[#3694] Restrict access to add member form to anon users

ckan · Jul 21, 2017 · b473ef1 · b473ef1
1 parent 4117515
commit b473ef1
Show file tree

Hide file tree

Showing 3 changed files with 151 additions and 1 deletion.
diff --git a/ckan/controllers/group.py b/ckan/controllers/group.py
@@ -685,8 +685,11 @@ def member_new(self, id):
 
         context = {'model': model, 'session': model.Session,
                    'user': c.user}
+        try:
+            self._check_access('group_member_create', context, {'id': id})
+        except NotAuthorized:
+            abort(403, _('Unauthorized to create group %s members') % '')
 
-        #self._check_access('group_delete', context, {'id': id})
         try:
             data_dict = {'id': id}
             data_dict['include_datasets'] = False

diff --git a/ckan/tests/controllers/test_group.py b/ckan/tests/controllers/test_group.py
@@ -409,6 +409,62 @@ def test_remove_member(self):
         assert_equal(len(user_roles.keys()), 1)
         assert_equal(user_roles['User One'], 'Admin')
 
+    def test_member_users_cannot_add_members(self):
+
+        user = factories.User()
+        group = factories.Group(
+                users=[{'name': user['name'], 'capacity': 'member'}]
+        )
+
+        app = helpers._get_test_app()
+
+        env = {'REMOTE_USER': user['name'].encode('ascii')}
+
+        app.get(
+            url_for(
+                controller='group',
+                action='member_new',
+                id=group['id'],
+            ),
+            extra_environ=env,
+            status=403,
+        )
+
+        app.post(
+            url_for(
+                controller='group',
+                action='member_new',
+                id=group['id'],
+            ),
+            {'id': 'test', 'username': 'test', 'save': 'save', 'role': 'test'},
+            extra_environ=env,
+            status=403,
+        )
+
+    def test_anonymous_users_cannot_add_members(self):
+        group = factories.Group()
+
+        app = helpers._get_test_app()
+
+        app.get(
+            url_for(
+                controller='group',
+                action='member_new',
+                id=group['id'],
+            ),
+            status=403,
+        )
+
+        app.post(
+            url_for(
+                controller='group',
+                action='member_new',
+                id=group['id'],
+            ),
+            {'id': 'test', 'username': 'test', 'save': 'save', 'role': 'test'},
+            status=403,
+        )
+
 
 class TestGroupFollow(helpers.FunctionalTestBase):
 

diff --git a/ckan/tests/controllers/test_organization.py b/ckan/tests/controllers/test_organization.py
@@ -444,3 +444,94 @@ def test_organization_search_within_org_no_results(self):
         ds_titles = [t.string for t in ds_titles]
 
         assert_equal(len(ds_titles), 0)
+
+
+class TestOrganizationMembership(helpers.FunctionalTestBase):
+
+    def test_editor_users_cannot_add_members(self):
+
+        user = factories.User()
+        organization = factories.Organization(
+                users=[{'name': user['name'], 'capacity': 'editor'}]
+        )
+
+        app = helpers._get_test_app()
+
+        env = {'REMOTE_USER': user['name'].encode('ascii')}
+
+        app.get(
+            url_for(
+                controller='organization',
+                action='member_new',
+                id=organization['id'],
+            ),
+            extra_environ=env,
+            status=403,
+        )
+
+        app.post(
+            url_for(
+                controller='organization',
+                action='member_new',
+                id=organization['id'],
+            ),
+            {'id': 'test', 'username': 'test', 'save': 'save', 'role': 'test'},
+            extra_environ=env,
+            status=403,
+        )
+
+    def test_member_users_cannot_add_members(self):
+
+        user = factories.User()
+        organization = factories.Organization(
+                users=[{'name': user['name'], 'capacity': 'member'}]
+        )
+
+        app = helpers._get_test_app()
+
+        env = {'REMOTE_USER': user['name'].encode('ascii')}
+
+        app.get(
+            url_for(
+                controller='organization',
+                action='member_new',
+                id=organization['id'],
+            ),
+            extra_environ=env,
+            status=403,
+        )
+
+        app.post(
+            url_for(
+                controller='organization',
+                action='member_new',
+                id=organization['id'],
+            ),
+            {'id': 'test', 'username': 'test', 'save': 'save', 'role': 'test'},
+            extra_environ=env,
+            status=403,
+        )
+
+    def test_anonymous_users_cannot_add_members(self):
+        organization = factories.Organization()
+
+        app = helpers._get_test_app()
+
+        app.get(
+            url_for(
+                controller='organization',
+                action='member_new',
+                id=organization['id'],
+            ),
+            status=403,
+        )
+
+        app.post(
+            url_for(
+                controller='organization',
+                action='member_new',
+                id=organization['id'],
+            ),
+            {'id': 'test', 'username': 'test', 'save': 'save', 'role': 'test'},
+            status=403,
+        )