[#278] Auth fixes and re-show page after processing

ckan · Jan 22, 2013 · a9345dd · a9345dd
1 parent ecebc0f
commit a9345dd
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 8 deletions.
diff --git a/ckan/controllers/group.py b/ckan/controllers/group.py
@@ -6,6 +6,7 @@
 
 from ckan.lib.base import BaseController, c, model, request, render, h, g
 from ckan.lib.base import ValidationException, abort, gettext
+import ckan.lib.base as base
 from pylons.i18n import get_lang, _
 from ckan.lib.helpers import Page
 import ckan.lib.maintain as maintain
@@ -329,9 +330,13 @@ def bulk_process(self, id):
 
         data_dict = {'datasets': datasets, 'group_id': group_dict['id']}
 
-        get_action(action_functions[action])(context, data_dict)
+        try:
+            get_action(action_functions[action])(context, data_dict)
+        except NotAuthorized:
+            abort(401, _('Not authorized to perform bulk update'))
         # TODO @JohnMartin we need to do some styling of the bulk process form including the div that makes the form bigger and the corresponding FIXME in package/snippets/search-form.html
-
+        base.redirect(h.url_for(controller='organization', action='bulk_process',
+                           id=id))
 
     def new(self, data=None, errors=None, error_summary=None):
         group_type = self._guess_group_type(True)

diff --git a/ckan/logic/action/update.py b/ckan/logic/action/update.py
@@ -1118,14 +1118,17 @@ def _bulk_update_dataset(context, data_dict, update_dict):
 def bulk_update_private(context, data_dict):
     ''' make a list of datasets private '''
 
+    _check_access('bulk_update_private', context, data_dict)
     _bulk_update_dataset(context, data_dict, {'private': True})
 
 def bulk_update_public(context, data_dict):
     ''' make a list of datasets public '''
 
+    _check_access('bulk_update_public', context, data_dict)
     _bulk_update_dataset(context, data_dict, {'private': False})
 
 def bulk_update_delete(context, data_dict):
     ''' make a list of datasets deleted '''
 
+    _check_access('bulk_update_delete', context, data_dict)
     _bulk_update_dataset(context, data_dict, {'state': 'deleted'})
diff --git a/ckan/logic/auth/update.py b/ckan/logic/auth/update.py
@@ -192,15 +192,30 @@ def package_owner_org_update(context, data_dict):
 
 
 def bulk_update_private(context, data_dict):
-    # sysadmins only
-    return {'success': False}
+    group_id = data_dict.get('group_id')
+    user = context['user']
+    authorized = new_authz.has_user_permission_for_group_or_org(
+        group_id, user, 'update')
+    if not authorized:
+        return {'success': False}
+    return {'success': True}
 
 
 def bulk_update_public(context, data_dict):
-    # sysadmins only
-    return {'success': False}
+    group_id = data_dict.get('group_id')
+    user = context['user']
+    authorized = new_authz.has_user_permission_for_group_or_org(
+        group_id, user, 'update')
+    if not authorized:
+        return {'success': False}
+    return {'success': True}
 
 
 def bulk_update_delete(context, data_dict):
-    # sysadmins only
-    return {'success': False}
+    group_id = data_dict.get('group_id')
+    user = context['user']
+    authorized = new_authz.has_user_permission_for_group_or_org(
+        group_id, user, 'update')
+    if not authorized:
+        return {'success': False}
+    return {'success': True}