Commit
[#283] Check context has user in related_update
* Check that the context has user key.
* Check that a user object exists corresponding to value of 'user' in context.
Showing 1 changed file with 8 additions and 0 deletions.
@@ -126,10 +126,18 @@ def related_update(context, data_dict): | |
:rtype: dictionary | ||
''' | ||
if not context.has_key('user'): | ||
raise logic.NotAuthorized( | ||
_("You must be logged in to update a related item.")) | ||
seanh
Contributor
model = context['model'] | ||
user = context['user'] | ||
id = _get_or_bust(data_dict, "id") | ||
userobj = model.User.get(user) | ||
if not userobj: | ||
raise logic.NotAuthorized( | ||
_("You must be logged in to update a related item.")) | ||
|
||
session = context['session'] | ||
|
||
schema = context.get('schema') or ckan.logic.schema.default_related_schema() | ||
|
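Review bot: the `context.has_key('user')` check at the top of the hunk uses a dict method that is deprecated and absent on Python 3; `if 'user' not in context:` is the idiomatic form. The two `raise logic.NotAuthorized(...)` calls also carry the identical message, and the second one (`if not userobj:` after `userobj = model.User.get(user)`) already rejects any context whose `user` value does not resolve to a User object, so consider reading `user = context.get('user')` and keeping a single raise after the lookup (assuming `model.User.get` returns None for a missing value, which the hunk does not show). Finally, doing the authorization inline in the action function rather than in an auth function reached through `check_access()` means the `IAuthFunctions` plugin interface cannot override it; the docstring should at least note that this action bypasses the pluggable auth path, or the check should move into a `related_update` auth function.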
Hmm. Is this necessary? I think you can assume that `'user'` is always in `context`. If no one's logged in, then `'user'` will be an IP address, you can still do `model.User.get()` with it like below but you will get `None` back, then you only need to raise NotAuthorized in one place not two. `has_key()` is deprecated in Python, use `if 'user' not in context`.

I know that several other action functions do the authorization themselves and then raise NotAuthorized, but I think this is actually incorrect, authorization should be done in a `ckan.logic.auth.related_update()` function, and then `ckan.logic.action.related_update()` should use `check_access()`. See for example `organization_create()` for the Right Way to do this. The reason is that if you don't use a separate auth function, then the `IAuthFunctions` plugin interface does not work. @tobes Do you agree?