[ckan-dev] Permissions and workflows

Alice Heaton a.heaton at nhm.ac.uk
Mon Jun 9 16:14:17 UTC 2014


Hello,

I notice that CKAN permissions are per-organization, and that a given 
user will have the same permission for all the datasets within that 
organization. I can see that this was a deliberate choice, and I was 
wondering what the intended workflow was.

My aim was to allow users to edit only the datasets they created. As it 
is, it seems I would need an organization per user which seems quite 
redundant. Is this because the intended workflow excludes this approach? 
Am I thinking about this wrongly?

Or is this the kind of thing that was left for extensions to implement? 
I can see it would be possible to implement this in an extension - by 
implementing IAuthFunctions to override the permissions for 
package_update, resource_update, resource_view_update, etc. The dataset 
creator is available as creator_user_id.

Creating a new role (to differentiate these users from editors who can 
still edit all datasets) is not as straightforward. I did not see any 
API for this. It is possible (by adding the role in 
new_authz.ROLE_PERMISSIONS) but that also requires injecting a function 
in the module ckan.new_authz to provide the translated string for that 
role (ckan.new_authz._trans_role_<role name>), which is obviously not a 
reliable thing to do.

Any thoughts on the alternative workflows for this or implementation 
ideas are welcome :-)

Thanks,
Alice
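
The creator-only rule described in the message above, as an added example that is not part of the original post and not CKAN's own code. It follows the CKAN auth-function convention of taking (context, data_dict) and returning a dict with 'success' and 'msg'. The in-memory USERS, DATASETS and RESOURCES tables are hypothetical stand-ins for CKAN's model lookups, with constructed ids.

```python
# Added example, not CKAN code: in-memory stand-ins for CKAN's model layer.
# All ids and names below are constructed sample data.
USERS = {"alice": "u-1", "bob": "u-2"}            # username -> user id
DATASETS = {"ds-1": {"creator_user_id": "u-1"},
            "ds-2": {"creator_user_id": None}}    # row with no recorded creator
RESOURCES = {"res-1": "ds-1"}                     # resource id -> dataset id


def _deny(msg):
    return {"success": False, "msg": msg}


def _creator_only(context, dataset_id):
    """Allow only the dataset's creator; deny whenever information is missing."""
    user_id = USERS.get(context.get("user") or "")
    if user_id is None:
        return _deny("Not logged in or unknown user")
    dataset = DATASETS.get(dataset_id)
    if dataset is None:
        return _deny("Dataset not found")
    creator = dataset.get("creator_user_id")
    # A dataset without a recorded creator must not become editable by everyone.
    if not creator or creator != user_id:
        return _deny("Only the dataset creator may edit this dataset")
    return {"success": True}


def package_update(context, data_dict):
    return _creator_only(context, data_dict.get("id"))


def resource_update(context, data_dict):
    # Resolve the resource to its parent dataset first, so the resource
    # action cannot be used to sidestep the dataset-level rule.
    return _creator_only(context, RESOURCES.get(data_dict.get("id")))


def get_auth_functions():
    """Mapping in the shape IAuthFunctions.get_auth_functions() returns."""
    return {"package_update": package_update,
            "resource_update": resource_update}
```
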



