[#1407] Fix for resource_delete auth and added tests.

ckan/logic/auth/delete.py

@@ -13,7 +13,7 @@ def user_delete(context, data_dict):
 
 
 def package_delete(context, data_dict):
-    # Defer auhtorization for package_delete to package_update, as deletions
+    # Defer authorization for package_delete to package_update, as deletions
     # are essentially changing the state field
     return _auth_update.package_update(context, data_dict)
 
@@ -23,7 +23,7 @@ def resource_delete(context, data_dict):
     resource = get_resource_object(context, data_dict)
 
     # check authentication against package
-    query = model.Package.get(resource.package_id)
+    pkg = model.Package.get(resource.package_id)
     if not pkg:
         raise logic.NotFound(_('No package found for this resource, cannot check auth.'))
 

ckan/new_tests/logic/action/test_delete.py

@@ -0,0 +1,31 @@
+import nose.tools
+
+import ckan.new_tests.helpers as helpers
+import ckan.new_tests.factories as factories
+import ckan.logic as logic
+import ckan.model as model
+
+assert_equals = nose.tools.assert_equals
+assert_raises = nose.tools.assert_raises
+
+
+class TestDelete:
+
+    def setup(self):
+        helpers.reset_db()
+
+    def test_resource_delete(self):
+        user = factories.User()
+        sysadmin = factories.Sysadmin()
+        resource = factories.Resource(user=user)
+        context = {}
+        params = {'id': resource['id']}
+
+        helpers.call_action('resource_delete', context, **params)
+
+        # Not even a sysadmin can see it now
+        assert_raises(logic.NotFound, helpers.call_action, 'resource_show',
+                      {'user': sysadmin['name']}, **params)
+        # It is still there but with state=deleted
+        res_obj = model.Resource.get(resource['id'])
+        assert_equals(res_obj.state, 'deleted')

ckan/new_tests/logic/auth/test_delete.py

@@ -0,0 +1,52 @@
+
+'''Unit tests for ckan/logic/auth/delete.py.
+
+'''
+
+import nose
+
+import ckan.new_tests.helpers as helpers
+import ckan.new_tests.factories as factories
+import ckan.logic.auth.delete as auth_delete
+from ckan import model
+
+logic = helpers.logic
+assert_equals = nose.tools.assert_equals
+
+
+class TestResourceDelete(object):
+
+    def setup(self):
+        helpers.reset_db()
+
+    def test_anon_cant_delete(self):
+        context = {'user': None, 'model': model}
+        params = {}
+        nose.tools.assert_raises(logic.NotAuthorized, helpers.call_auth,
+                                 'resource_delete', context=context, **params)
+
+    def test_no_org_user_cant_delete(self):
+        user = factories.User()
+        org = factories.Organization()
+        dataset = factories.Dataset(owner_org=org['id'],
+                                    resources=[factories.Resource()])
+
+        response = auth_delete.resource_delete(
+            {'user': user['name'], 'model': model},
+            {'id': dataset['resources'][0]['id']})
+
+        assert_equals(response['success'], False)
+
+    def test_org_user_can_delete(self):
+        user = factories.User()
+        org_users = [{'name': user['name'], 'capacity': 'editor'}]
+        org = factories.Organization(users=org_users)
+        dataset = factories.Dataset(owner_org=org['id'],
+                                    resources=[factories.Resource()],
+                                    user=user)
+
+        response = auth_delete.resource_delete(
+            {'user': user['name'], 'model': model},
+            {'id': dataset['resources'][0]['id']})
+
+        assert_equals(response['success'], True)