Tighten up auth checking in group membership save operations

Otherwise (not raising auth exceptions) the integrity of group memberships might be compromised.
SAEONData · Nov 15, 2018 · cc8e7ee · cc8e7ee
1 parent e6a37c7
commit cc8e7ee
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/ckanext/metadata/lib/dictization/model_save.py b/ckanext/metadata/lib/dictization/model_save.py
@@ -37,6 +37,8 @@ def metadata_record_collection_membership_save(metadata_collection_id, context):
             member_obj.capacity = capacity
             member_obj.state = 'deleted'
             session.add(member_obj)
+        else:
+            raise tk.NotAuthorized
 
     # Add the record to the new metadata collection group
     member_obj = collection_members.get(new_collection)
@@ -54,6 +56,8 @@ def metadata_record_collection_membership_save(metadata_collection_id, context):
                                       capacity=capacity,
                                       state='active')
         session.add(member_obj)
+    else:
+        raise tk.NotAuthorized
 
 
 def metadata_collection_organization_membership_save(organization_id, context):
@@ -147,6 +151,8 @@ def metadata_record_infrastructure_list_save(infrastructure_dicts, context):
             member_obj.capacity = capacity
             member_obj.state = 'deleted'
             session.add(member_obj)
+        else:
+            raise tk.NotAuthorized
 
     # Add any new infrastructure groups
     for infrastructure in infrastructures:
@@ -165,6 +171,8 @@ def metadata_record_infrastructure_list_save(infrastructure_dicts, context):
                                           capacity=capacity,
                                           state='active')
             session.add(member_obj)
+        else:
+            raise tk.NotAuthorized
 
 
 def metadata_schema_dict_save(metadata_schema_dict, context):

diff --git a/ckanext/metadata/tests/factories.py b/ckanext/metadata/tests/factories.py
@@ -24,7 +24,10 @@ def _create(cls, target_class, *args, **kwargs):
             assert False, "Positional args aren't supported, use keyword args."
 
         context = {'user': ckan_factories._get_action_user_name(kwargs)}
-        organization_id = kwargs.pop('organization_id', None) or ckan_factories.Organization()['id']
+        org_kwargs = {}
+        if 'user' in kwargs:
+            org_kwargs['user'] = kwargs['user']
+        organization_id = kwargs.pop('organization_id', None) or ckan_factories.Organization(**org_kwargs)['id']
 
         return helpers.call_action('metadata_collection_create',
                                    context=context,