Refactor user update logic function

ckan · Aug 13, 2013 · efc2b73 · efc2b73
1 parent cf64899
commit efc2b73
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 9 deletions.
diff --git a/ckan/logic/auth/publisher/update.py b/ckan/logic/auth/publisher/update.py
@@ -115,15 +115,33 @@ def authorization_group_edit_permissions(context, data_dict):
     return {'success': False, 'msg': _('Authorization group update not implemented')}
 
 def user_update(context, data_dict):
-    model = context['model']
     user = context['user']
+
     user_obj = get_user_object(context, data_dict)
 
-    if not (Authorizer().is_sysadmin(unicode(user)) or user == user_obj.name) and \
-       not ('reset_key' in data_dict and data_dict['reset_key'] == user_obj.reset_key):
-        return {'success': False, 'msg': _('User %s not authorized to edit user %s') % (str(user), user_obj.id)}
+    # Sysadmins can edit all users
+    if Authorizer().is_sysadmin(unicode(user)):
+        return {'success': True}
+
+    # If the user has a valid reset_key in the db, and that same reset key
+    # has been posted in the data_dict, we allow the user to update
+    # her account without using her password or API key.
+    if user_obj.reset_key and 'reset_key' in data_dict:
+        if user_obj.reset_key == data_dict['reset_key']:
+            return {'success': True}
 
-    return {'success': True}
+    if not user:
+        return {'success': False,
+                'msg': _('Have to be logged in to edit user')}
+
+    if user == user_obj.name:
+        # Allow users to update their own user accounts.
+        return {'success': True}
+    else:
+        # Don't allow users to update other users' accounts.
+        return {'success': False,
+                'msg': _('User %s not authorized to edit user %s') %
+                        (user, user_obj.id)}
 
 def revision_change_state(context, data_dict):
     model = context['model']

diff --git a/ckan/logic/auth/update.py b/ckan/logic/auth/update.py
@@ -151,13 +151,32 @@ def authorization_group_edit_permissions(context, data_dict):
 
 def user_update(context, data_dict):
     user = context['user']
+
     user_obj = get_user_object(context, data_dict)
 
-    if not (Authorizer().is_sysadmin(unicode(user)) or user == user_obj.name) and \
-       not ('reset_key' in data_dict and data_dict['reset_key'] == user_obj.reset_key):
-        return {'success': False, 'msg': _('User %s not authorized to edit user %s') % (str(user), user_obj.id)}
+    # Sysadmins can edit all users
+    if Authorizer().is_sysadmin(unicode(user)):
+        return {'success': True}
 
-    return {'success': True}
+    # If the user has a valid reset_key in the db, and that same reset key
+    # has been posted in the data_dict, we allow the user to update
+    # her account without using her password or API key.
+    if user_obj.reset_key and 'reset_key' in data_dict:
+        if user_obj.reset_key == data_dict['reset_key']:
+            return {'success': True}
+
+    if not user:
+        return {'success': False,
+                'msg': _('Have to be logged in to edit user')}
+
+    if user == user_obj.name:
+        # Allow users to update their own user accounts.
+        return {'success': True}
+    else:
+        # Don't allow users to update other users' accounts.
+        return {'success': False,
+                'msg': _('User %s not authorized to edit user %s') %
+                        (user, user_obj.id)}
 
 def revision_change_state(context, data_dict):
     model = context['model']