diff --git a/ckan/config/deployment.ini_tmpl b/ckan/config/deployment.ini_tmpl index 738ff22858d..a36ebf37eb1 100644 --- a/ckan/config/deployment.ini_tmpl +++ b/ckan/config/deployment.ini_tmpl @@ -65,7 +65,7 @@ ckan.auth.user_create_groups = true ckan.auth.user_create_organizations = true ckan.auth.user_delete_groups = true ckan.auth.user_delete_organizations = true -ckan.auth.create_user_via_api = false +ckan.auth.anon_create_user = true ## Search Settings diff --git a/ckan/config/environment.py b/ckan/config/environment.py index fd1d3c24b9e..3b4ec8fcfba 100644 --- a/ckan/config/environment.py +++ b/ckan/config/environment.py @@ -99,11 +99,19 @@ def __getattr__(self, name): return self.null_function +def _warn_deprecated_configs(app_conf): + if 'ckan.auth.create_user_via_api' in app_conf: + log.warn('Configuration `ckan.auth.create_user_via_api` is deprecated ' + 'and will be removed soon. Please use ' + '`ckan.auth.anon_create_user` instead.') + def load_environment(global_conf, app_conf): """Configure the Pylons environment via the ``pylons.config`` object. This code should only need to be run once. """ + _warn_deprecated_configs(app_conf) + ###### Pylons monkey-patch # this must be run at a time when the env is semi-setup, thus inlined here. # Required by the deliverance plugin and iATI diff --git a/ckan/logic/auth/create.py b/ckan/logic/auth/create.py index 168f61a2b63..6cb0d19455e 100644 --- a/ckan/logic/auth/create.py +++ b/ckan/logic/auth/create.py 
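Review bot: In ckan/config/deployment.ini_tmpl the template now ships `ckan.auth.anon_create_user = true` with no comment beside it, so a fresh deployment gets open self-registration without the operator being told that this line is the switch for it. A comment above the setting, for example `## Set to false to stop visitors from registering their own accounts`, would make the hardening choice visible. The template also no longer mentions `ckan.auth.create_user_via_api`, although `user_create` in ckan/logic/auth/create.py still reads it in this same commit.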
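Review bot: In ckan/config/environment.py, `_warn_deprecated_configs` tells operators to switch to `ckan.auth.anon_create_user`, but `user_create` still reads `create_user_via_api` in this commit and its default is `False`. An operator who follows the warning and deletes the old key therefore keeps API user creation denied, with no log line explaining why. The message should say what the old key still controls until it is removed, or the check in `user_create` should be dropped in the same change. The helper also lacks a docstring, e.g. `"""Log a warning for each deprecated option still present in app_conf."""`, and `log.warning` is the non-deprecated spelling of `log.warn`.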
@@ -105,12 +105,20 @@ def rating_create(context, data_dict): def user_create(context, data_dict=None): + # create_user_via_api is deprecated + using_api = 'api_version' in context + create_user_via_api = new_authz.check_config_permission( + 'create_user_via_api') + create_user = new_authz.check_config_permission( 'anon_create_user') if not create_user: return {'success': False, 'msg': _('Not authorized to ' 'create users')} + elif using_api and not create_user_via_api: + return {'success': False, 'msg': _('User {user} not authorized to ' + 'create users via the API').format(user=context.get('user'))} else: return {'success': True} diff --git a/ckan/new_authz.py b/ckan/new_authz.py index 650711d4c22..36c34d36c11 100644 --- a/ckan/new_authz.py +++ b/ckan/new_authz.py @@ -275,13 +275,14 @@ def _get_auth_function(action): # permission and default # these are prefixed with ckan.auth. in config to override 'anon_create_dataset': False, + 'anon_create_user': True, 'create_dataset_if_not_in_organization': True, 'create_unowned_dataset': True, 'user_create_groups': True, 'user_create_organizations': True, 'user_delete_groups': True, 'user_delete_organizations': True, - 'anon_create_user': True, + 'create_user_via_api': False, } CONFIG_PERMISSIONS = {} diff --git a/ckan/tests/logic/test_auth.py b/ckan/tests/logic/test_auth.py index 0c8ca4b3934..b8da953f0b3 100644 --- a/ckan/tests/logic/test_auth.py +++ b/ckan/tests/logic/test_auth.py @@ -6,13 +6,14 @@ INITIAL_TEST_CONFIG_PERMISSIONS = { 'anon_create_dataset': False, + 'anon_create_user': False, 'create_dataset_if_not_in_organization': False, 'user_create_groups': False, 'user_create_organizations': False, 'user_delete_groups': False, 'user_delete_organizations': False, - 'anon_create_user': False, 'create_unowned_dataset': False, + 'create_user_via_api': False, } diff --git a/doc/configuration.rst b/doc/configuration.rst index 889341299a0..c4d706bdc79 100644 --- a/doc/configuration.rst +++ b/doc/configuration.rst 
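Review bot: The new `elif` in `user_create` (ckan/logic/auth/create.py) decides whether a call came through the API by testing `'api_version' in context`, so any code path that invokes the action without that key is not subject to the `create_user_via_api` restriction. I cannot see from the hunk where the key is set; if the behaviour is intended, say so in a comment such as `# 'api_version' is only set for API requests; other callers are governed by anon_create_user alone`. The denial message also interpolates `context.get('user')`, which for an unauthenticated caller presumably renders as `None` or an empty value, so `'Not authorized to create users via the API'` without the user would read better. The documentation hunk in this commit states that API-only disabling is no longer possible, which does not match this branch.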
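Review bot: In ckan/new_authz.py, `'create_user_via_api': False` is added to the defaults table with nothing marking it as deprecated, while the rest of the commit treats it as on its way out. Add `# deprecated: superseded by anon_create_user` on that entry so the next reader does not take it for a supported switch. The same comment should record that the `False` default keeps user creation through the API denied even when `anon_create_user` is `True`, since `user_create` checks both.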
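Review bot: In ckan/tests/logic/test_auth.py the fixture gains `'create_user_via_api': False`, but nothing in this hunk exercises the new `using_api and not create_user_via_api` branch of `user_create`. With `anon_create_user` also `False` here, the first check denies before the API check is reached. A test for the branch would need `anon_create_user` on, `create_user_via_api` off and `api_version` in the context, asserting the denial, plus the converse case without `api_version`. The rest of the test module is outside the hunk, so such cases may already exist further down.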
@@ -268,6 +268,21 @@ Default value: ``False`` Allow users to create datasets without registering and logging in. +.. _ckan.auth.anon_create_user: + +ckan.auth.anon_create_user +^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Example:: + + ckan.auth.anon_create_user = True + +Default value: ``True`` + + +Allow visitors to create user accounts. + + .. _ckan.auth.create_unowned_dataset: ckan.auth.create_unowned_dataset @@ -359,6 +374,10 @@ Allow users to delete organizations. ckan.auth.create_user_via_api ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +.. deprecated:: 2.2 + It's not possible to disable user creation just through the API anymore. + See :ref:`ckan.auth.anon_create_user`. + Example:: ckan.auth.create_user_via_api = False