[ckan-dev] Permissions and workflows
Alice Heaton
a.heaton at nhm.ac.uk
Mon Jun 9 16:14:17 UTC 2014
Hello,
I notice that CKAN permissions are per-organization, and that a given
user will have the same permission for all the datasets within that
organization. I can see that this was a deliberate choice, and I was
wondering what the intended workflow was.
My aim was to allow users to edit only the datasets they created. As it
is, it seems I would need an organization per user which seems quite
redundant. Is this because the intended workflow excludes this approach?
Am I thinking about this wrongly?
Or is this the kind of thing that was left for extensions to implement?
I can see it would be possible to implement this in an extension - by
implementing IAuthFunctions to override the permissions for
package_update, resource_update, resource_view_update, etc. The dataset
creator is available as creator_user_id.
Creating a new role (to differentiate these users from editors who can
still edit all datasets) is not as straightforward. I did not see any
API for this. It is possible (by adding the role in
new_authz.ROLE_PERMISSIONS) but that also requires injecting a function
in the module ckan.new_authz to provide the translated string for that
role (ckan.new_authz._trans_role_<role name>), which is obviously not a
reliable thing to do.
Any thoughts on the alternative workflows for this or implementation
ideas are welcome :-)
Thanks,
Alice
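
The creator-only check proposed in the message above, as an added example that is not part of the original post and not CKAN's own code. CKAN is not imported: the in-memory `DATASETS` and `RESOURCES` tables and the `user_id` context key are constructed stand-ins for CKAN's model lookups, while the `(context, data_dict)` signature and the `{'success': ..., 'msg': ...}` return value follow CKAN's auth-function convention.

```python
# Added example; CKAN itself is not imported. DATASETS, RESOURCES and the
# 'user_id' context key are assumptions standing in for CKAN's model layer.

DATASETS = {  # dataset id -> record (constructed sample data)
    "ds-1": {"creator_user_id": "u-alice"},
    "ds-2": {"creator_user_id": "u-bob"},
    "ds-3": {"creator_user_id": None},  # e.g. imported, no recorded creator
}
RESOURCES = {"res-1": {"package_id": "ds-1"}, "res-2": {"package_id": "ds-2"}}


def _deny(msg):
    return {"success": False, "msg": msg}


def _creator_only(context, dataset_id):
    """Allow the edit only when the acting user created the dataset."""
    user_id = context.get("user_id")
    if not user_id:  # anonymous caller: fail closed
        return _deny("Login required")
    dataset = DATASETS.get(dataset_id)
    if dataset is None:
        return _deny("Dataset not found")
    creator = dataset.get("creator_user_id")
    # A missing creator must never match; compare ids, not display names.
    if not creator or creator != user_id:
        return _deny("Only the dataset creator may edit this dataset")
    return {"success": True}


def package_update(context, data_dict):
    return _creator_only(context, data_dict.get("id"))


def resource_update(context, data_dict):
    # A resource inherits the rule from its parent dataset.
    resource = RESOURCES.get(data_dict.get("id"))
    if resource is None:
        return _deny("Resource not found")
    return _creator_only(context, resource["package_id"])


def get_auth_functions():
    """The mapping an IAuthFunctions plugin returns to override the defaults."""
    return {"package_update": package_update, "resource_update": resource_update}
```

Datasets with no recorded creator are denied to everyone here, so a real deployment would still need a path for sysadmins or organization admins to edit them.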