[ckan-dev] IPermissionLabels implementation

Serban Teodorescu teodorescu.serban at gmail.com
Fri Apr 12 17:00:03 UTC 2019


Usually you'd want to feature a public thing, right? I guess this is why
the assumption to ignore auth.

Fri, 12 Apr 2019, 19:45 Jannik Levesque <jannik.levesque at dti.ulaval.ca>
wrote:

> Hi!
>
>
> I created an extension to add a permission level for the dataset
> visibility. I implemented the IPermissionLabels interface as recommended in
> the doc :
> https://docs.ckan.org/en/latest/maintaining/authorization.html#extensions
>
>
> I added an internal level, so people who are not logged in can't see those
> datasets. It works well except on the home page. The snippets
> *featured_group.html* and *featured_organization.html* use the core helper
> *featured_group_org*. This function passes True to ignore_auth in the
> context:
>
>
>
> def featured_group_org(items, get_action, list_action, count):
>     def get_group(id):
>         context = {'ignore_auth': True,
> ....
>
>
> Because of that, when package_search is executed later, it assigns None to
> the labels :
>
>         # enforce permission filter based on user
>         if context.get('ignore_auth') or (user and authz.is_sysadmin(user)):
>             labels = None
>         else:
>             labels = lib_plugins.get_permission_labels(
>                 ).get_user_dataset_labels(context['auth_user_obj'])
>
>         query = search.query_for(model.Package)
>         query.run(data_dict, permission_labels=labels)
>
> So when the query runs, it bypasses the permission labels, and an unlogged
> user can see internal datasets in the featured group/org on the home page.
> I tried to set ignore_auth to False, and it fixes my problem. So I could
> overwrite this helper with the interface ITemplateHelpers. But I wanted to
> know if this change could lead to another problem somewhere else? Why are the
> permissions bypassed there, does someone know?
>
> Thanks for your time!
> __________________
> Jannik Levesque


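Added example, not part of either message and not CKAN's own code: a stand-alone Python model of the label decision in the quoted package_search snippet, showing which datasets a featured group/org box would return to an anonymous visitor with ignore_auth set and unset. The dataset names, the 'internal' label and all function names are constructed for illustration; no CKAN import is needed.

```python
# Stand-alone model of the label check quoted above; no CKAN import needed.
# Dataset names, the 'internal' label and all helper names are constructed.

DATASETS = [
    {"name": "open-budget", "labels": ["public"]},
    {"name": "staff-directory", "labels": ["internal"]},
    {"name": "draft-survey", "labels": ["creator-u1"]},
]


def user_labels(user):
    """Labels a user may see (plays the role of get_user_dataset_labels)."""
    if user is None:                       # anonymous visitor
        return ["public"]
    return ["public", "internal", "creator-%s" % user["id"]]


def resolve_labels(context, user=None, is_sysadmin=False):
    """Same decision as the quoted package_search snippet."""
    if context.get("ignore_auth") or (user and is_sysadmin):
        return None                        # None means "do not filter"
    return user_labels(user)


def run_query(labels):
    """Index-side filter: None returns everything, else labels must overlap."""
    if labels is None:
        return [d["name"] for d in DATASETS]
    return [d["name"] for d in DATASETS if set(d["labels"]) & set(labels)]


def featured_packages(ignore_auth, user=None):
    """Datasets a featured group/org box would list for this visitor."""
    context = {"ignore_auth": ignore_auth}
    return run_query(resolve_labels(context, user))


def leaked(user=None):
    """Names visible only because ignore_auth is set: a regression check."""
    return sorted(set(featured_packages(True, user))
                  - set(featured_packages(False, user)))


if __name__ == "__main__":
    print("anonymous, ignore_auth=True :", featured_packages(True))
    print("anonymous, ignore_auth=False:", featured_packages(False))
    print("leaked to anonymous         :", leaked())
```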