From ef4c875cafd8e4c1f3074a257a5cfb11d755cc9d Mon Sep 17 00:00:00 2001
From: Sergey Motornyuk
Date: Fri, 21 Jul 2017 13:51:53 +0300
Subject: [PATCH] Restrict access to form pages

---
 ckan/controllers/group.py | 6 +++++-
 ckan/controllers/package.py | 16 +++++++++-------
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/ckan/controllers/group.py b/ckan/controllers/group.py
index c963749bf94..1c011e9a370 100644
--- a/ckan/controllers/group.py
+++ b/ckan/controllers/group.py
@@ -707,7 +707,11 @@ def member_new(self, id):
 context = {'model': model, 'session': model.Session, 'user': c.user or c.author}
- #self._check_access('group_delete', context, {'id': id})
+ try:
+ self._check_access('group_member_create', context, {'id': id})
+ except NotAuthorized:
+ abort(403, _('Unauthorized to create group %s members') % '')
+
 try:
 data_dict = {'id': id}
 data_dict['include_datasets'] = False
diff --git a/ckan/controllers/package.py b/ckan/controllers/package.py
index f0ba12ee6bb..a8214bd7d9b 100644
--- a/ckan/controllers/package.py
+++ b/ckan/controllers/package.py
@@ -549,6 +549,15 @@ def new(self, data=None, errors=None, error_summary=None):
 def resource_edit(self, id, resource_id, data=None, errors=None,
 error_summary=None):
+ context = {'model': model, 'session': model.Session,
+ 'api_version': 3, 'for_edit': True,
+ 'user': c.user, 'auth_user_obj': c.userobj}
+ data_dict = {'id': id}
+
+ try:
+ check_access('package_update', context, data_dict)
+ except NotAuthorized:
+ abort(403, _('User %r not authorized to edit %s') % (c.user, id))
 if request.method == 'POST' and not data:
 data = data or \
@@ -557,10 +566,6 @@ def resource_edit(self, id, resource_id, data=None, errors=None,
 # we don't want to include save as it is part of the form
 del data['save']
- context = {'model': model, 'session': model.Session,
- 'api_version': 3, 'for_edit': True,
- 'user': c.user or c.author, 'auth_user_obj': c.userobj}
-
 data['package_id'] = id
 try:
 if resource_id: 
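Review bot: The `abort(403, _('Unauthorized to create group %s members') % '')` line formats an empty string into its `%s` placeholder, so the rendered message reads "Unauthorized to create group  members" and never names the group; `id` is in scope here, so `abort(403, _('Unauthorized to create group %s members') % id)` gives the message the identifier the template was written for. The new `except` clause catches only `NotAuthorized`; if the `group_member_create` auth function raises a not-found for an unknown `id`, that exception appears to leave this block uncaught, which is worth confirming against how the lookup a few lines below is handled. The rest of `member_new` lies outside the hunk.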
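Review bot: The hoisted `context` in `resource_edit` sets `'user': c.user`, whereas the three dicts this patch removes (and the `member_new` hunk in group.py) use `'user': c.user or c.author`, so the fallback to `c.author` is silently dropped for both the `package_update` check and the `package_show` call at the end of the method, which now reuses this single context. If that is unintended, `'user': c.user or c.author, 'auth_user_obj': c.userobj}` restores the previous behaviour; if it is intended, a one-line comment such as `# author fallback deliberately dropped: form pages require a logged-in user` would stop the next reader from reverting it. As in the group.py hunk, only `NotAuthorized` is caught around `check_access`, so a not-found raised while resolving an unknown `id` would presumably propagate from here rather than producing an explicit 404 — worth confirming. The remainder of `resource_edit` is outside this hunk.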
@@ -578,9 +583,6 @@ def resource_edit(self, id, resource_id, data=None, errors=None,
 redirect(h.url_for(controller='package', action='resource_read', id=id, resource_id=resource_id))
- context = {'model': model, 'session': model.Session,
- 'api_version': 3, 'for_edit': True,
- 'user': c.user or c.author, 'auth_user_obj': c.userobj}
 pkg_dict = get_action('package_show')(context, {'id': id})
 if pkg_dict['state'].startswith('draft'):
 # dataset has not yet been fully created