[ckan-dev] File Upload Users

Michael Reichart michael.reichart at gmail.com
Fri Oct 12 13:26:28 UTC 2012


Hi Sean,

Thanks for the info. We also figured out that this is the problem today.
Our setup is with organizations, so logged-in users can create and edit
datasets; this works.
We have now added file-upload to reader and it works.

But in our opinion the problem lies in controllers/storage.py line 96:

is_authorized = authz.Authorizer.is_authorized(username, 'file-upload', model.System())

Why do you ask for authorization for uploads for model.System()?
Wouldn't it be better to ask for authorization in the authorization group?

Anyway thanks for the help - it works now!

thanks
michi


2012/10/12 Sean Hammond <sean.hammond at okfn.org>

> > > ckan.default_roles.Package = {"visitor": ["reader"], "logged_in": ["reader"]}
> > > ckan.default_roles.Group = {"visitor": ["reader"], "logged_in": ["reader"]}
> > > ckan.default_roles.System = {"visitor": ["reader"], "logged_in": ["reader"]}
> > > ckan.default_roles.AuthorizationGroup = {"visitor": ["reader"], "logged_in": ["reader"]}
> >
> > Ok, I think the problem is with these auth settings. I will investigate
> > further today..
>
> The way you have it set up, logged-in users who are not sysadmins are not
> authorized to add datasets or upload files. This is because the "logged_in"
> user (permissions that apply to all users when logged in) has only the
> "reader" role for the "system" objects. By default it has the "editor"
> role, which allows it to both add datasets and upload files.
>
> The documentation for this is here:
>
> http://docs.ckan.org/en/ckan-1.7.1/authorization.html
>
> I can see two solutions:
>
> 1. Give the logged_in user the editor role for the system object, as
> they have by default. They will now be able to upload files, but they
> will also be able to add datasets.
>
> To do this you would change the line in your config file to this:
>
>   ckan.default_roles.System = {"visitor": ["reader"], "logged_in": ["editor"]}
>
> but I think that only takes effect when you reinitialise your database
> (which deletes all your data). To make the change on a "live" database
> do:
>
>   paster --plugin=ckan rights -c /path/to/your/ckan.ini make logged_in editor system
>
> 2. Alternatively, give the reader role the file-upload action. This will
> allow logged-in users to upload files to datasets that they can edit,
> but will not allow them to add new datasets. This command should do it:
>
>   paster --plugin=ckan roles -c /path/to/your/ckan.ini allow reader file-upload
>
> Alternatively, instead of modifying the default "reader" role you could
> create a new role, give it the file-upload action, and give the
> logged_in user the new role for the system object. See paster roles
> --help.
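Added example (not part of the thread and not CKAN code): a Python script that parses the ckan.default_roles lines quoted above and compares what each of the two proposed fixes grants on the System object. The role-to-action table and every action name except file-upload are assumptions based on Sean's description of the reader and editor roles.

```python
import json
import re

# Assumption drawn from the reply above: "editor" allows adding datasets and
# uploading files, "reader" neither. Only "file-upload" is a name from the thread.
ROLE_ACTIONS = {"reader": {"read"},
                "editor": {"read", "edit", "create-package", "file-upload"}}

# Constructed sample: the default_roles lines quoted in the thread, unwrapped.
SAMPLE_INI = """
ckan.default_roles.Package = {"visitor": ["reader"], "logged_in": ["reader"]}
ckan.default_roles.Group = {"visitor": ["reader"], "logged_in": ["reader"]}
ckan.default_roles.System = {"visitor": ["reader"], "logged_in": ["reader"]}
ckan.default_roles.AuthorizationGroup = {"visitor": ["reader"], "logged_in": ["reader"]}
"""

LINE = re.compile(r"^\s*ckan\.default_roles\.(\w+)\s*=\s*(\{.*\})\s*$")


def parse_default_roles(ini_text):
    """Return {object_type: {pseudo_user: [roles]}} from ckan.default_roles.* lines."""
    roles = {}
    for line in ini_text.splitlines():
        m = LINE.match(line)
        if m:
            roles[m.group(1)] = json.loads(m.group(2))
    return roles


def allowed_actions(roles, obj, user, role_actions=ROLE_ACTIONS):
    """Union of the actions `user` holds on `obj` through its default roles."""
    actions = set()
    for role in roles.get(obj, {}).get(user, []):
        actions |= role_actions.get(role, set())
    return actions


def compare_fixes(ini_text, user):
    """Actions each fix from the reply adds for `user` on the System object."""
    roles = parse_default_roles(ini_text)
    before = allowed_actions(roles, "System", user)
    # Option 1: logged_in gets the editor role on the system object.
    opt1 = dict(roles, System=dict(roles["System"], logged_in=["editor"]))
    # Option 2: the reader role itself gains the file-upload action.
    opt2 = dict(ROLE_ACTIONS, reader=ROLE_ACTIONS["reader"] | {"file-upload"})
    return {"option1": allowed_actions(opt1, "System", user) - before,
            "option2": allowed_actions(roles, "System", user, opt2) - before}
```

In this model option 2 also adds file-upload for visitor, because the quoted config gives visitor the reader role on System. The script reads configured defaults only; as the reply notes, those may apply only when the database is initialised, so compare the result with the live rights.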