From 5baa9e968fc750c2861efe162a96bcb2d87e9172 Mon Sep 17 00:00:00 2001
From: amercader
Date: Wed, 11 Jun 2014 18:11:25 +0100
Subject: [PATCH 1/2] [#1766] Don't show 'add some resources' link if not auhtorized
---
 ckan/templates/package/snippets/resources_list.html | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/ckan/templates/package/snippets/resources_list.html b/ckan/templates/package/snippets/resources_list.html
index 4672539cbc3..9eb739284e6 100644
--- a/ckan/templates/package/snippets/resources_list.html
+++ b/ckan/templates/package/snippets/resources_list.html
@@ -21,12 +21,13 @@

{{ _('Data and Resources') }}

{% endblock %} {% else %} -

- {# Comment out "add some" as action doesn't exist yet #} - {% trans url=h.url_for(controller='package', action='new_resource', id=pkg.name) %} -

This dataset has no data, why not add some? - {% endtrans %} -

+ {% if h.check_access('resource_create', pkg) %} + {% trans url=h.url_for(controller='package', action='new_resource', id=pkg.name) %} +

This dataset has no data, why not add some?

+ {% endtrans %} + {% else %} +

{{ _('This dataset has no data') }}

+ {% endif %}
 {% endif %}
 {% endblock %}
From 4dd343803e515c8ae74d5965afa2f1ffcadcedde Mon Sep 17 00:00:00 2001
From: amercader
Date: Wed, 11 Jun 2014 18:12:05 +0100
Subject: [PATCH 2/2] [#1766] Check access on new resource page

Add auth check to the `new_resource` action on the package controller so the form is not shown to unauthorized users.
---
 ckan/controllers/package.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/ckan/controllers/package.py b/ckan/controllers/package.py
index a7019add4cd..46bb986e90f 100644
--- a/ckan/controllers/package.py
+++ b/ckan/controllers/package.py
@@ -704,6 +704,11 @@ def new_resource(self, id, data=None, errors=None, error_summary=None):
 pkg_dict = get_action('package_show')(context, {'id': id})
 except NotFound:
 abort(404, _('The dataset {id} could not be found.').format(id=id))
+ try:
+ check_access('resource_create', context, pkg_dict)
+ except NotAuthorized:
+ abort(401, _('Unauthorized to create a resource for this package'))
+
 # required for nav menu
 vars['pkg_dict'] = pkg_dict
 template = 'package/new_resource_not_draft.html'
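Review bot: The new `{% if h.check_access('resource_create', pkg) %}` guard only hides the link, so it is a presentation hint and not the access control itself. A short template comment such as `{# UI hint only: access is enforced in the new_resource controller #}` would stop a later reader from treating it as the enforcement point. The whole `pkg` object is passed as the data dict, and the controller hunk in patch 2/2 passes `pkg_dict` the same way. Which fields the `resource_create` auth function reads is not visible in this patch, so it is worth confirming that the decision is made against this dataset (its id or owning organisation) rather than against a general create permission.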
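Review bot: The `package_show` call just above the added block is guarded only by `except NotFound:` in the visible lines, so if it raises `NotAuthorized` (for example on a dataset the user may not read) the request would presumably fail with an unhandled error before the new check runs. Moving `check_access('resource_create', context, pkg_dict)` into that existing `try` and adding a single `except NotAuthorized:` next to `except NotFound:` would cover both calls with one handler. `new_resource` starts before and continues past this hunk, so whether the form-submission branch also reaches this check cannot be seen here. That path should rely on the `resource_create` action's own authorization rather than on this render-time check.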