From f3c9fd69c031da7e13a78d7f4a80857ffcd242a6 Mon Sep 17 00:00:00 2001
From: Dominik Moritz
Date: Fri, 21 Dec 2012 14:21:49 +0100
Subject: [PATCH] [247] fixes #247 by disallowing anonymous users to edit something that they are not allowed to create
---
 ckan/logic/auth/update.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/ckan/logic/auth/update.py b/ckan/logic/auth/update.py
index da02b2d1009..8a8c2d8d67f 100644
--- a/ckan/logic/auth/update.py
+++ b/ckan/logic/auth/update.py
@@ -14,10 +14,13 @@ def package_update(context, data_dict):
 user = context.get('user')
 package = get_package_object(context, data_dict)
- if package.owner_org:
- check1 = new_authz.has_user_permission_for_group_or_org(package.owner_org, user, 'update_dataset')
- else:
- check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization')
+ if not new_authz.auth_is_registered_user():
+ check1 = new_authz.check_config_permission('anon_create_dataset')
+ if check1:
+ if package.owner_org:
+ check1 = new_authz.has_user_permission_for_group_or_org(package.owner_org, user, 'update_dataset')
+ else:
+ check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization')
 if not check1:
 return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)}
 else:
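Review bot: `check1` is bound only inside the new `if not new_authz.auth_is_registered_user():` branch, so for a registered user the following `if check1:` reads a name that, as far as the hunk shows, was never assigned. That would raise UnboundLocalError instead of reaching the organization or config permission check, so logged-in editors get an error rather than an authorization decision. Bind it before the branch with `check1 = True` directly above the anonymous check; both arms of the inner `if package.owner_org:` overwrite it, so that default never becomes the final answer. The lines between the `def` and line 14, and the body after the trailing `else:`, are outside the hunk, so confirm nothing earlier already binds `check1`. A test for a logged-in user editing an organization-owned dataset would pin this path.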