A regular user can place his organization under any organization

[Vilsepi]

We are using CKAN 2.2 with code from the ckanext-hierachy to provide a UI for handling organization hierarchy.

It seems that a regular user (without sysadmin rights) is able to select any organization as the parent organization. Consider userAlice who has created organization cutePets, and then userEve who has created organization bunnySlaughterhouse. Now userEve can move her organization to be a suborganization of cutePets, and to the rest of the users, this looks like a valid, "official" suborganization.

I am not sure whether this is by design or a bug, but we have a case where we cannot completely trust every CKAN user, and thus it would probably be better if users can only select those organizations in which they are already admins.

[davidread]

It's working as it was designed. The parent org's admin will automatically get admin power for the sub-organization. But all the same you're right about conferring officialness.

I suggest that we require the user to be admin for the parent.

[amercader]

@davidread is this something that needs to be fixed on ckanext-hierachy? If so can you please move the issue there and close this one? Cheers.

[davidread]

The code for this is in ckan, so let's leave the issue here.

I think this a worthwhile improvement so will try and get round to doing it.

[rossjones]

This issue is being closed as it is nearly more than 18 months old. If you are still experiencing this problem and wish to help investigate further, or submit a PR, please feel free to re-open it.