[ckan-dev] Auth changes - branch 2939

Toby Dacre toby.okfn at gmail.com
Fri Oct 12 10:20:57 UTC 2012


Assuming this branch gets merged into master, these are the general changes
that occur:

1) The Authorizer class has been removed - The table underlying this still
exists and should be removed sometime in the future but may be useful for
migrations.  authz.py is now an empty stub file pending complete removal.

2) logic.check_access_old() has been removed as it relied on Authorizer.

3) IAuthorizer Interface has been removed as it too was part of Authorizer
(IAuthFunctions provides access to similar functionality).

4) Publisher auth functions have been removed.

*This means that now all authorization occurs through the logic.auth
functions.*

new_authz.py has some new authz helper functions. These include:

is_sysadmin(username)
   # is current user a sysadmin

is_authorized_boolean(action, context, data_dict=None)
    # like is_authorized but just returns True or False

auth_is_reqistered_user()
   # is current user registered?

There are some .ini configs; these are prefixed with ckan.auth. in the
config .ini file.

The permissions and current defaults are:
    'anon_create_dataset': False,
    'create_dataset_if_not_in_organization': True,
    'user_create_groups': False,
    'user_create_organizations': False,
    'create_user_via_api': False,

A helper function to read these is:
check_config_permission(permission)


Dataset permissions are now based on organization ownership of the
dataset.  A single organization owns a dataset and members of the
organization have a role.  In turn roles have permissions for a dataset -
these are defined in new_authz.py

Helper functions also in new_authz.py include:
get_roles_with_permission(permission)
has_user_permission_for_group_or_org(group_id, user_id, permission)
has_user_permission_for_some_org(user_id, permission)
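
Added example (not part of the original post and not CKAN's own code): a stand-alone Python check that overlays the ckan.auth.* values found in a config file on the defaults listed above and flags keys that match none of the listed permissions. The [app:main] section name, the sample config and the function signatures are assumptions.

```python
import configparser

# Defaults exactly as listed in the post above.
DEFAULTS = {
    'anon_create_dataset': False,
    'create_dataset_if_not_in_organization': True,
    'user_create_groups': False,
    'user_create_organizations': False,
    'create_user_via_api': False,
}
PREFIX = 'ckan.auth.'

# Constructed sample config; the [app:main] section name is an assumption.
SAMPLE_INI = """
[app:main]
ckan.site_url = http://localhost
ckan.auth.anon_create_dataset = true
ckan.auth.user_create_groups = False
ckan.auth.user_create_organisations = true
"""

def load_auth_settings(ini_text, section='app:main'):
    """Return (effective, unknown): the defaults overlaid with the ckan.auth.*
    values found in ini_text, and any ckan.auth.* names not in DEFAULTS."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    effective, unknown = dict(DEFAULTS), []
    for key in parser[section]:
        if not key.startswith(PREFIX):
            continue
        name = key[len(PREFIX):]
        if name in DEFAULTS:
            # getboolean accepts true/false/yes/no/on/off/1/0, raises otherwise
            effective[name] = parser.getboolean(section, key)
        else:
            unknown.append(name)  # likely a typo; changes nothing in this model
    return effective, unknown

def changed_from_default(effective):
    """Names whose effective value differs from the listed default."""
    return sorted(n for n, v in effective.items() if v != DEFAULTS[n])

def check_config_permission(permission, effective):
    """Stand-alone model of the helper named in the post (signature differs)."""
    return effective[permission]

if __name__ == '__main__':
    eff, unk = load_auth_settings(SAMPLE_INI)
    print('changed:', changed_from_default(eff), 'unknown:', unk)
```

In the constructed sample, the misspelled user_create_organisations line leaves user_create_organizations at its default, which is the kind of silent mismatch worth checking for when reviewing a deployment's config.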