[#1902] Don't show private datasets to group members
1. User Sean creates organization my-org
2. Sean adds private dataset my-dataset to my-org
3. Sean creates group my-group
4. Sean adds private dataset my-dataset to my-group
5. Sean adds user Fred to my-group
6. The group_show API will now show the private dataset my-dataset to
   Fred, even though Fred is not a member of my-org.

For some reason the private dataset does not show on the group's page,
but it does show in the API.

This commit removes it from the API.

If backported this commit will also fix a problem present on 2.2 and
2.2.1 (but not master) that after following the steps above Fred will
see the private dataset on the site front page.

Arguably you should not be able to add private datasets to groups at
all, but you could add a public dataset to a group and then make the
dataset private and it would still belong to the group, so we do need to
filter private datasets out of groups.

Conflicts:
	ckan/lib/dictization/model_dictize.py
seanh authored and amercader committed Oct 2, 2014
1 parent 7ddac4c commit b43caad
Showing 1 changed file with 7 additions and 4 deletions.
11 changes: 7 additions & 4 deletions ckan/lib/dictization/model_dictize.py
Expand Up @@ -368,10 +368,13 @@ def group_dictize(group, context):
else:
q['fq'] = 'groups:"{0}"'.format(group.name)

is_group_member = (context.get('user') and
new_authz.has_user_permission_for_group_or_org(group.id, context.get('user'), 'read'))
if is_group_member:
context['ignore_capacity_check'] = True
# Allow members of organizations to see private datasets.
if group.is_organization:
is_group_member = (context.get('user') and
new_authz.has_user_permission_for_group_or_org(
group.id, context.get('user'), 'read'))
if is_group_member:
context['ignore_capacity_check'] = True

if include_datasets:
q['rows'] = 1000 # Only the first 1000 datasets are returned
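
Review bot: Inside the new `if group.is_organization:` block, `context['ignore_capacity_check']` is only ever set to True and is never cleared on the plain-group path, so the fix depends on the caller's context not already carrying that key. If the same context dict is reused after dictizing an organization the user belongs to, the flag stays set and the group query would still skip the capacity check. Consider computing the value once and assigning it unconditionally, e.g. `context['ignore_capacity_check'] = bool(group.is_organization and is_group_member)`, or working on a copy of the context. The change also touches only model_dictize.py, so a regression test that follows the six steps from the commit message and asserts that group_show omits the private dataset for a non-member of the organization would keep this from coming back.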