Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resource DeleteView uses package_delete auth function #7131

Closed
bzar opened this issue Oct 11, 2022 · 0 comments · Fixed by #7132
Closed

Resource DeleteView uses package_delete auth function #7131

bzar opened this issue Oct 11, 2022 · 0 comments · Fixed by #7132
Assignees
@wardi

Comments

@bzar
Copy link
Contributor

bzar commented Oct 11, 2022

CKAN version
2.9.6

Describe the bug
Allowing deleting resources but not packages is not possible, because

ckan/ckan/views/resource.py

Line 454 in 9f1b5cf

check_access(u'package_delete', context, {u'id': id})
checks package_delete.

Steps to reproduce
Steps to reproduce the behavior:

  • Override package_delete and resource_delete auth functions with a plugin to create a situation where you can delete a resource in a package but not the package itsef
  • Navigate to the resource's edit view
  • Observe the delete button existing
  • Try to delete the resource
  • Observe 403 Forbidden: Unauthorized to delete package

Expected behavior
resource_delete auth function defining if a resource can be deleted

Additional details
Should be fixable by just changing the auth function. I'll make a PR.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wardi wardi

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use resource_delete auth function in views.resource.DeleteView bzar/ckan
2 participants
@wardi @bzar