[ckan-dev] Get updates for permission changes (related to datastore)

Thu Mar 28 12:47:44 UTC 2013

Hello everyone,

There is this issue which I need to solve [1] so that all datasets which are not public are hidden in the datastore as well. Even though we explicitly state the fact in the docs [2] that the SQL search allow access to all datasets, we intend to change this behaviour. The code that will mostly talk about can be found at [3].

The difficulty with the SQL search is that we have no way of checking which tables are accessed and consequently no way to prevent the query from getting executed or the results to be returned. So my solution would be to prevent access to any datastore table that does not belong to a resource that is part of a public dataset. The way to implement this is to revoke the SELECT privilege for private tables from the read-only pg user that is used by the sql search. In order to do that, I need two things:

First, a way to get notified if there is a change to the permissions of a resource so that the permissions in the datastore can be adapted. Can IDomainObjectModification be used for that?

Second, a way to tell whether a resource is part of a private dataset. A crude way to do this is to use a user without any special permissions and then see what `p.toolkit.check_access` returns for `resource_read`. 

When we discussed this on IRC, there were some doubts whether this is a good implementation. So I'd like to see whether there are any ideas to hide  resources that are easier, safer or cleaner that the solution I proposed. Also, I don't know how to implement the two things I mentioned above and would like to get suggestions where to look for solutions. 

Best wishes,
Dominik

[1] https://github.com/okfn/ckan/issues/652
[2] http://docs.ckan.org/en/latest/datastore-setup.html
[3] https://github.com/okfn/ckan/blob/master/ckanext/datastore/logic/action.py