Merge 6fad260 into 520da26

.eggs/README.txt

@@ -0,0 +1,6 @@
+This directory contains eggs that were downloaded by setuptools to build, test, and run plug-ins.
+
+This directory caches those eggs to prevent repeated downloads.
+
+However, it is safe to delete this directory.
+

.gitignore

@@ -50,3 +50,6 @@ coverage.xml
 
 # Sphinx documentation
 docs/_build/
+
+.idea
+venv

ckanext/privatedatasets/auth.py

@@ -41,41 +41,37 @@ def package_show(context, data_dict):
     # Not active packages can only be seen by its owners
     if package.state == 'active':
         # anyone can see a public package
-        if not package.private:
-            return {'success': True}
+        if package.private:
 
-        # if the user has rights to read in the organization or in the group
-        if package.owner_org:
-            authorized = authz.has_user_permission_for_group_or_org(
-                package.owner_org, user, 'read')
-        else:
-            authorized = False
+            acquired = False
 
-        # if the user is not authorized yet, we should check if the
-        # user is in the allowed_users object
-        if not authorized:
-            # Init the model
-            db.init_db(context['model'])
+            if package.owner_org:
+                acquired = authz.has_user_permission_for_group_or_org(
+                    package.owner_org, user, 'read')
 
-            # Branch not executed if the database return an empty list
-            if db.AllowedUser.get(package_id=package.id, user_name=user):
-                authorized = True
+            if not acquired:
+                # Init the model
+                db.init_db(context['model'])
 
-        if not authorized:
-            # Show a flash message with the URL to acquire the dataset
-            # This message only can be shown when the user tries to access the dataset via its URL (/dataset/...)
-            # The message cannot be displayed in other pages that uses the package_show function such as
-            # the user profile page
-
-            if hasattr(package, 'extras') and 'acquire_url' in package.extras and request.path.startswith('/dataset/')\
-                    and package.extras['acquire_url'] != '':
-                helpers.flash_notice(_('This private dataset can be acquired. To do so, please click ' +
-                                       '<a target="_blank" href="%s">here</a>') % package.extras['acquire_url'],
-                                     allow_html=True)
-
-            return {'success': False, 'msg': _('User %s not authorized to read package %s') % (user, package.id)}
-        else:
-            return {'success': True}
+                # Branch not executed if the database return an empty list
+                if db.AllowedUser.get(package_id=package.id, user_name=user):
+                    acquired = True
+
+            if not acquired:
+
+                # Show a flash message with the URL to acquire the dataset
+                # This message only can be shown when the user tries to access the dataset via its URL (/dataset/...)
+                # The message cannot be displayed in other pages that uses the package_show function such as
+                # the user profile page
+
+                if hasattr(package, 'extras') and 'acquire_url' in package.extras and request.path.startswith(
+                        '/dataset/') \
+                        and package.extras['acquire_url'] != '':
+                    helpers.flash_notice(_('This private dataset can be acquired. To do so, please click ' +
+                                           '<a target="_blank" href="%s">here</a>') % package.extras['acquire_url'],
+                                         allow_html=True)
+
+        return {'success': True}
     else:
         return {'success': False, 'msg': _('User %s not authorized to read package %s') % (user, package.id)}
 
@@ -104,32 +100,49 @@ def package_update(context, data_dict):
 
 @tk.auth_allow_anonymous_access
 def resource_show(context, data_dict):
-    # This function is needed since CKAN resource_show function uses the default package_show
-    # function instead of the one defined in the plugin.
-    # A bug is openend in order to be able to remove this function
-    # https://github.com/ckan/ckan/issues/1818
-    # It's fixed now, so this function can be deleted when the new version is released.
-    _model = context['model']
+
     user = context.get('user')
+    user_obj = context.get('auth_user_obj')
     resource = logic_auth.get_resource_object(context, data_dict)
-
     # check authentication against package
-    query = _model.Session.query(_model.Package)\
-        .join(_model.ResourceGroup)\
-        .join(_model.Resource)\
-        .filter(_model.ResourceGroup.id == resource.resource_group_id)
-    pkg = query.first()
-    if not pkg:
+    package_dict = {'id': resource.package_id}
+    package = logic_auth.get_package_object(context, package_dict)
+    if not package:
         raise tk.ObjectNotFound(_('No package found for this resource, cannot check auth.'))
 
-    pkg_dict = {'id': pkg.id}
-    authorized = package_show(context, pkg_dict).get('success')
-
-    if not authorized:
-        return {'success': False, 'msg': _('User %s not authorized to read resource %s') % (user, resource.id)}
-    else:
+    if package and user_obj and package.creator_user_id == user_obj.id:
         return {'success': True}
 
+    # active packages can only be seen by its owners
+    if package.state == 'active':
+
+        # anyone can see a public package
+        if not package.private:
+            return {'success': True}
+
+        # if the user has rights to read in the organization or in the group
+        if package.owner_org:
+            authorized = authz.has_user_permission_for_group_or_org(
+                package.owner_org, user, 'read')
+        else:
+            authorized = False
+
+        if not authorized:
+            # Init the model
+            db.init_db(context['model'])
+
+            # Branch not executed if the database return an empty list
+            if db.AllowedUser.get(package_id=package.id, user_name=user):
+                authorized = True
+
+        if not authorized:
+            return {'success': False, 'msg': _('User %s not authorized to read resource %s') % (user, resource.id)}
+
+        else:
+            return {'success': True}
+
+    else:
+        return {'success': False, 'msg': _('User %s not authorized to read resource %s') % (user, resource.id)}
 
 @tk.auth_allow_anonymous_access
 def package_acquired(context, data_dict):

ckanext/privatedatasets/plugin.py

@@ -29,6 +29,8 @@
 from ckanext.privatedatasets import auth, actions, constants, converters_validators as conv_val, db, helpers
 from ckanext.privatedatasets.views import acquired_datasets
 
+
+
 HIDDEN_FIELDS = [constants.ALLOWED_USERS, constants.SEARCHABLE]
 
 
@@ -43,6 +45,7 @@ class PrivateDatasets(p.SingletonPlugin, tk.DefaultDatasetForm, DefaultPermissio
     p.implements(p.IPackageController, inherit=True)
     p.implements(p.ITemplateHelpers)
     p.implements(p.IPermissionLabels)
+    p.implements(p.IResourceController)
 
     ######################################################################
     ############################ DATASET FORM ############################
@@ -112,7 +115,7 @@ def package_types(self):
     def get_auth_functions(self):
         auth_functions = {'package_show': auth.package_show,
                           'package_update': auth.package_update,
-                          # 'resource_show': auth.resource_show,
+                          'resource_show': auth.resource_show,
                           constants.PACKAGE_ACQUIRED: auth.package_acquired,
                           constants.ACQUISITIONS_LIST: auth.acquisitions_list,
                           constants.PACKAGE_DELETED: auth.revoke_access}
@@ -162,11 +165,13 @@ def get_blueprint(self):
     ######################################################################
 
     def get_actions(self):
-        return {
-            constants.PACKAGE_ACQUIRED: actions.package_acquired,
-            constants.ACQUISITIONS_LIST: actions.acquisitions_list,
-            constants.PACKAGE_DELETED: actions.revoke_access
-        }
+        action_functions = {constants.PACKAGE_ACQUIRED: actions.package_acquired,
+                            constants.ACQUISITIONS_LIST: actions.acquisitions_list,
+                            constants.PACKAGE_DELETED: actions.revoke_access}
+
+        return action_functions
+
+
 
     ######################################################################
     ######################### IPACKAGECONTROLLER #########################
@@ -187,6 +192,9 @@ def before_index(self, pkg_dict):
 
         return pkg_dict
 
+
+
+
     def after_create(self, context, pkg_dict):
         session = context['session']
         update_cache = False
@@ -244,6 +252,16 @@ def after_update(self, context, pkg_dict):
 
     def after_show(self, context, pkg_dict):
 
+        void = False;
+
+        for resource in pkg_dict['resources']:
+            if resource == {}:
+                void = True
+
+        if void:
+            del pkg_dict['resources']
+            del pkg_dict['num_resources']
+
         user_obj = context.get('auth_user_obj')
         updating_via_api = context.get(constants.CONTEXT_CALLBACK, False)
 
@@ -294,13 +312,30 @@ def after_search(self, search_results, search_params):
                 # NotAuthorized exception is risen when the user is not allowed
                 # to read the package.
                 attrs.append('resources')
-
             # Delete
             self._delete_pkg_atts(result, attrs)
 
         return search_results
 
     ####
+    def before_view(self, pkg_dict):
+
+        for resource in pkg_dict['resources']:
+
+            context = {
+                'model': model,
+                'session': model.Session,
+                'user': tk.c.user,
+                'user_obj': tk.c.userobj
+            }
+
+            try:
+                tk.check_access('resource_show', context, resource)
+            except tk.NotAuthorized:
+                pkg_dict['resources'].remove(resource)
+                pkg_dict = self.before_view(pkg_dict)
+        return pkg_dict
+
 
     def get_dataset_labels(self, dataset_obj):
         labels = super(PrivateDatasets, self).get_dataset_labels(
@@ -318,6 +353,45 @@ def get_user_dataset_labels(self, user_obj):
         labels.append('searchable')
         return labels
 
+
+    ######################################################################
+    ######################### IRESOURCECONTROLLER ########################
+    ######################################################################
+
+
+    def before_create(self, context, resource):
+        pass
+
+   #def after_create(self, context, resource): #Coincide el nombre con el de IPackageController
+   #    return resource
+
+    def before_update(self, context, current, resource):
+        pass
+
+    #def after_update(self, context, resource): #Coincide el nombre con el de IPackageController
+    #    return resource
+
+    def before_delete(self, context, resource, resources):
+        pass
+
+    #def after_delete(self, context, resources): #Coincide el nombre con el de IPackageController
+    #    return resources
+
+    def before_show(self, resource_dict):
+
+        context = {
+            'model': model,
+            'session': model.Session,
+            'user': tk.c.user,
+            'user_obj': tk.c.userobj
+        }
+
+        try:
+            tk.check_access('resource_show', context, resource_dict)
+        except tk.NotAuthorized:
+            resource_dict.clear()
+        return resource_dict
+
     ######################################################################
     ######################### ITEMPLATESHELPER ###########################
     ######################################################################
@@ -330,4 +404,29 @@ def get_helpers(self):
                 'show_acquire_url_on_create': helpers.show_acquire_url_on_create,
                 'show_acquire_url_on_edit': helpers.show_acquire_url_on_edit,
                 'acquire_button': helpers.acquire_button
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
                 }

ckanext/privatedatasets/templates/snippets/package_item.html

@@ -26,7 +26,7 @@
   {% block package_item_content %}
     <div class="dataset-content">
       <h3 class="dataset-heading">
-        {% if package.private and not h.can_read(package) %}
+        {% if package.private and not owner and not acquired %}
           <span class="dataset-private label label-inverse">
             <i class="icon-lock fa fa-lock"></i>
             {{ _('Private') }}
@@ -46,8 +46,8 @@ <h3 class="dataset-heading">
         {% endif %}
 
         <!-- Customizations Acquire Button -->
-        {% if package.private and not h.can_read(package) %}
-            {{ _(h.truncate(title, truncate_title)) }}
+        {% if package.private and not owner and not acquired %}
+            {{ h.link_to(h.truncate(title, truncate_title), h.url_for(controller='package', action='read', id=package.name)) }}
              <div class="divider"/>
             {{ h.acquire_button(package) }}
         {% else %}

ckanext/privatedatasets/templates_2.8/snippets/package_item.html

@@ -26,7 +26,7 @@
   {% block package_item_content %}
     <div class="dataset-content">
       <h3 class="dataset-heading">
-        {% if package.private and not h.can_read(package) %}
+        {% if package.private and not owner and not acquired%}
           <span class="dataset-private label label-inverse">
             <i class="icon-lock fa fa-lock"></i>
             {{ _('Private') }}
@@ -46,8 +46,8 @@ <h3 class="dataset-heading">
         {% endif %}
 
         <!-- Customizations Acquire Button -->
-        {% if package.private and not h.can_read(package) %}
-            {{ _(h.truncate(title, truncate_title)) }}
+        {% if package.private and not owner and not acquired %}
+            {{ h.link_to(h.truncate(title, truncate_title), h.url_for(controller='package', action='read', id=package.name)) }}
              <div class="divider"/>
             {{ h.acquire_button(package) }}
         {% else %}