[#316] Add auth for followee_list APIs

Don't let visitors or other users see what a user is following.
ckan · Jan 30, 2013 · 7f4f0de · 7f4f0de
1 parent b722815
commit 7f4f0de
Show file tree

Hide file tree

Showing 3 changed files with 102 additions and 3 deletions.
diff --git a/ckan/logic/action/get.py b/ckan/logic/action/get.py
@@ -2383,6 +2383,7 @@ def user_followee_list(context, data_dict):
     :rtype: list of dictionaries
 
     '''
+    _check_access('user_followee_list', context, data_dict)
     schema = context.get('schema') or (
             ckan.logic.schema.default_follow_user_schema())
     data_dict, errors = _validate(data_dict, schema, context)
@@ -2410,6 +2411,7 @@ def dataset_followee_list(context, data_dict):
     :rtype: list of dictionaries
 
     '''
+    _check_access('dataset_followee_list', context, data_dict)
     schema = context.get('schema') or (
             ckan.logic.schema.default_follow_user_schema())
     data_dict, errors = _validate(data_dict, schema, context)
@@ -2438,6 +2440,7 @@ def group_followee_list(context, data_dict):
     :rtype: list of dictionaries
 
     '''
+    _check_access('group_followee_list', context, data_dict)
     schema = context.get('schema',
             ckan.logic.schema.default_follow_user_schema())
     data_dict, errors = _validate(data_dict, schema, context)

diff --git a/ckan/logic/auth/get.py b/ckan/logic/auth/get.py
@@ -229,3 +229,32 @@ def dataset_follower_list(context, data_dict):
 
 def group_follower_list(context, data_dict):
     return sysadmin(context, data_dict)
+
+
+def _followee_list(context, data_dict):
+    model = context['model']
+
+    # Visitors cannot see what users are following.
+    authorized_user = model.User.get(context.get('user'))
+    if not authorized_user:
+        return {'success': False, 'msg': _('Not authorized')}
+
+    # Any user is authorized to see what she herself is following.
+    requested_user = model.User.get(data_dict.get('id'))
+    if authorized_user == requested_user:
+        return {'success': True}
+
+    # Sysadmins are authorized to see what anyone is following.
+    return sysadmin(context, data_dict)
+
+
+def user_followee_list(context, data_dict):
+    return _followee_list(context, data_dict)
+
+
+def dataset_followee_list(context, data_dict):
+    return _followee_list(context, data_dict)
+
+
+def group_followee_list(context, data_dict):
+    return _followee_list(context, data_dict)
diff --git a/ckan/tests/functional/api/test_follow.py b/ckan/tests/functional/api/test_follow.py
@@ -72,7 +72,7 @@ def follow_user(app, follower_id, apikey, object_id, object_arg,
 
     # Check that the object appears in the follower's list of followees.
     followees = ckan.tests.call_action_api(app, 'user_followee_list',
-            id=follower_id)
+            apikey=sysadmin_apikey, id=follower_id)
     assert len(followees) == followee_count_before + 1
     assert len([followee for followee in followees if followee['id'] == object_id]) == 1
 
@@ -133,7 +133,7 @@ def follow_dataset(app, follower_id, apikey, dataset_id, dataset_arg,
 
     # Check that the dataset appears in the follower's list of followees.
     followees = ckan.tests.call_action_api(app, 'dataset_followee_list',
-            id=follower_id)
+            apikey=sysadmin_apikey, id=follower_id)
     assert len(followees) == followee_count_before + 1
     assert len([followee for followee in followees if followee['id'] == dataset_id]) == 1
 
@@ -194,7 +194,7 @@ def follow_group(app, user_id, apikey, group_id, group_arg, sysadmin_apikey):
 
     # Check that the group appears in the user's list of followees.
     followees = ckan.tests.call_action_api(app, 'group_followee_list',
-            id=user_id)
+            apikey=sysadmin_apikey, id=user_id)
     assert len(followees) == followee_count_before + 1
     assert len([followee for followee in followees
         if followee['id'] == group_id]) == 1
@@ -297,6 +297,73 @@ def test_00_sysadmin_can_get_group_follower_list(self):
         ckan.tests.call_action_api(self.app, 'group_follower_list',
                 id='roger', status=200, apikey=self.testsysadmin['apikey'])
 
+    def test_00_visitor_cannot_get_user_followee_list(self):
+        '''A visitor cannot see what users a user is following.'''
+        ckan.tests.call_action_api(self.app, 'user_followee_list',
+                id=self.russianfan['id'], status=403)
+
+    def test_00_user_cannot_get_user_followee_list(self):
+        '''A user cannot see what users another user is following.'''
+        ckan.tests.call_action_api(self.app, 'user_followee_list',
+                id=self.russianfan['id'], status=403,
+                apikey=self.annafan['apikey'])
+
+    def test_00_sysadmin_can_get_user_followee_list(self):
+        '''A sysadmin can see what users another user is following.'''
+        ckan.tests.call_action_api(self.app, 'user_followee_list',
+                id=self.russianfan['id'], status=200,
+                apikey=self.testsysadmin['apikey'])
+
+    def test_00_user_can_get_own_user_followee_list(self):
+        '''A user can see what users she herself is following.'''
+        ckan.tests.call_action_api(self.app, 'user_followee_list',
+                id=self.russianfan['id'], status=200,
+                apikey=self.russianfan['apikey'])
+
+    def test_00_visitor_cannot_get_dataset_followee_list(self):
+        '''A visitor cannot see what datasets a user is following.'''
+        ckan.tests.call_action_api(self.app, 'dataset_followee_list',
+                id=self.russianfan['id'], status=403)
+
+    def test_00_user_cannot_get_dataset_followee_list(self):
+        '''A user cannot see what datasets another user is following.'''
+        ckan.tests.call_action_api(self.app, 'dataset_followee_list',
+                id='russianfan', status=403, apikey=self.annafan['apikey'])
+
+    def test_00_sysadmin_can_get_dataset_followee_list(self):
+        '''A sysadmin can see what datasets another user is following.'''
+        ckan.tests.call_action_api(self.app, 'dataset_followee_list',
+                id='russianfan', status=200,
+                apikey=self.testsysadmin['apikey'])
+
+    def test_00_user_can_get_own_dataset_followee_list(self):
+        '''A user can see what datasets she herself is following.'''
+        ckan.tests.call_action_api(self.app, 'dataset_followee_list',
+                id=self.russianfan['id'], status=200,
+                apikey=self.russianfan['apikey'])
+
+    def test_00_visitor_cannot_get_group_followee_list(self):
+        '''A visitor cannot see what groups a user is following.'''
+        ckan.tests.call_action_api(self.app, 'group_followee_list',
+                id='roger', status=403)
+
+    def test_00_user_cannot_get_group_followee_list(self):
+        '''A user cannot see what groups another user is following.'''
+        ckan.tests.call_action_api(self.app, 'group_followee_list',
+                id='roger', status=403, apikey=self.annafan['apikey'])
+
+    def test_00_sysadmin_can_get_group_followee_list(self):
+        '''A sysadmin can see what groups another user is following.'''
+        ckan.tests.call_action_api(self.app, 'group_followee_list',
+                id=self.annafan['id'], status=200,
+                apikey=self.testsysadmin['apikey'])
+
+    def test_00_user_can_get_own_group_followee_list(self):
+        '''A user can see what groups she herself is following.'''
+        ckan.tests.call_action_api(self.app, 'group_followee_list',
+                id=self.russianfan['id'], status=200,
+                apikey=self.russianfan['apikey'])
+
     def test_01_user_follow_user_bad_apikey(self):
         for apikey in ('bad api key', '', '     ', 'None', '3', '35.7', 'xxx'):
             error = ckan.tests.call_action_api(self.app, 'follow_user',