[#2939] Fix group/org delete permissions

ckan · Nov 19, 2012 · f114c2d · f114c2d
1 parent c236148
commit f114c2d
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 2 deletions.
diff --git a/ckan/logic/auth/delete.py b/ckan/logic/auth/delete.py
@@ -74,22 +74,29 @@ def package_relationship_delete(context, data_dict):
 def group_delete(context, data_dict):
     group = get_group_object(context, data_dict)
     user = context['user']
+    if not new_authz.check_config_permission('user_delete_groups'):
+        return {'success': False,
+            'msg': _('User %s not authorized to delete groups') % user}
     authorized = new_authz.has_user_permission_for_group_or_org(
         group.id, user, 'delete')
     if not authorized:
-        return {'success': False, 'msg': _('User %s not authorized to delete group %s') % (str(user),group.id)}
+        return {'success': False, 'msg': _('User %s not authorized to delete group %s') % (user ,group.id)}
     else:
         return {'success': True}
 
 def organization_delete(context, data_dict):
     group = get_group_object(context, data_dict)
     user = context['user']
+    if not new_authz.check_config_permission('user_delete_organizations'):
+        return {'success': False,
+            'msg': _('User %s not authorized to delete organizations') % user}
     authorized = new_authz.has_user_permission_for_group_or_org(
         group.id, user, 'delete')
     if not authorized:
-        return {'success': False, 'msg': _('User %s not authorized to delete organization %s') % (str(user),group.id)}
+        return {'success': False, 'msg': _('User %s not authorized to delete organization %s') % (user ,group.id)}
     else:
         return {'success': True}
+
 def revision_undelete(context, data_dict):
     return {'success': False, 'msg': 'Not implemented yet in the auth refactor'}
 

diff --git a/ckan/new_authz.py b/ckan/new_authz.py
@@ -233,6 +233,8 @@ def _get_auth_function(action, profile=None):
     'create_unowned_dataset': True,
     'user_create_groups': True,
     'user_create_organizations': True,
+    'user_delete_groups': True,
+    'user_delete_organizations': True,
     'create_user_via_api': False,
 }
 

diff --git a/ckan/tests/logic/test_auth.py b/ckan/tests/logic/test_auth.py
@@ -10,6 +10,8 @@
     'create_dataset_if_not_in_organization': False,
     'user_create_groups': False,
     'user_create_organizations': False,
+    'user_delete_groups': False,
+    'user_delete_organizations': False,
     'create_user_via_api': False,
     'create_unowned_dataset': False,
 }