Refactor user update logic function

ckan · Aug 13, 2013 · b283165 · b283165
1 parent dea7c12
commit b283165
Showing 1 changed file with 22 additions and 8 deletions.
diff --git a/ckan/logic/auth/update.py b/ckan/logic/auth/update.py
@@ -178,21 +178,35 @@ def group_edit_permissions(context, data_dict):
 
 def user_update(context, data_dict):
     user = context['user']
-    if not user and 'reset_key' not in data_dict:
+
+    # FIXME: We shouldn't have to do a try ... except here, validation should
+    # have ensured that the data_dict contains a valid user id before we get to
+    # authorization.
+    try:
+        user_obj = logic_auth.get_user_object(context, data_dict)
+    except logic.NotFound:
+        return {'success': False, 'msg': _('User not found')}
+
+    # If the user has a valid reset_key in the db, and that same reset key
+    # has been posted in the data_dict, we allow the user to update
+    # her account without using her password or API key.
+    if user_obj.reset_key and 'reset_key' in data_dict:
+        if user_obj.reset_key == data_dict['reset_key']:
+            return {'success': True}
+
+    if not user:
         return {'success': False,
                 'msg': _('Have to be logged in to edit user')}
 
-    user_obj = logic_auth.get_user_object(context, data_dict)
-    user_reset = ('reset_key' in data_dict and
-                  data_dict['reset_key'] == user_obj.reset_key)
-
-    if not (user == user_obj.name) and not user_reset:
+    if user == user_obj.name:
+        # Allow users to update their own user accounts.
+        return {'success': True}
+    else:
+        # Don't allow users to update other users' accounts.
         return {'success': False,
                 'msg': _('User %s not authorized to edit user %s') %
                         (user, user_obj.id)}
 
-    return {'success': True}
-
 
 def revision_change_state(context, data_dict):
     # FIXME currently only sysadmins can change state