From b28316512cba0e31022b4fc1b88b6356dd027b9c Mon Sep 17 00:00:00 2001 From: amercader Date: Tue, 13 Aug 2013 10:34:23 +0100 Subject: [PATCH] Refactor user update logic function --- ckan/logic/auth/update.py | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/ckan/logic/auth/update.py b/ckan/logic/auth/update.py index ac907f487d0..59ec935a52a 100644 --- a/ckan/logic/auth/update.py +++ b/ckan/logic/auth/update.py @@ -178,21 +178,35 @@ def group_edit_permissions(context, data_dict): def user_update(context, data_dict): user = context['user'] - if not user and 'reset_key' not in data_dict: + + # FIXME: We shouldn't have to do a try ... except here, validation should + # have ensured that the data_dict contains a valid user id before we get to + # authorization. + try: + user_obj = logic_auth.get_user_object(context, data_dict) + except logic.NotFound: + return {'success': False, 'msg': _('User not found')} + + # If the user has a valid reset_key in the db, and that same reset key + # has been posted in the data_dict, we allow the user to update + # her account without using her password or API key. + if user_obj.reset_key and 'reset_key' in data_dict: + if user_obj.reset_key == data_dict['reset_key']: + return {'success': True} + + if not user: return {'success': False, 'msg': _('Have to be logged in to edit user')} - user_obj = logic_auth.get_user_object(context, data_dict) - user_reset = ('reset_key' in data_dict and - data_dict['reset_key'] == user_obj.reset_key) - - if not (user == user_obj.name) and not user_reset: + if user == user_obj.name: + # Allow users to update their own user accounts. + return {'success': True} + else: + # Don't allow users to update other users' accounts. return {'success': False, 'msg': _('User %s not authorized to edit user %s') % (user, user_obj.id)} - return {'success': True} - def revision_change_state(context, data_dict): # FIXME currently only sysadmins can change state