan/model/group.py Thu Jun 23 17:45:25 2011 +0100
+++ b/ckan/model/group.py Thu Jun 23 17:47:40 2011 +0100
@@ -5,6 +5,7 @@
from sqlalchemy.orm import eagerload_all
from domain_object import DomainObject
from package import *
+from user import *
from types import make_uuid
import vdm.sqlalchemy
from ckan.model import extension
@@ -12,12 +13,25 @@
__all__ = ['group_table', 'Group', 'package_revision_table',
'PackageGroup', 'GroupRevision', 'PackageGroupRevision',
- 'package_group_revision_table']
+ 'package_group_revision_table', 'Member', 'member_table',
+ 'member_revision_table']
+
+member_table = Table('member', metadata,
+ Column('id', UnicodeText, primary_key=True, default=make_uuid),
+ Column('user_id', UnicodeText, ForeignKey('user.id')),
+ Column('group_id', UnicodeText, ForeignKey('group.id')),
+ Column('capacity', UnicodeText),
+ )
+
+vdm.sqlalchemy.make_table_stateful(member_table)
+member_revision_table = make_revisioned_table(member_table)
package_group_table = Table('package_group', metadata,
Column('id', UnicodeText, primary_key=True, default=make_uuid),
Column('package_id', UnicodeText, ForeignKey('package.id')),
Column('group_id', UnicodeText, ForeignKey('group.id')),
+ Column('capacity', UnicodeText),
+ Column('type', UnicodeText),
)
vdm.sqlalchemy.make_table_stateful(package_group_table)
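Review bot: `__all__` gains `Member`, `member_table` and `member_revision_table` but not `MemberRevision`, which a later hunk in this file creates in the same way as `PackageGroupRevision` (which is exported). Modules that rely on `from group import *` would not see the revision class. A short comment above `member_table` saying what values `capacity` is expected to hold would also help, since nothing in the column definition constrains it.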
@@ -29,6 +43,7 @@
Column('title', UnicodeText),
Column('description', UnicodeText),
Column('created', DateTime, default=datetime.now),
+ Column('parent_id', UnicodeText),
)
vdm.sqlalchemy.make_table_stateful(group_table)
@@ -40,6 +55,11 @@
DomainObject):
pass
+class Member(vdm.sqlalchemy.RevisionedObjectMixin,
+ vdm.sqlalchemy.StatefulObjectMixin,
+ DomainObject):
+ pass
+
class Group(vdm.sqlalchemy.RevisionedObjectMixin,
vdm.sqlalchemy.StatefulObjectMixin,
DomainObject):
@@ -140,6 +160,17 @@
extension=[vdm.sqlalchemy.Revisioner(package_group_revision_table),],
)
+mapper(Member, member_table, properties={
+ 'group': relation(Group,
+ backref=backref('member_all', cascade='all, delete-orphan'),
+ ),
+ 'user': relation(User,
+ backref=backref('member_all', cascade='all, delete-orphan'),
+ ),
+},
+ extension=[vdm.sqlalchemy.Revisioner(member_revision_table),],
+)
+
def _create_group(group):
return PackageGroup(group=group)
@@ -150,11 +181,26 @@
Group.packages = association_proxy('package_group_all', 'package', creator=_create_package)
+def _create_member_group(group):
+ return Member(group=group)
+
+def _create_user(user):
+ return Member(user=user)
+
+User.groups = association_proxy('member_all', 'group', creator=_create_member_group)
+Group.users = association_proxy('member_all', 'user', creator=_create_user)
+
+
vdm.sqlalchemy.modify_base_object_mapper(PackageGroup, Revision, State)
PackageGroupRevision = vdm.sqlalchemy.create_object_version(mapper, PackageGroup,
package_group_revision_table)
+vdm.sqlalchemy.modify_base_object_mapper(Member, Revision, State)
+MemberRevision = vdm.sqlalchemy.create_object_version(mapper, Member,
+ member_revision_table)
+
+
from vdm.sqlalchemy.base import add_stateful_versioned_m2m
#vdm.sqlalchemy.add_stateful_versioned_m2m(Package, PackageGroup, 'groups', 'group',
# 'package_group')
--- a/ckan/model/user.py Thu Jun 23 17:45:25 2011 +0100
+++ b/ckan/model/user.py Thu Jun 23 17:47:40 2011 +0100
@@ -19,6 +19,7 @@
Column('apikey', UnicodeText, default=make_uuid),
Column('created', DateTime, default=datetime.now),
Column('about', UnicodeText),
+ Column('sysadmin', Boolean),
)
class User(DomainObject):
Repository URL: https://bitbucket.org/okfn/ckan/