[#1038] Fix permission checking for organizations. Corrected bad test.

ckan · Jul 30, 2013 · 4db2d24 · 4db2d24
1 parent 68bfd7a
commit 4db2d24
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/ckan/logic/auth/create.py b/ckan/logic/auth/create.py
@@ -23,7 +23,7 @@ def package_create(context, data_dict=None):
 
     # If an organization is given are we able to add a dataset to it?
     data_dict = data_dict or {}
-    org_id = data_dict.get('organization_id')
+    org_id = data_dict.get('owner_org')
     if org_id and not new_authz.has_user_permission_for_group_or_org(
             org_id, user, 'create_dataset'):
         return {'success': False, 'msg': _('User %s not authorized to add dataset to this organization') % user}

diff --git a/ckan/tests/logic/test_auth.py b/ckan/tests/logic/test_auth.py
@@ -60,6 +60,8 @@ def create_user(cls, name):
 
 
 class TestAuthOrgs(TestAuth):
+    # NB: These tests are dependent on each other, so don't run them
+    #     separately.
 
     def test_01_create_users(self):
         # actual roles assigned later
@@ -90,6 +92,7 @@ def test_02_create_orgs(self):
 
     def test_03_create_dataset_no_org(self):
 
+        # no owner_org supplied
         dataset = {'name': 'admin_create_no_org'}
         self._call_api('package_create', dataset, 'sysadmin', 409)
 
@@ -106,7 +109,7 @@ def test_04_create_dataset_with_org(self):
                    'owner_org': 'org_no_user'}
         self._call_api('package_create', dataset, 'sysadmin', 200)
 
-        dataset = {'name': 'user_create_with_org',
+        dataset = {'name': 'user_create_with_no_org',
                    'owner_org': 'org_with_user'}
         self._call_api('package_create', dataset, 'no_org', 403)
 
@@ -138,15 +141,15 @@ def _add_datasets(self, user):
 
         #not able to add dataset to org admin does not belong to.
         dataset = {'name': user + '_dataset_bad', 'owner_org': 'org_no_user'}
-        self._call_api('package_create', dataset, user, 409)
+        self._call_api('package_create', dataset, user, 403)
 
         #admin not able to make dataset not owned by a org
         dataset = {'name': user + '_dataset_bad'}
         self._call_api('package_create', dataset, user, 409)
 
         #not able to add org to not existant org
         dataset = {'name': user + '_dataset_bad', 'owner_org': 'org_not_exist'}
-        self._call_api('package_create', dataset, user, 409)
+        self._call_api('package_create', dataset, user, 403)
 
     def test_07_add_datasets(self):
         self._add_datasets('org_admin')
@@ -317,7 +320,7 @@ def test_08_update_datasets_5(self):
     def test_08_update_datasets_6(self):
         dataset = {'name': 'adataset', 'owner_org': 'nhs-wirral-ccg'}
         self._call_api('package_update', dataset, 'nhseditor', 409)
-        
+
     def test_09_delete_datasets_1(self):
         dataset = {'id': 'doh-spend'}
         try: