[#2037] Make resource_create auth work against package_update

Right now it was deferring to package_create, which doesn't make much sense. Basically if you can update this particular dataset, you should be able to add a resource to it. Added auth tests. Also fixed the authorization for resource views creation. This is being fully tested on #1852 Conflicts: ckan/logic/auth/create.py ckan/new_tests/logic/auth/test_create.py
ckan · Feb 10, 2015 · f353e26 · f353e26
1 parent 3c45edc
commit f353e26
Showing 1 changed file with 31 additions and 7 deletions.
diff --git a/ckan/logic/auth/create.py b/ckan/logic/auth/create.py
@@ -2,6 +2,7 @@
 
 import ckan.logic as logic
 import ckan.new_authz as new_authz
+import ckan.logic.auth as logic_auth
 
 
 def package_create(context, data_dict=None):
@@ -47,13 +48,36 @@ def related_create(context, data_dict=None):
     return {'success': False, 'msg': _('You must be logged in to add a related item')}
 
 def resource_create(context, data_dict):
-    # resource_create runs through package_update, no need to
-    # check users eligibility to add resource to package here.
-
-    # FIXME This is identical behaviour to what existed but feels like we
-    # should be using package_update permissions and have better errors.  I
-    # am also not sure about the need for the group issue
-    return new_authz.is_authorized('package_create', context, data_dict)
+    model = context['model']
+    user = context.get('user')
+
+    package_id = data_dict.get('package_id')
+    if not package_id and data_dict.get('id'):
+        # This can happen when auth is deferred, eg from `resource_view_create`
+        resource = logic_auth.get_resource_object(context, data_dict)
+        package_id = resource.package_id
+
+    if not package_id:
+        raise logic.NotFound(
+            _('No dataset id provided, cannot check auth.')
+        )
+
+    # check authentication against package
+    pkg = model.Package.get(package_id)
+    if not pkg:
+        raise logic.NotFound(
+            _('No package found for this resource, cannot check auth.')
+        )
+
+    pkg_dict = {'id': pkg.id}
+    authorized = new_authz.is_authorized('package_update', context, pkg_dict).get('success')
+
+    if not authorized:
+        return {'success': False,
+                'msg': _('User %s not authorized to create resources on dataset %s') %
+                        (str(user), package_id)}
+    else:
+        return {'success': True}
 
 def package_relationship_create(context, data_dict):
     user = context['user']