Restrict access to form pages

ckan · Jul 21, 2017 · 21cefbb · 21cefbb
1 parent cda499a
commit 21cefbb
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 9 deletions.
diff --git a/ckan/controllers/group.py b/ckan/controllers/group.py
@@ -707,7 +707,11 @@ def member_new(self, id):
         context = {'model': model, 'session': model.Session,
                    'user': c.user or c.author}
 
-        #self._check_access('group_delete', context, {'id': id})
+        try:
+            self._check_access('group_member_create', context, {'id': id})
+        except NotAuthorized:
+            abort(403, _('Unauthorized to create group %s members') % '')
+
         try:
             data_dict = {'id': id}
             data_dict['include_datasets'] = False

diff --git a/ckan/controllers/package.py b/ckan/controllers/package.py
@@ -583,17 +583,22 @@ def new(self, data=None, errors=None, error_summary=None):
 
     def resource_edit(self, id, resource_id, data=None, errors=None,
                       error_summary=None):
+        context = {'model': model, 'session': model.Session,
+                   'api_version': 3, 'for_edit': True,
+                   'user': c.user, 'auth_user_obj': c.userobj}
+        data_dict = {'id': id}
+
+        try:
+            check_access('package_update', context, data_dict)
+        except NotAuthorized:
+            abort(403, _('User %r not authorized to edit %s') % (c.user, id))
 
         if request.method == 'POST' and not data:
             data = data or clean_dict(dict_fns.unflatten(tuplize_dict(parse_params(
                 request.POST))))
             # we don't want to include save as it is part of the form
             del data['save']
 
-            context = {'model': model, 'session': model.Session,
-                       'api_version': 3, 'for_edit': True,
-                       'user': c.user or c.author, 'auth_user_obj': c.userobj}
-
             data['package_id'] = id
             try:
                 if resource_id:
@@ -610,10 +615,6 @@ def resource_edit(self, id, resource_id, data=None, errors=None,
                 abort(401, _('Unauthorized to edit this resource'))
             redirect(h.url_for(controller='package', action='resource_read',
                                id=id, resource_id=resource_id))
-
-        context = {'model': model, 'session': model.Session,
-                   'api_version': 3, 'for_edit': True,
-                   'user': c.user or c.author, 'auth_user_obj': c.userobj}
         pkg_dict = get_action('package_show')(context, {'id': id})
         if pkg_dict['state'].startswith('draft'):
             # dataset has not yet been fully created