From 8c026847881800b449fb8ad891eb5a165b490111 Mon Sep 17 00:00:00 2001
From: tobes
Date: Wed, 3 Oct 2012 10:10:55 +0100
Subject: [PATCH] [#2939] Auth package_show() changes

---
 ckan/logic/auth/get.py | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/ckan/logic/auth/get.py b/ckan/logic/auth/get.py
index 0780e194598..30bdc4ad41b 100644
--- a/ckan/logic/auth/get.py
+++ b/ckan/logic/auth/get.py
@@ -1,6 +1,6 @@
 import ckan.logic as logic
+import ckan.new_authz as new_authz
 from ckan.authz import Authorizer
-import ckan.new_authz
 from ckan.lib.base import _
 from ckan.logic.auth import (get_package_object, get_group_object, get_resource_object, get_related_object)
@@ -89,24 +89,24 @@ def package_relationships_list(context, data_dict):
 return {'success': True}

 def package_show(context, data_dict):
- model = context['model']
- user = context.get('user')
 package = get_package_object(context, data_dict)
-
- authorized = logic.check_access_old(package, model.Action.READ, context)
+ # draft state indicates package is still in the creation process
+ # so we need to check we have creation rights.
+ if package.state.startswith('draft'):
+ auth = new_authz.is_authorized('package_update',
+ context, data_dict)
+ authorized = auth.get('success')
+ else:
+ # anyone can see a public package
+ if not package.private:
+ return {'success': True}
+ user = context.get('user')
+ user_id = new_authz.get_user_id_for_username(user, allow_none=True)
+ authorized = new_authz.has_user_permission_for_group_or_org(
+ package.owner_org, user_id, 'read')
 if not authorized:
- return {'success': False, 'msg': _('User %s not authorized to read package %s') % (str(user),package.id)}
+ return {'success': False, 'msg': _('User %s not authorized to read package %s') % (user, package.id)}
 else:
- # draft state indicates package is still in the creation process
- # so we need to check we have creation rights.
- if package.state.startswith('draft'):
- auth = ckan.new_authz.is_authorized('package_update',
- context, data_dict)
- if not auth.get('success'):
- msg = _('User %s not authorized to read package %s') \
- % (str(user),package.id)
- return {'success': False, 'msg': msg}
-
 return {'success': True}

 def related_show(context, data_dict=None):
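Review bot: `user` is now assigned only after the `else:` (`user = context.get('user')`), yet the shared denial message at the bottom of `package_show` still formats `% (user, package.id)`. Indentation is flattened on this page, but assuming that assignment sits inside the `else:` block as the control flow implies, a draft package whose `package_update` check fails would raise UnboundLocalError instead of returning `{'success': False, ...}`. Moving `user = context.get('user')` back above `if package.state.startswith('draft'):` keeps the deny path a clean result rather than an exception in the authorization layer. Separately, the `if not package.private: return {'success': True}` shortcut looks only at the `draft` prefix and the `private` flag, so a package in any other state (a deleted one, if the model has such a state) appears readable by anyone. If that is not intended, gate the shortcut on the state as well and add a comment naming which states are public.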