deleted packages (state=deleted) cannot be read by the owner #369
This causes the v1/2 REST package update API to fail with access denied because after successfully updating the package, the user no longer has permission to read it to generate the dict-like response. Revised the auth logic to treat 'deleted' like 'draft', meaning only editors can read these packages.
Yup, that's the current behaviour, but I can see there's an argument for that JSON being available after the package has been deleted. I think there might be some subtleties around it though - should CKAN respond with HTTP 410, for instance? Can you give a bit more detail about why you want to be able to see all the JSON for a deleted package?
Sorry, my description wasn't clear. Using the update API to delete the package results in a 403, even though it successfully sets the state to deleted. It should return a 200. That's the problem I'm trying to solve. As for reading the package later - it is possible for the owner to un-delete a package. If the owner can POST to the package, he ought also to be able to GET it too. But that's not what's getting in my way.
Could you give the URL so I know exactly which path you are taking? I think we can fix this in a less invasive way.
curl http://..../api/2/rest/dataset/some-dataset -d '{"state":"deleted"}' -H "Authorization: ...."
Does this fix the problem for you? Basically it stops the auth check when getting the dataset to return, as you had the right to update it.
Thanks, I'll test that and will let you know.
@tauberer did you get a chance to test this?
Sorry for the delay. I've been on other projects. Yes, that works fine. Thanks!
This causes the v1/2 REST package update API to fail with access denied because after successfully updating the package, the user no longer has permission to read it to generate the dict-like response. Just allow us to read the updated package.
Pull request for the fix: #545
Closing this off as it's covered elsewhere.
Reopening as issue still not resolved.
[#369] updating packages to deleted state had permission issues [for 2.0]
@tobes @domoritz @TomDunham I'm a little confused about this pull request and #545, which apparently was the fix but is different from this one.
@amercader #545 is wanted this is not closing
This causes the v1/2 REST package update API to fail with access denied because after successfully updating the package, the user no longer has permission to read it to generate the dict-like response.
Revised the auth logic to treat 'deleted' like 'draft', meaning only editors can read these packages.
Maybe there's a better way to do this.
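The failure mode and the less invasive fix discussed in this thread, as an added example that is not CKAN's code or the code from either pull request. The function names, the `skip_auth` flag and the in-memory store are hypothetical; the point is that the read check is skipped only for the response to an update that was already authorized.

```python
# Toy model of the update-then-read flow from this thread.
# All names here are hypothetical, not CKAN's real functions.

class NotAuthorized(Exception):
    """Surfaces as HTTP 403 at the API layer."""

# Constructed sample data.
PACKAGES = {"some-dataset": {"state": "active", "owner": "alice"}}

def can_update(user, pkg):
    return user == pkg["owner"]

def can_read(user, pkg):
    # Behaviour reported in the thread: a deleted package is not
    # readable through the normal read check, even by its owner.
    return pkg["state"] != "deleted"

def show(user, name, skip_auth=False):
    pkg = PACKAGES[name]
    if not skip_auth and not can_read(user, pkg):
        raise NotAuthorized(name)
    return dict(pkg)

def update_buggy(user, name, changes):
    pkg = PACKAGES[name]
    if not can_update(user, pkg):
        raise NotAuthorized(name)
    pkg.update(changes)        # the state change is committed here...
    return show(user, name)    # ...then the read-back is re-authorized and fails

def update_fixed(user, name, changes):
    pkg = PACKAGES[name]
    if not can_update(user, pkg):
        raise NotAuthorized(name)
    pkg.update(changes)
    # The caller already passed the update check, so the read check is
    # skipped for this response only; standalone reads stay gated.
    return show(user, name, skip_auth=True)

def status(fn, user, name, changes):
    """Return the HTTP status the API layer would send."""
    try:
        fn(user, name, changes)
        return 200
    except NotAuthorized:
        return 403
```

The buggy path returns 403 while leaving the package deleted, which is why a client retrying on the error would see inconsistent results.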