[ckan-dev] File Upload Users

Fri Oct 12 10:47:02 UTC 2012

> > ckan.default_roles.Package = {"visitor": ["reader"], "logged_in":
> > ["reader"]}
> > ckan.default_roles.Group = {"visitor": ["reader"], "logged_in": ["reader"]}
> > ckan.default_roles.System = {"visitor": ["reader"], "logged_in": ["reader"]}
> > ckan.default_roles.AuthorizationGroup = {"visitor": ["reader"],
> > "logged_in": ["reader"]}
> 
> Ok, I think the problem is with these auth settings. I will investigate
> further today..

The way you have it setup, logged-in users who are not sysadmins are not
authorized to add datasets or upload files. This is because "logged_in"
user (permissions that apply to all users when logged in) has only the
"reader" role for the "system" objects. By default it has the "editor"
role which allows it to both add datasets and upload files.

The documentation for this is here:

http://docs.ckan.org/en/ckan-1.7.1/authorization.html

I can see two solutions:

1. Give the logged_in user the editor role for the system object, as
they have by default. They will now be able to upload files, but they
will also be able to add datasets.

To do this you would change the line in your config file to this:

ckan.default_roles.System = {"visitor": ["reader"], "logged_in": ["editor"]}

but I think that only takes affect when you reinitialise your database
(which deletes all your data) to make the change on a "live" database
do:

paster --plugin=ckan rights -c /path/to/your/ckan.ini make logged_in editor system

2. Alternatively, give the reader role the file-upload action. This will
allow logged-in users to upload files to datasets that they can edit,
but will not allow them to add new datasets. This command should do it:

  paster --plugin=ckan roles -c /path/to/your/ckan.ini allow reader file-upload

Alternatively, instead of modifying the default "reader" role you could
create a new role, give it the file-upload action, and give the
logged_in user the new role for the system object. See paster roles
--help.