Set ignore_auth on a copy of the context

So as not to modify the caller's view of the context.

ckanext/metadata/logic/action/create.py

@@ -192,7 +192,8 @@ def infrastructure_create(context, data_dict):
         'type': 'infrastructure',
         'is_organization': False,
     })
-    context.update({
+    internal_context = context.copy()
+    internal_context.update({
         'schema': schema.infrastructure_create_schema(),
         'invoked_action': 'infrastructure_create',
         'defer_commit': True,
@@ -203,13 +204,13 @@ def infrastructure_create(context, data_dict):
     # defer_commit does not actually work due to a bug in _group_or_org_create (in ckan.logic.action.create)
     # - addition of the creating user as a member is done (committed) without consideration for defer_commit
     # - but it does not make much difference to us here
-    infrastructure_id = tk.get_action('group_create')(context, data_dict)
+    infrastructure_id = tk.get_action('group_create')(internal_context, data_dict)
 
     if not defer_commit:
         model.repo.commit()
 
     output = infrastructure_id if return_id_only \
-        else tk.get_action('infrastructure_show')(context, {'id': infrastructure_id})
+        else tk.get_action('infrastructure_show')(internal_context, {'id': infrastructure_id})
     return output
 
 
@@ -249,7 +250,8 @@ def metadata_collection_create(context, data_dict):
         'type': 'metadata_collection',
         'is_organization': False,
     })
-    context.update({
+    internal_context = context.copy()
+    internal_context.update({
         'schema': schema.metadata_collection_create_schema(),
         'invoked_action': 'metadata_collection_create',
         'defer_commit': True,
@@ -260,14 +262,14 @@ def metadata_collection_create(context, data_dict):
     # defer_commit does not actually work due to a bug in _group_or_org_create (in ckan.logic.action.create)
     # - addition of the creating user as a member is done (committed) without consideration for defer_commit
     # - this will be a (minor) problem if saving of organization membership fails for whatever reason
-    metadata_collection_id = tk.get_action('group_create')(context, data_dict)
-    model_save.metadata_collection_organization_membership_save(data_dict['organization_id'], context)
+    metadata_collection_id = tk.get_action('group_create')(internal_context, data_dict)
+    model_save.metadata_collection_organization_membership_save(data_dict['organization_id'], internal_context)
 
     if not defer_commit:
         model.repo.commit()
 
     output = metadata_collection_id if return_id_only \
-        else tk.get_action('metadata_collection_show')(context, {'id': metadata_collection_id})
+        else tk.get_action('metadata_collection_show')(internal_context, {'id': metadata_collection_id})
     return output
 
 
@@ -319,29 +321,30 @@ def metadata_record_create(context, data_dict):
     return_id_only = context.get('return_id_only', False)
     deserialize_json = asbool(data_dict.get('deserialize_json'))
 
-    context['ignore_auth'] = True
+    internal_context = context.copy()
+    internal_context['ignore_auth'] = True
 
     # this is (mostly) duplicating the schema validation that will be done in package_create below,
     # but we want to validate before doing the attribute mappings
-    data, errors = tk.navl_validate(data_dict, schema.metadata_record_create_schema(), context)
+    data, errors = tk.navl_validate(data_dict, schema.metadata_record_create_schema(), internal_context)
     if errors:
         session.rollback()
         raise tk.ValidationError(errors)
 
     # map values from the metadata JSON into the data_dict
-    attr_map = tk.get_action('metadata_json_attr_map_apply')(context, {
+    attr_map = tk.get_action('metadata_json_attr_map_apply')(internal_context, {
         'metadata_standard_id': data_dict.get('metadata_standard_id'),
         'metadata_json': data_dict.get('metadata_json'),
     })
     data_dict.update(attr_map['data_dict'])
 
     # check if we match an existing record on key attributes mapped from the JSON; if so, switch to an update
-    matching_record_id = tk.get_action('metadata_record_attr_match')(context, attr_map['key_dict'])
+    matching_record_id = tk.get_action('metadata_record_attr_match')(internal_context, attr_map['key_dict'])
     if matching_record_id:
         log.info('Existing record found; switching to metadata_record_update')
         data_dict['id'] = matching_record_id
-        context['redirect_from_create'] = True
-        return tk.get_action('metadata_record_update')(context, data_dict)
+        internal_context['redirect_from_create'] = True
+        return tk.get_action('metadata_record_update')(internal_context, data_dict)
 
     # it's new metadata; create the package object
     data_dict.update({
@@ -351,21 +354,21 @@ def metadata_record_create(context, data_dict):
         'workflow_state_id': '',
         'private': True,
     })
-    context.update({
+    internal_context.update({
         'schema': schema.metadata_record_create_schema(),
         'invoked_action': 'metadata_record_create',
         'defer_commit': True,
         'return_id_only': True,
     })
-    metadata_record_id = tk.get_action('package_create')(context, data_dict)
-    model_save.metadata_record_collection_membership_save(data_dict['metadata_collection_id'], context)
-    model_save.metadata_record_infrastructure_list_save(data_dict.get('infrastructures'), context)
+    metadata_record_id = tk.get_action('package_create')(internal_context, data_dict)
+    model_save.metadata_record_collection_membership_save(data_dict['metadata_collection_id'], internal_context)
+    model_save.metadata_record_infrastructure_list_save(data_dict.get('infrastructures'), internal_context)
 
     if not defer_commit:
         model.repo.commit()
 
     output = metadata_record_id if return_id_only \
-        else tk.get_action('metadata_record_show')(context, {'id': metadata_record_id, 'deserialize_json': deserialize_json})
+        else tk.get_action('metadata_record_show')(internal_context, {'id': metadata_record_id, 'deserialize_json': deserialize_json})
     return output
 
 

ckanext/metadata/logic/action/delete.py

@@ -179,12 +179,13 @@ def infrastructure_delete(context, data_dict):
         tk.get_action('metadata_schema_delete')(cascade_context, {'id': metadata_schema_id})
 
     data_dict['type'] = 'infrastructure'
-    context.update({
+    group_context = context.copy()
+    group_context.update({
         'invoked_action': 'infrastructure_delete',
         'ignore_auth': True,
     })
 
-    tk.get_action('group_delete')(context, data_dict)
+    tk.get_action('group_delete')(group_context, data_dict)
 
 
 def metadata_collection_delete(context, data_dict):
@@ -220,12 +221,13 @@ def metadata_collection_delete(context, data_dict):
         raise tk.ValidationError(_('Metadata collection has dependent metadata records'))
 
     data_dict['type'] = 'metadata_collection'
-    context.update({
+    group_context = context.copy()
+    group_context.update({
         'invoked_action': 'metadata_collection_delete',
         'ignore_auth': True,
     })
 
-    tk.get_action('group_delete')(context, data_dict)
+    tk.get_action('group_delete')(group_context, data_dict)
 
 
 def metadata_record_delete(context, data_dict):
@@ -251,15 +253,16 @@ def metadata_record_delete(context, data_dict):
     tk.check_access('metadata_record_delete', context, data_dict)
 
     data_dict['type'] = 'metadata_record'
-    context.update({
+    internal_context = context.copy()
+    internal_context.update({
         'invoked_action': 'metadata_record_delete',
         'ignore_auth': True,
     })
 
-    tk.get_action('package_delete')(context, data_dict)
+    tk.get_action('package_delete')(internal_context, data_dict)
 
     # make sure it's not left in the search index
-    tk.get_action('metadata_record_index_update')(context, {'id': metadata_record_id})
+    tk.get_action('metadata_record_index_update')(internal_context, {'id': metadata_record_id})
 
 
 def workflow_state_delete(context, data_dict):
@@ -419,9 +422,10 @@ def metadata_record_workflow_annotation_delete(context, data_dict):
     tk.check_access('metadata_record_workflow_annotation_delete', context, data_dict)
 
     key = tk.get_or_bust(data_dict, 'key')
-    context['ignore_auth'] = True
+    internal_context = context.copy()
+    internal_context['ignore_auth'] = True
 
-    annotation_list = tk.get_action('metadata_record_workflow_annotation_list')(context, data_dict)
+    annotation_list = tk.get_action('metadata_record_workflow_annotation_list')(internal_context, data_dict)
     annotation_list = [annotation for annotation in annotation_list if annotation['key'] == key]
 
     if not annotation_list:
@@ -430,7 +434,7 @@ def metadata_record_workflow_annotation_delete(context, data_dict):
     # it's possible for multiple annotations with the same key to exist if applicable jsonpatches
     # were created directly using the ckanext-jsonpatch API; we delete all of them
     for annotation in annotation_list:
-        tk.get_action('jsonpatch_delete')(context, {'id': annotation['jsonpatch_id']})
+        tk.get_action('jsonpatch_delete')(internal_context, {'id': annotation['jsonpatch_id']})
 
 
 def organization_delete(context, data_dict):

ckanext/metadata/logic/action/get.py

@@ -236,13 +236,14 @@ def infrastructure_show(context, data_dict):
         'include_groups': False,
         'include_followers': True,
     })
-    context.update({
+    group_context = context.copy()
+    group_context.update({
         'schema': schema.infrastructure_show_schema(),
         'invoked_action': 'infrastructure_show',
         'ignore_auth': True,
     })
 
-    return tk.get_action('group_show')(context, data_dict)
+    return tk.get_action('group_show')(group_context, data_dict)
 
 
 @tk.side_effect_free
@@ -309,13 +310,14 @@ def metadata_collection_show(context, data_dict):
         'include_groups': False,
         'include_followers': True,
     })
-    context.update({
+    group_context = context.copy()
+    group_context.update({
         'schema': schema.metadata_collection_show_schema(),
         'invoked_action': 'metadata_collection_show',
         'ignore_auth': True,
     })
 
-    return tk.get_action('group_show')(context, data_dict)
+    return tk.get_action('group_show')(group_context, data_dict)
 
 
 @tk.side_effect_free