[#1471] Fix dataset deletion authorization for unowned datasets

We are basically deferring the whole package_delete auth function to
package_update, because deletions are basically changing the state field
of a dataset from 'active' to 'deleted'.

ckan/logic/auth/delete.py

@@ -1,6 +1,6 @@
 import ckan.logic as logic
 import ckan.new_authz as new_authz
-from ckan.logic.auth import get_package_object, get_group_object, get_related_object
+from ckan.logic.auth import get_group_object, get_related_object
 from ckan.logic.auth import get_resource_object
 import ckan.logic.auth.create as _auth_create
 from ckan.lib.base import _
@@ -12,14 +12,9 @@ def user_delete(context, data_dict):
 
 
 def package_delete(context, data_dict):
-    user = context['user']
-    package = get_package_object(context, data_dict)
-
-    authorized = new_authz.has_user_permission_for_group_or_org(package.owner_org, user, 'delete_dataset')
-    if not authorized:
-        return {'success': False, 'msg': _('User %s not authorized to delete package %s') % (user, package.id)}
-    else:
-        return {'success': True}
+    # Defer auhtorization for package_delete to package_update, as deletions
+    # are essentially changing the state field
+    return logic.check_access('package_update', context, data_dict)
 
 def resource_delete(context, data_dict):
     model = context['model']