

Fix some auth functions not using IAuthFunctions
Various auth functions are purely wrappers around other auth functions.
Unfortunately, this means that when one of the auth functions (a parent) that is used by others (children) is overridden,
the children still call the original version rather than the overridden one.

This commit fixes this for most cases.
Psykar committed Jun 1, 2016
1 parent 1885cba commit 2cc254d
Showing 9 changed files with 160 additions and 45 deletions.
8 changes: 4 additions & 4 deletions ckan/logic/auth/create.py
Expand Up @@ -78,11 +78,11 @@ def resource_create(context, data_dict):


def resource_view_create(context, data_dict):
return resource_create(context, {'id': data_dict['resource_id']})
return authz.is_authorized('resource_create', context, {'id': data_dict['resource_id']})


def resource_create_default_resource_views(context, data_dict):
return resource_create(context, {'id': data_dict['resource']['id']})
return authz.is_authorized('resource_create', context, {'id': data_dict['resource']['id']})


def package_create_default_resource_views(context, data_dict):
Expand Down Expand Up @@ -208,15 +208,15 @@ def package_create_rest(context, data_dict):
if not user:
return {'success': False, 'msg': _('Valid API key needed to create a package')}

return package_create(context, data_dict)
return authz.is_authorized('package_create', context, data_dict)

def group_create_rest(context, data_dict):
model = context['model']
user = context['user']
if not user:
return {'success': False, 'msg': _('Valid API key needed to create a group')}

return group_create(context, data_dict)
return authz.is_authorized('group_create', context, data_dict)

def vocabulary_create(context, data_dict):
# sysadmins only
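Review bot: The rewritten return lines in `resource_view_create` and `resource_create_default_resource_views` give no hint why the dispatcher is called instead of the sibling function, so a later cleanup could plausibly "simplify" them back to the direct call and silently reintroduce the override bypass this commit fixes. A one-line comment above each such wrapper, `# dispatch via authz so IAuthFunctions overrides of the parent apply here too`, would protect the fix; the same applies to every wrapper rewritten in delete.py, get.py, update.py and patch.py. Both new lines here also run past 79 columns, as do the `resource_delete` and `resource_update` equivalents in delete.py and update.py; putting the dict literal on its own continuation line keeps them pep8-clean. `resource_create`, named in the first hunk header, ends before the hunk begins.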
16 changes: 8 additions & 8 deletions ckan/logic/auth/delete.py
Expand Up @@ -2,8 +2,6 @@
import ckan.authz as authz
from ckan.logic.auth import get_group_object
from ckan.logic.auth import get_resource_object
import ckan.logic.auth.create as _auth_create
import ckan.logic.auth.update as _auth_update
from ckan.lib.base import _


Expand All @@ -15,12 +13,14 @@ def user_delete(context, data_dict):
def package_delete(context, data_dict):
# Defer authorization for package_delete to package_update, as deletions
# are essentially changing the state field
return _auth_update.package_update(context, data_dict)
return authz.is_authorized('package_update', context, data_dict)


def dataset_purge(context, data_dict):
# Only sysadmins are authorized to purge datasets
return {'success': False}


def resource_delete(context, data_dict):
model = context['model']
user = context.get('user')
Expand All @@ -32,7 +32,7 @@ def resource_delete(context, data_dict):
raise logic.NotFound(_('No package found for this resource, cannot check auth.'))

pkg_dict = {'id': pkg.id}
authorized = package_delete(context, pkg_dict).get('success')
authorized = authz.is_authorized('package_delete', context, pkg_dict).get('success')

if not authorized:
return {'success': False, 'msg': _('User %s not authorized to delete resource %s') % (user, resource.id)}
Expand All @@ -43,9 +43,9 @@ def resource_delete(context, data_dict):
def resource_view_delete(context, data_dict):

if context.get('resource'):
return resource_delete(context, {})
return authz.is_authorized('resource_delete', context, {})
if context.get('resource_view'):
return resource_delete(context, {'id': context['resource_view'].resource_id})
return authz.is_authorized('resource_delete', context, {'id': context['resource_view'].resource_id})

resource_id = data_dict.get('resource_id')
if not resource_id:
Expand All @@ -54,7 +54,7 @@ def resource_view_delete(context, data_dict):
raise logic.NotFound(_('Resource view not found, cannot check auth.'))
resource_id = resource_view.resource_id

return resource_delete(context, {'id': resource_id})
return authz.is_authorized('resource_delete', context, {'id': resource_id})


def resource_view_clear(context, data_dict):
Expand Down Expand Up @@ -134,4 +134,4 @@ def organization_member_delete(context, data_dict):
return {'success': True}

def member_delete(context, data_dict):
return _auth_create.member_create(context, data_dict)
return authz.is_authorized('member_create', context, data_dict)
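Review bot: `member_delete` still authorizes a removal by asking whether the caller may `member_create`, and the rewritten one-liner keeps that indirection undocumented, whereas `package_delete` a few hunks up explains its own deferral to `package_update`. A comment such as `# Removing a member needs the same rights as adding one, so defer to member_create` would make the intent explicit and match the style already used in this file. The `organization_member_delete` body preceding it starts outside the hunk.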
68 changes: 45 additions & 23 deletions ckan/logic/auth/get.py
Expand Up @@ -29,31 +29,40 @@ def package_list(context, data_dict):
# List of all active packages are visible by default
return {'success': True}


def current_package_list_with_resources(context, data_dict):
return package_list(context, data_dict)
return authz.is_authorized('package_list', context, data_dict)


def revision_list(context, data_dict):
# In our new model everyone can read the revison list
return {'success': True}


def group_revision_list(context, data_dict):
return group_show(context, data_dict)
return authz.is_authorized('group_show', context, data_dict)


def organization_revision_list(context, data_dict):
return group_show(context, data_dict)
return authz.is_authorized('group_show', context, data_dict)


def package_revision_list(context, data_dict):
return package_show(context, data_dict)
return authz.is_authorized('package_show', context, data_dict)


def group_list(context, data_dict):
# List of all active groups is visible by default
return {'success': True}


def group_list_authz(context, data_dict):
return group_list(context, data_dict)
return authz.is_authorized('group_list', context, data_dict)


def group_list_available(context, data_dict):
return group_list(context, data_dict)
return authz.is_authorized('group_list', context, data_dict)


def organization_list(context, data_dict):
# List of all active organizations are visible by default
Expand Down Expand Up @@ -141,10 +150,12 @@ def resource_show(context, data_dict):


def resource_view_show(context, data_dict):
return resource_show(context, data_dict)
return authz.is_authorized('resource_show', context, data_dict)


def resource_view_list(context, data_dict):
return resource_show(context, data_dict)
return authz.is_authorized('resource_show', context, data_dict)


def revision_show(context, data_dict):
# No authz check in the logic function
Expand All @@ -162,8 +173,10 @@ def group_show(context, data_dict):
else:
return {'success': False, 'msg': _('User %s not authorized to read group %s') % (user, group.id)}


def organization_show(context, data_dict):
return group_show(context, data_dict)
return authz.is_authorized('group_show', context, data_dict)


def vocabulary_show(context, data_dict):
# Allow viewing of vocabs by default
Expand All @@ -178,20 +191,26 @@ def user_show(context, data_dict):
# the API key are stripped at the action level if not not logged in.
return {'success': True}


def package_autocomplete(context, data_dict):
return package_list(context, data_dict)
return authz.is_authorized('package_list', context, data_dict)


def group_autocomplete(context, data_dict):
return group_list(context, data_dict)
return authz.is_authorized('group_list', context, data_dict)


def organization_autocomplete(context, data_dict):
return organization_list(context, data_dict)
return authz.is_authorized('organization_list', context, data_dict)


def tag_autocomplete(context, data_dict):
return tag_list(context, data_dict)
return authz.is_authorized('tag_list', context, data_dict)


def user_autocomplete(context, data_dict):
return user_list(context, data_dict)
return authz.is_authorized('user_list', context, data_dict)


def format_autocomplete(context, data_dict):
return {'success': True}
Expand All @@ -202,16 +221,19 @@ def task_status_show(context, data_dict):
def resource_status_show(context, data_dict):
return {'success': True}

## Modifications for rest api

## Modifications for rest api
def package_show_rest(context, data_dict):
return package_show(context, data_dict)
return authz.is_authorized('package_show', context, data_dict)


def group_show_rest(context, data_dict):
return group_show(context, data_dict)
return authz.is_authorized('group_show', context, data_dict)


def tag_show_rest(context, data_dict):
return tag_show(context, data_dict)
return authz.is_authorized('tag_show', context, data_dict)


def get_site_user(context, data_dict):
# FIXME this is available to sysadmins currently till
Expand Down Expand Up @@ -243,19 +265,19 @@ def dashboard_new_activities_count(context, data_dict):


def user_follower_list(context, data_dict):
return sysadmin(context, data_dict)
return authz.is_authorized('sysadmin', context, data_dict)


def dataset_follower_list(context, data_dict):
return sysadmin(context, data_dict)
return authz.is_authorized('sysadmin', context, data_dict)


def group_follower_list(context, data_dict):
return sysadmin(context, data_dict)
return authz.is_authorized('sysadmin', context, data_dict)


def organization_follower_list(context, data_dict):
return sysadmin(context, data_dict)
return authz.is_authorized('sysadmin', context, data_dict)


def _followee_list(context, data_dict):
Expand All @@ -272,7 +294,7 @@ def _followee_list(context, data_dict):
return {'success': True}

# Sysadmins are authorized to see what anyone is following.
return sysadmin(context, data_dict)
return authz.is_authorized('sysadmin', context, data_dict)


def followee_list(context, data_dict):
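Review bot: `resource_view_show` and `resource_view_list` forward `data_dict` untouched to `resource_show`, whereas the sibling wrappers in create.py and update.py rebuild it as `{'id': data_dict['resource_id']}` before dispatching; if `resource_show` reads `data_dict['id']` as a resource id, the get.py pair authorizes against the view's id instead. This is pre-existing rather than introduced by the commit, but since every wrapper is being touched it is the right moment to either align them or add a comment such as `# data_dict here already carries the resource id, unlike the create/update wrappers` explaining why they differ. `resource_show` itself is not visible in the hunk, so treat this as a point to confirm rather than a known defect.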
19 changes: 13 additions & 6 deletions ckan/logic/auth/patch.py
@@ -1,10 +1,17 @@
from ckan import logic
import ckan.logic.auth.update as _update
import ckan.authz as authz

package_patch = _update.package_update

resource_patch = _update.resource_update
def package_patch(context, data_dict):
return authz.is_authorized('package_update', context, data_dict)

group_patch = _update.group_update

organization_patch = _update.organization_update
def resource_patch(context, data_dict):
return authz.is_authorized('resource_update', context, data_dict)


def group_patch(context, data_dict):
return authz.is_authorized('group_update', context, data_dict)


def organization_patch(context, data_dict):
return authz.is_authorized('organization_update', context, data_dict)
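Review bot: `from ckan import logic` on the first line is referenced by nothing in the rewritten module, as far as the hunk (which covers the whole file, `-1,10 +1,17`) shows; since this commit already prunes the `_update` import it replaced, the `logic` import should go too, or carry a comment if it is kept deliberately as a re-export. The four new defs are otherwise a clear improvement over module-level aliases, because each now resolves its parent through `authz.is_authorized` at call time instead of binding the original function at import.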
6 changes: 3 additions & 3 deletions ckan/logic/auth/update.py
Expand Up @@ -73,10 +73,10 @@ def resource_update(context, data_dict):


def resource_view_update(context, data_dict):
return resource_update(context, {'id': data_dict['resource_id']})
return authz.is_authorized('resource_update', context, {'id': data_dict['resource_id']})

def resource_view_reorder(context, data_dict):
return resource_update(context, {'id': data_dict['resource_id']})
return authz.is_authorized('resource_update', context, {'id': data_dict['resource_id']})

def package_relationship_update(context, data_dict):
return authz.is_authorized('package_relationship_create',
Expand Down Expand Up @@ -268,7 +268,7 @@ def group_update_rest(context, data_dict):
return {'success': False,
'msg': _('Valid API key needed to edit a group')}

return group_update(context, data_dict)
return authz.is_authorized('group_update', context, data_dict)


def package_owner_org_update(context, data_dict):
2 changes: 1 addition & 1 deletion ckan/tests/logic/auth/test_delete.py
Expand Up @@ -48,7 +48,7 @@ def test_org_user_can_delete(self):
user=user)

response = auth_delete.resource_delete(
{'user': user['name'], 'model': model},
{'user': user['name'], 'model': model, 'auth_user_obj': user},
{'id': dataset['resources'][0]['id']})

assert_equals(response['success'], True)
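Review bot: The context passed to `resource_delete` now has to carry `auth_user_obj` for the test to pass, which appears to show that the dispatched `package_delete` check reads that key where the former direct call did not; nothing in the test records why the key was added, and other tests in this file that call auth functions directly (outside the hunk) may need the same addition. A short comment on the changed line, `# the authz.is_authorized path reads auth_user_obj from the context`, would explain the extra key. `test_org_user_can_delete` begins outside the hunk.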
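--- a/ckanext/example_iauthfunctions/plugin_v6_parent_auth_functions.py
+++ b/ckanext/example_iauthfunctions/plugin_v6_parent_auth_functions.py
@@ -0,0 +1,16 @@
+import pylons.config as config
+
+import ckan.plugins as plugins
+import ckan.plugins.toolkit as toolkit
+
+
+def package_delete(context, data_dict=None):
+    return {'success': False,
+            'msg': 'Only sysadmins can delete packages'}
+
+
+class ExampleIAuthFunctionsPlugin(plugins.SingletonPlugin):
+    plugins.implements(plugins.IAuthFunctions)
+
+    def get_auth_functions(self):
+        return {'package_delete': package_delete}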
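Review bot: `config` and `toolkit` are imported at the top of the new module but nothing in its sixteen lines uses them; drop both, or the example teaches readers to carry dead imports. The module also lacks a docstring saying what it demonstrates, namely that overriding the parent `package_delete` now also governs children such as `resource_delete` that dispatch through `authz.is_authorized`, which is what the `v6_parent_auth_functions` name refers to. The deny message `'Only sysadmins can delete packages'` presumes the dispatcher grants sysadmins before this function is consulted; the hunk does not show that, so a comment stating the assumption, `# sysadmins are expected to be allowed by the dispatcher before this runs`, would help.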