[247] fixes #247 by disallowing anonymous users to edit something tha…

…t they are not allowed to create
ckan · Dec 21, 2012 · f3c9fd6 · f3c9fd6
1 parent b208572
commit f3c9fd6
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/ckan/logic/auth/update.py b/ckan/logic/auth/update.py
@@ -14,10 +14,13 @@ def package_update(context, data_dict):
     user = context.get('user')
     package = get_package_object(context, data_dict)
 
-    if package.owner_org:
-        check1 = new_authz.has_user_permission_for_group_or_org(package.owner_org, user, 'update_dataset')
-    else:
-        check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization')
+    if not new_authz.auth_is_registered_user():
+        check1 = new_authz.check_config_permission('anon_create_dataset')
+    if check1:
+        if package.owner_org:
+            check1 = new_authz.has_user_permission_for_group_or_org(package.owner_org, user, 'update_dataset')
+        else:
+            check1 = new_authz.check_config_permission('create_dataset_if_not_in_organization')
     if not check1:
         return {'success': False, 'msg': _('User %s not authorized to edit package %s') % (str(user), package.id)}
     else: