deleted packages (state=deleted) cannot be read by the owner #369

Closed

Contributor

@JoshData JoshData commented Feb 8, 2013

This causes the v1/2 REST package update API to fail with access denied because after successfully updating the package, the user no longer has permission to read it to generate the dict-like response.

Revised the auth logic to treat 'deleted' like 'draft', meaning only editors can read these packages.

Maybe there's a better way to do this.

@ghost ghost assigned TomDunham Feb 12, 2013
@TomDunham

Yup, that's the current behaviour, but I can see there's an argument for that JSON being available after the package has been deleted. I think there might be some subtleties around it though - should CKAN respond with HTTP 410, for instance? Can you give a bit more detail about why you want to be able to see all the JSON for a deleted package?

@JoshData
Contributor Author

Sorry my description wasn't clear.

Using the update API to delete the package results in a 403, even though it successfully sets the state to deleted. It should return a 200. That's the problem I'm trying to solve.

As for reading the package later: it is possible for the owner to un-delete a package. If the owner can POST to the package, he ought also to be able to GET it too. But that's not what's getting in my way.

@tobes
Contributor

tobes commented Feb 14, 2013

> Using the update API to delete the package

Could you give the URL so I know exactly which path you are taking? I think we can fix this in a less invasive way.

@JoshData
Contributor Author

curl http://..../api/2/rest/dataset/some-dataset -d '{"state":"deleted"}' -H "Authorization: ...."

@tobes
Contributor

tobes commented Feb 14, 2013

Does this fix the problem for you?

Basically, it stops the auth check when getting the dataset to return, as you had the right to update it.

diff --git a/ckan/logic/action/update.py b/ckan/logic/action/update.py
index c5d8e60..7e7e7fa 100644
--- a/ckan/logic/action/update.py
+++ b/ckan/logic/action/update.py
@@ -286,6 +286,7 @@ def package_update(context, data_dict):

     return_id_only = context.get('return_id_only', False)

+    context['ignore_auth'] = True
     output = data_dict['id'] if return_id_only \
             else _get_action('package_show')(context, {'id': data_dict['id']})
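
Review bot: `context['ignore_auth'] = True` is written into the caller's `context` dict and is never reset, so it is still set after `package_update` returns and applies to anything else that reuses this context, not just the `package_show` call below it. It is also set when `return_id_only` is true, where no read happens at all. Suggest building a copy for the one call, for example `dict(context, ignore_auth=True)`, and passing that to `package_show` only in the `else` branch; a short comment saying the read is allowed because the update was already authorised would help the next reader.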

@JoshData
Contributor Author

Thanks, I'll test that and will let you know.

@tobes
Contributor

tobes commented Feb 22, 2013

@tauberer did you get a chance to test this?

@JoshData
Contributor Author

JoshData commented Mar 3, 2013

Sorry for the delay. I've been on other projects.

Yes, that works fine.

Thanks!

tobes added a commit that referenced this pull request Mar 4, 2013
This causes the v1/2 REST package update API to fail with access denied
because after successfully updating the package, the user no longer has
permission to read it to generate the dict-like response.

Just allow us to read the updated package
@tobes
Contributor

tobes commented Mar 4, 2013

pull request for the fix #545

@TomDunham

Closing this off as it's covered elsewhere.

@TomDunham TomDunham closed this Mar 12, 2013
@tobes tobes reopened this Mar 12, 2013
@tobes
Contributor

tobes commented Mar 12, 2013

Reopening as issue still not resolved

domoritz added a commit that referenced this pull request Mar 14, 2013
[#369] updating packages to deleted state had permission issues [for 2.0]
@ghost ghost assigned tobes Mar 19, 2013
@amercader
Member

@tobes @domoritz @TomDunham I'm a little confused about this pull request and #545, which apparently was the fix but is different from this one.
Are the two different issues? Does #545 still need to go to 2.0?

@tobes
Contributor

tobes commented Mar 19, 2013

@amercader #545 is wanted, this is not. Closing.

@tobes tobes closed this Mar 19, 2013
tobes added a commit that referenced this pull request Mar 20, 2013
This causes the v1/2 REST package update API to fail with access denied
because after successfully updating the package, the user no longer has
permission to read it to generate the dict-like response.

Just allow us to read the updated package
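
The failure discussed in this thread (the update is committed, then the follow-up read is authorized against the new `deleted` state and denied) can be reproduced in a small model. This is an added example, not CKAN code and not from any participant; every function name, the `DB` record and the permission rules are hypothetical stand-ins, and the second variant skips the read check on a copy of the context so the caller's dict is left unchanged.

```python
# Toy model of an update-then-read action pair; not CKAN code.
# Every name below is hypothetical; DB is a constructed sample record.
class NotAuthorized(Exception):
    """Stands in for the error an API layer maps to HTTP 403."""

DB = {"some-dataset": {"id": "some-dataset", "state": "active", "owner": "alice"}}

def can_read(context, pkg):
    # Rule from the thread: a deleted package is not readable by its owner.
    return bool(context.get("ignore_auth")) or pkg["state"] != "deleted"

def can_update(context, pkg):
    return bool(context.get("ignore_auth")) or context["user"] == pkg["owner"]

def package_show(context, data_dict):
    pkg = DB[data_dict["id"]]
    if not can_read(context, pkg):
        raise NotAuthorized("read denied")
    return dict(pkg)

def update_then_show(context, data_dict):
    pkg = DB[data_dict["id"]]
    if not can_update(context, pkg):
        raise NotAuthorized("update denied")
    pkg.update(data_dict)  # write is committed before the read below is re-authorized
    return package_show(context, {"id": pkg["id"]})

def update_then_show_scoped(context, data_dict):
    pkg = DB[data_dict["id"]]
    if not can_update(context, pkg):
        raise NotAuthorized("update denied")
    pkg.update(data_dict)
    # Skip the read check for this one internal call only, on a copy,
    # so the caller's context never carries ignore_auth afterwards.
    return package_show(dict(context, ignore_auth=True), {"id": pkg["id"]})

def demo():
    ctx = {"user": "alice"}
    try:
        update_then_show(ctx, {"id": "some-dataset", "state": "deleted"})
        first = "ok"
    except NotAuthorized:
        first = "denied, state=" + DB["some-dataset"]["state"]
    DB["some-dataset"]["state"] = "active"  # reset the sample record
    out = update_then_show_scoped(ctx, {"id": "some-dataset", "state": "deleted"})
    return first, out["state"], "ignore_auth" in ctx

if __name__ == "__main__":
    print(demo())
```

The first element of the result shows the symptom reported here: the caller sees a denial although the state change was already applied.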