Saml2 - add check_access calls to some user actions

ckan · Apr 15, 2013 · 48f37ef · 48f37ef
1 parent ba5063c
commit 48f37ef
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/ckan/controllers/user.py b/ckan/controllers/user.py
@@ -141,6 +141,12 @@ def me(self, locale=None):
                       id=user_ref)
 
     def register(self, data=None, errors=None, error_summary=None):
+        context = {'model': model, 'session': model.Session, 'user': c.user}
+        try:
+            check_access('user_create', context)
+        except NotAuthorized:
+            abort(401, _('Unauthorized to register as a user.'))
+
         return self.new(data, errors, error_summary)
 
     def new(self, data=None, errors=None, error_summary=None):
@@ -213,6 +219,8 @@ def _save_new(self, context):
     def edit(self, id=None, data=None, errors=None, error_summary=None):
         context = {'save': 'save' in request.params,
                    'schema': self._edit_form_to_db_schema(),
+                   'model': model, 'session': model.Session,
+                   'user': c.user,
                    }
         if id is None:
             if c.userobj:
@@ -221,6 +229,11 @@ def edit(self, id=None, data=None, errors=None, error_summary=None):
                 abort(400, _('No user specified'))
         data_dict = {'id': id}
 
+        try:
+            check_access('user_update', context, data_dict)
+        except NotAuthorized:
+            abort(401, _('Unauthorized to edit a user.'))
+
         if (context['save']) and not data:
             return self._save_edit(id, context)
 
@@ -381,6 +394,13 @@ def logged_out_page(self):
         return render('user/logout.html')
 
     def request_reset(self):
+        context = {'model': model, 'session': model.Session, 'user': c.user}
+        data_dict = {'id': request.params.get('user')}
+        try:
+            check_access('request_reset', context)
+        except NotAuthorized:
+            abort(401, _('Unauthorized to request reset password.'))
+
         if request.method == 'POST':
             id = request.params.get('user')
 
@@ -435,6 +455,11 @@ def perform_reset(self, id):
 
         data_dict = {'id': id}
 
+        try:
+            check_access('user_reset', context)
+        except NotAuthorized:
+            abort(401, _('Unauthorized to reset password.'))
+
         try:
             user_dict = get_action('user_show')(context, data_dict)
 

diff --git a/ckan/logic/auth/get.py b/ckan/logic/auth/get.py
@@ -262,3 +262,11 @@ def dataset_followee_list(context, data_dict):
 
 def group_followee_list(context, data_dict):
     return _followee_list(context, data_dict)
+
+
+def user_reset(context, data_dict):
+    return {'success': True}
+
+
+def request_reset(context, data_dict):
+    return {'success': True}