[ENJOY THE MERGE] 2939 orgs #146
Merged
362 commits
01617b7
[#2939] Auth editors can update
tobes 86b4826
[#2930] Improve get_user_id_for_username()
tobes 0edd52d
[#2930] Allow create group/org for testing
tobes d99e4e5
[#2930] Api Tests allow sysadmin when needed
tobes 337000d
[#2930] Test fixes fn/api/model/group
tobes 0a665f3
[#2930] Test fixes fn/api/model/vocab
tobes bdc41dc
[#2930] Test fixes fn/admin
tobes 3afe0a8
[#2930] Test fixes fn/authz
tobes 9857a67
[#2930] Test fixes fn/group
tobes b65fa1f
[#2930] Test fixes fn/package
tobes b350413
[#2930] Test fixes lib/dictization
tobes ae6caba
[#2930] Test fixes lib/dictization_schema
tobes 981043c
[#2930] Test fixes create sysadmins with new method
tobes 81adad8
[#2939] Move is_sysadmin as a standalone function
tobes 59ffc63
[#2939] Clean-up imports in new_authz.py
tobes b6bd7e7
[#2939] Minor docstring fix
tobes 6fd440d
[#2939] remove publisher auth stuff - Yeah!
tobes c537cef
[#2939] Remove publisher tests
tobes 7f75ec9
[#2939] Remove form_alchemy controllers
tobes bc3009e
[#2939] Remove form_alchemy routes
tobes 92fcd77
[#2939] Sysadmins can change revision state in admin controller - rem…
tobes 606ea35
[#2939] Replace get editable groups in base controller
tobes b9c8ed7
[#2939] New get admins for group_id function added
tobes afc618c
[#2939] Group controller use new admins for group function
tobes 20d8d7b
[#2939] Remove authorizer from controllers
tobes 6302ba1
[#2939] Remove Authorizer from user controller
tobes 4252601
[#2939] Remove am_authorized helper function
tobes adca61b
[#2939] Package delete auth changes
tobes 9248559
[#2939] Remove publisher auth tests
tobes 5ca4e4f
[#2939] Remove ckan/forms
tobes a20ac52
[#2939] Remove forms usage in lib.base
tobes cf2a404
[#2939] Remove forms tests as no forms
tobes b3f7d55
[#2939] Api slugs no forms dependency
tobes 47f1764
[#2939] Remove ckan.forms from controllers
tobes fcf49ff
[#2939] User dictize sysadmin fix
tobes abc848a
[#2939] Dictize schema test fix
tobes 9d67c14
[#2939] Remove package saver tests
tobes c83a641
[#2939] Ignore auth handled earlier in the auth chain so remove
tobes c6dc49b
[#2939] Make site user sysadmin in new auth system
tobes cf9059f
[#2939] Fix model package tests re permissions
tobes 6d0e690
[#2939] Fix activity delete test re permissions
tobes 889b512
[#2939] Add snarky comment about pointless test
tobes ee11e9e
[#2939] Fix solr tests due to package changes
tobes a6376a8
[#2939] Fix lack of admin in test
tobes 42ec232
[#2939] Remove outdated auth test
tobes b4baa7e
[#2939] Fix api group delete test issues
tobes 819233a
[#2939] Add delete_dataset permission
tobes 80af92f
Merge branch 'master' into 2939-orgs
tobes 08be7c6
[#2939] Fix imports in logic validators
tobes 49f27ca
[#2939] Logic validators use new sysadmin check
tobes 8981838
[#2939] Minor refactor for readability
tobes 76a7d51
[#2939] remove some authz routes
tobes d265e12
[#2939] Remove some authz links from legacy templates
tobes a0376ce
[#2939] Remove unused import
tobes 6412b61
[#2939] Switch to you sysadmin model for plugins
tobes 83cadc9
[#2939] Update group_list_authz in actions get
tobes ac1b1b6
[#2939] New Authz add is_authorized_boolean() helper function
tobes 79ac573
[#2939] New Authz new permissions
tobes 043202d
[#2939] New Authz new permission
tobes 63a2fdd
[#2939] New Authz new helper has_user_permission_for_some_org()
tobes ef74b00
[#2939] Update get action organization_list_for_user()
tobes 3ad4727
[#2939] Update get action package_relationships_list()
tobes fb12eca
[#2939] Update get no longer uses Authorizer
tobes cc83950
[#2939] Better importing of _
tobes b423165
[#2939] Auth create package_create() changes
tobes c48c147
[#2939] Auth create resource_create() changes
tobes 38f33ea
[#2939] Auth create package_relationship_create() changes
tobes bccae61
[#2939] Auth create user_create() changes
tobes de9eeae
[#2939] Auth create _check_group_auth() changes
tobes 07d4a46
[#2939] Auth create no longer uses Authorizer
tobes e760721
[#2939] Auth get site_read() changes
tobes b587582
[#2939] Auth get package_relationships_list() changes
tobes 728a76b
[#2939] Auth get no longer uses Authorizer
tobes a631436
[#2939] Auth update remove package_edit_permissions()
tobes 75323df
[#2939] Auth update group_edit_permissions() changes
tobes cfb0097
[#2939] Auth update revision_change_state() changes
tobes fae330c
[#2939] Auth update no longer uses Authorizer
tobes 469a4c9
[#2939] Improve the org/group list logic functions
tobes 058d88d
[#2939] bugfix for logic auth create _check_group_auth()
tobes a5a5375
[#2939] Improve has_user_permission_for_some_org()
tobes 312b571
[#2939] Remove some authz tests
tobes 910f4b0
[#2939] remove another authz test
tobes 6a559bd
[#2939] Bugfix in package relationship list
tobes 559e6d8
[#2939] Run package test as admin due to permission changes
tobes 78ef5d8
[#2939] Disable part of user_role_update()
tobes 6f10ad4
[#2939] Sysadmins see all groups available
tobes bfac4af
[#2939] Fix error that must have existed for ever
tobes 0407a5d
[#2939] Fix functional package tests for new authz
tobes a1e5188
[#2939] Change default on create dataset for none org user
tobes 9b6969c
[#2939] Change default on create user
tobes e9a53c3
[#2939] Improve query in has_user_permission_for_some_org()
tobes c38cd43
[#2939] Add some auths to test-core.ini
tobes 969e87d
[#2939] remove model authz tests
tobes c209da5
[#2939] remove authz tests
tobes e775cd6
[#2939] remove model repo tests due to use of Authorizer
tobes 4acb856
[#2939] create user option linked to api usage for tests
tobes 4fbca24
[#2939] Remove IAuthorizer interface as no longer valid
tobes ad2eb8d
[#2939] Remove IAuthorizer interface from authz.py
tobes cf905d0
[#2939] Add .ini option for anon dataset creation
tobes b6bb4b4
[#2939] Skip two tests that are causing problems
tobes b341ec6
[#2939] Clean up test-core.ini
tobes 9566050
[#2939] Allow create_package auth check to be run directly not via wsgi
tobes db3b7da
[#2939] Delete relationship auth no longer use old auth functions
tobes 226d7fc
[#2939] Remove IAuthorizer from plugins test
tobes 5057ad9
[#2939] Fix logic error in create package auth
tobes 2e51b56
[#2939] Add new file_upload auth function
tobes 780ca23
[#2939] Storage controller now uses file_upload auth function
tobes d24f04a
[#2939] Add new_authz helper functions
tobes 626c76a
[#2939] Auth create functions now use new_authz helpers
tobes ae062e7
[#2939] Remove unused import in logic.auth.delete
tobes d6768ce
[#2939] Replace old Authorizer functions in logic.auth.update
tobes 64b1bf5
[#2939] Add update dataset permission
tobes 9aa2463
[#2939] remove check_access_old() function
tobes fbf5a4a
[#2939] Fix tests in tests/functional/api/base.py
tobes acf03bc
[#2939] Fix tests in tests/functional/api/model/test_package.py
tobes b292c86
[#2939] Fix tests in tests/functional/api/test_activity.py
tobes ba11d6c
[#2939] Fix tests in tests/functional/test_activity.py
tobes 3ab3559
[#2939] Fix tests in tests/functional/test_admin.py
tobes 0a1ec62
[#2939] Fix tests in tests/functional/test_tag_vocab.p
tobes 2b19fcf
[#2939] Fix tests in tests/functional/test_upload.p
tobes ba4f348
[#2939] Fix tests in tests/logic/test_action.py
tobes 5ba21b9
[#2939] Remove tests in tests/functional/test_group.py
tobes 1a6d99b
[#2939] Remove Last traces of Authorizer
tobes ff90a37
[#2939] Permission change allow dataset creation for non org user
tobes e16738f
Merge branch 'master' into 2939-orgs
tobes f3f5331
[#2939] Remove unused function
tobes fc7d019
[#2939] Update default .ini permissions
tobes 992a5bb
Fix a broken activity streams test
1b48045
[#2939] Add org members initial template
tobes c5d7888
[#2939] Add members action to group controller
tobes ffb390d
[#2939] Add members route
tobes 0760050
Merge branch 'master' into 2939-orgs
tobes 7dba229
[#2939] Change permission functions to take user name not id
tobes 1d93942
[#2939] Add organization_member_create auth function
tobes 270ffaa
[#2939] Add member templates
tobes c263a85
[#2939] Add new member routes
tobes adb0c6c
[#2939] remove unwanted print statements
tobes 4490829
[#2939] Add group/org controller member change actions
tobes 168cc15
[#2939] Member create auth functions
tobes 3c41bb5
[#2939] Member create auth functions
tobes d34c4c2
[#2939] Member delete auth functions
tobes 15f526f
[#2939] Member delete action functions
tobes b315ede
[#2939] Fix revisions for member delete action
tobes 95fe7d0
[#2939] Get member roles action added
tobes 43e95d6
[#2939] Package show auth minor fix
tobes bcb21c0
[#2939] Get member roles auth function added
tobes 96c228e
[#2939] Fix package update auth function
tobes e760a09
[#2939] Add a couple of new validation functions
tobes 19b2504
[#2939] Add member schema
tobes 68a3d73
[#2939] Add some role helper functions
tobes 1820a02
[#2939] If no group then assume permission ok
tobes cb7d3d1
[#2939] fixes to org members template
tobes a697cdb
[#2939] delete member action bugfix
tobes 1a971cd
[#2939] Add member button to group/org read templates
tobes f611bd4
[#2939] Do not assume that people have permissions for none organizat…
tobes c519f45
[#2939] Fix minor whitespace issue
tobes 1884cd0
Merge branch '2939-orgs' of github.com:okfn/ckan into 2939-orgs
tobes 21eabce
[#2939] Fix filesize issue which will not be found for years
tobes 430ba1d
Merge branch 'master' into 2939-orgs
tobes fddde43
[2939] the start of adding tests
kindly 22389d9
[2939] make sure config is updated in tests
kindly cdcc0cb
[#2939] Minor fix up remove is_org=True
tobes 4a788ea
[#3012] Fix template broken in merge
tobes 2754b34
[#2939] add auth check for package_owner_org_update
tobes d60e11b
[2939] fix so that users can not create dataset if belong to no org
kindly ba8db22
[2939] clean up tests
kindly 1d3356d
[2939] make sure old permissions get reset after test finish
kindly 521607e
[2939] add tests to check adding of datasets
kindly e96d979
Merge branch '2939-orgs' of github.com:okfn/ckan into 2939-orgs
kindly 5ea6c01
[2939] add more testing
kindly ce3bade
[#2939] Fix test 5
tobes 9a36d04
[#2939] Fix misnamed function
tobes 231ec96
[#2939] Fix comment typo
tobes 50b16cf
[#2939] Add owner_org validator
tobes 4009b4a
[#2939] Fix owner_org validator
tobes af95d0d
[#2939] Fix user is in group
tobes 1f710a9
[#2939] Need to set user org without admin checks
tobes 4714acb
[#2939] Need to set user org without admin checks in update
tobes 0f525d4
[#2939] Schema change for update
tobes 99ac4d7
[#2939] tests expect 409 not 403
tobes 893fdd0
[#2939] New config option
tobes 729ff64
[#2939] Move org chooser to stage one of add dataset
tobes 1208e16
[#2939] group tests and cleanup
kindly 14d5f4c
[#2939] make sure organizations are not getting indexed within org
kindly df57f8a
Merge branch '2911-internal-doc-of-org-group-auth' into 2939-orgs
kindly 01343fe
[#2939] merge in user story branch
kindly 187faa1
[#2939] test rename org admin
kindly 9601e41
[#2939] make sure user created in sysadmin cli
kindly d326da5
Merge branch 'master' into 2939-orgs
tobes a58b54f
[#2939] rename migrate to avoid conflict with master
tobes 5c948ff
[#2939] Fix test test_04_modify_group
tobes c236148
[#2939] Fix test test_03_add_dataset_to_group
tobes f114c2d
[#2939] Fix group/org delete permissions
tobes 120149b
[#2939] Clean logic auth tests
tobes 2723531
[#2939] Logic auth_test nicer api call fn name
tobes a408ed5
[#2939] io not require owner_org in package data
tobes 293534b
[#2939] Fix group controller for auth changes
tobes 0635ad1
[#2939] Fix follow tests
tobes 3914033
Merge branch 'master' into 2939-orgs
tobes 85be1a7
[#2939] Fix errors on dashboard re undefined activity icon
tobes bd6f866
[#2939] update main.css
tobes c18deb5
[#2939] Proper activity stream fix
tobes 257a9cb
[#2939] Undefined activities now neutral colour
tobes c1cd8fa
[#2939] Css update
tobes bcae651
[#2939] Minified files
tobes 7875f3e
[#2939] Improve the markdown_extract function
tobes 2940296
[#2939] template fixes for org/group snippet
tobes a1f8c1c
Merge branch 'master' into 2939-orgs
tobes 3c274b9
[#2839] Fix group controller for group display pages
tobes 091228f
[#2939] Allow get_group_or_org_admin_ids() to accept name or id
tobes 2fb4797
[#2939] Hack follower snippet for group admins
tobes 6e03d1a
Merge branch 'master' into 2939-orgs
tobes 2317da3
Few UX tweaks to the org pages
johnmartin 8e07b4c
Dashboard icons and colors for activity streams
johnmartin 15bb505
Tweaks Organizations work-flow
johnmartin e51e914
Text overflow fix for organization description
johnmartin 69bd94d
Fix for allowing the title to be sent through to the facet list
johnmartin b4b1eb6
Fix for pre-filled organizations in package create form
johnmartin bd08b6d
Re-built main.css
johnmartin 8bd1579
Fix for user dropdown autocomplete
johnmartin 6dea0a8
Fix for group images overflowing on the homepage
johnmartin ad691fb
Re-compiled main.css
johnmartin 5ec66fd
Added minified files, maybe for the last time ;p
johnmartin dcdb613
[#2939] Fix org template to allow add org
tobes 03bcbca
Merge branch '2939-orgs' of github.com:okfn/ckan into 2939-orgs
tobes e21dac1
[#2939] Fix org template to allow org members
tobes 07b4fa5
[#2939] Only show members not orgs in org member list
tobes 0429cb9
Merge branch 'master' into 2939-orgs
tobes 2a756aa
[#2939] Fix tests due to creation rights issue
tobes 01d1718
[#2939] Fix package edit to show org on edit
tobes e993a52
[#2939] Do not allow update of group dataset for new templates
tobes c2269cb
[#2939] Unbreak group edit template
tobes 34ae5ff
[#2939] Show group memberships in legacy templates
tobes 0a3ffe0
[#2939] Only update datasets group if we have permission for that group
tobes df4d4db
[#2939] Add group info to dataset metadata form
tobes 7c4ee6b
[#2939] Simpler group dataset query
tobes 7cb4e60
[#2939] fix tests by adding user
kindly cdc8ee8
Merge branch 'master' into 2939-orgs
tobes 15eb468
Merge branch 'master' into 2939-orgs
tobes 072ba81
[#2939] Sean's dashboard test shim - Thanks sean
tobes 88e8532
[#2939] Fix group pending package test
tobes a2958bc
[#2939] Sysadmins have all the permissions
tobes a7c5934
[#2939] Fix couple of dashboard tests
tobes 463d184
[2939] fix organization available helper so can take permission as ar…
kindly d6b761e
[2939] let the new dataset form default to first org the user belongs to
kindly c0ce7e2
[2939] show datasets is search to member of the org
kindly f629913
[2939] add extra params to test-core.ini
kindly 4c57d80
[2939] fix error in permission
kindly 61c5d2b
[#2939] Merged master
johnmartin b70ad3d
[#2939] Fix for undefined global within activity stream templates
johnmartin
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,267 +1,2 @@ | ||
import sqlalchemy as sa | ||
from sqlalchemy.orm.attributes import InstrumentedAttribute | ||
|
||
import ckan.model as model | ||
from ckan.plugins import PluginImplementations | ||
from ckan.plugins.interfaces import IAuthorizer | ||
|
||
class Blacklister(object): | ||
'''Blacklist by username. | ||
|
||
NB: username will be IP address if user not logged in. | ||
''' | ||
|
||
@staticmethod | ||
def is_blacklisted(username): | ||
from pylons import config | ||
blacklist_string = config.get('auth.blacklist', '') | ||
blacklisted = blacklist_string.split() | ||
if username in blacklisted: | ||
return True | ||
else: | ||
return False | ||
|
||
|
||
class Authorizer(object): | ||
'''An access controller. | ||
''' | ||
blacklister = Blacklister | ||
extensions = PluginImplementations(IAuthorizer) | ||
|
||
@classmethod | ||
def am_authorized(cls, c, action, domain_object): | ||
username = c.user or c.author | ||
return cls.is_authorized(username, action, domain_object) | ||
|
||
@classmethod | ||
def is_authorized(cls, username, action, domain_object): | ||
'''Authorize `action` by `username` on `domain_object`. | ||
|
||
:param username: a user identifier (may be e.g. an IP address). | ||
:param action: a ckan.model.authz.Action enumeration. | ||
:param domain_object: the domain object instance (or class/type in the | ||
case of e.g. 'create' action). | ||
|
||
:returns: True or False | ||
''' | ||
if isinstance(username, str): | ||
username = username.decode('utf8') | ||
assert isinstance(username, unicode), type(username) | ||
|
||
for extension in cls.extensions: | ||
authorized = extension.is_authorized(username, | ||
action, | ||
domain_object) | ||
if authorized: | ||
return True | ||
# sysadmins can do everything | ||
if cls.is_sysadmin(username) or domain_object is None: | ||
return True | ||
|
||
# check not blacklisted | ||
if action is not model.Action.READ: | ||
if cls.blacklister.is_blacklisted(username): | ||
return False | ||
|
||
# check this user's roles for this object | ||
roles = cls.get_roles(username, domain_object) | ||
if not roles: | ||
return False | ||
# print '%r has roles %s on object %s. Checking permission to %s' % (username, roles, domain_object.name, action) | ||
|
||
if model.Role.ADMIN in roles: | ||
return True | ||
|
||
# check it's active | ||
if domain_object.__class__ != type and hasattr(domain_object, 'state'): | ||
if domain_object.state == model.State.DELETED: | ||
return False | ||
|
||
# check if any of the roles allows the action requested | ||
for role in roles: | ||
action_query = model.Session.query(model.RoleAction).autoflush(False).filter_by( | ||
role=role, action=action) | ||
if action_query.count() > 0: | ||
return True | ||
|
||
return False | ||
|
||
@classmethod | ||
def get_domain_object_roles_printable(cls, domain_obj): | ||
prs = cls.get_domain_object_roles(domain_obj) | ||
printable_prs = [] | ||
for user, role in prs: | ||
printable_prs.append('%s - \t%s' % (user.name, role)) | ||
return '%s roles:\n' % domain_obj.name + '\n'.join(printable_prs) | ||
|
||
@classmethod | ||
def get_domain_object_roles(cls, domain_obj): | ||
'''Get a list of tuples (user, role) for domain_obj specified''' | ||
assert isinstance(domain_obj, (model.Package, model.Group)) | ||
if isinstance(domain_obj, model.Package): | ||
q = model.Session.query(model.PackageRole).filter_by(package=domain_obj) | ||
elif isinstance(domain_obj, model.Group): | ||
q = model.Session.query(model.GroupRole).filter_by(group=domain_obj) | ||
prs = [ (pr.user, pr.role) for pr in q.all() ] | ||
return prs | ||
|
||
|
||
@classmethod | ||
def get_roles(cls, username, domain_obj): | ||
'''Get the roles that the specified user has on the specified domain | ||
object. | ||
''' | ||
assert isinstance(username, unicode), repr(username) | ||
|
||
# filter by user and pseudo-users | ||
# TODO: these can be made into subqueries/joins! | ||
user = model.User.by_name(username, autoflush=False) | ||
visitor = model.User.by_name(model.PSEUDO_USER__VISITOR, autoflush=False) | ||
q = cls._get_roles_query(domain_obj) | ||
q = q.autoflush(False) | ||
|
||
filters = [model.UserObjectRole.user==visitor] | ||
|
||
if (username != model.PSEUDO_USER__VISITOR) and (user is not None): | ||
logged_in = model.User.by_name(model.PSEUDO_USER__LOGGED_IN) | ||
filters.append(model.UserObjectRole.user==user) | ||
filters.append(model.UserObjectRole.user==logged_in) | ||
|
||
q = q.filter(sa.or_(*filters)) | ||
return [pr.role for pr in q] | ||
|
||
@classmethod | ||
def is_sysadmin(cls, user): | ||
'''Returns whether the given user a sys-admin? | ||
(sysadmin = system administrator with full authorization) | ||
Ideally provide a user object. Next best is a user name. | ||
''' | ||
if not user: | ||
return False | ||
if isinstance(user, basestring): | ||
user = model.User.by_name(user, autoflush=False) | ||
if not user: | ||
return False | ||
elif not isinstance(user, model.User): | ||
raise NotImplementedError | ||
q = model.Session.query(model.SystemRole) | ||
q = q.autoflush(False) | ||
q = q.filter_by(role=model.Role.ADMIN, user=user) | ||
return q.count() > 0 | ||
|
||
@classmethod | ||
def get_admins(cls, domain_obj): | ||
if isinstance(domain_obj, model.Package): | ||
q = model.Session.query(model.PackageRole).filter_by(package=domain_obj, | ||
role=model.Role.ADMIN) | ||
elif isinstance(domain_obj, model.Group): | ||
q = model.Session.query(model.GroupRole).filter_by(group=domain_obj, | ||
role=model.Role.ADMIN) | ||
q = q.autoflush(False) | ||
admins = [do_role.user for do_role in q.all() if do_role.user] | ||
return admins | ||
|
||
@classmethod | ||
def authorized_query(cls, username, entity, action=model.Action.READ): | ||
q = model.Session.query(entity) | ||
q = q.autoflush(False) | ||
if username: | ||
user = model.User.by_name(username, autoflush=False) | ||
else: | ||
user = None | ||
visitor = model.User.by_name(model.PSEUDO_USER__VISITOR, autoflush=False) | ||
logged_in = model.User.by_name(model.PSEUDO_USER__LOGGED_IN, | ||
autoflush=False) | ||
if not cls.is_sysadmin(user): | ||
# This gets the role table the entity is joined to. we | ||
# need to use this in the queries below as if we use | ||
# model.UserObjectRole a cross join happens always | ||
# returning all the roles. | ||
if hasattr(entity, 'continuity'): | ||
q = q.filter_by(current=True) | ||
q = q.outerjoin('continuity', 'roles') | ||
continuity = entity.continuity.property.mapper.class_ | ||
role_cls = continuity.roles.property.mapper.class_ | ||
else: | ||
role_cls = entity.roles.property.mapper.class_ | ||
q = q.outerjoin('roles') | ||
|
||
if hasattr(entity, 'state'): | ||
state = entity.state | ||
else: | ||
state = None | ||
|
||
filters = [model.UserObjectRole.user==visitor] | ||
if user: | ||
filters.append(role_cls.user==user) | ||
filters.append(role_cls.user==logged_in) | ||
q = q.filter(sa.or_( | ||
sa.and_(role_cls.role==model.RoleAction.role, | ||
model.RoleAction.action==action, | ||
state and state!=model.State.DELETED), | ||
role_cls.role==model.Role.ADMIN)) | ||
else: | ||
q = q.filter( | ||
sa.and_(role_cls.role==model.RoleAction.role, | ||
model.RoleAction.action==action, | ||
state and state!=model.State.DELETED), | ||
) | ||
q = q.filter(sa.or_(*filters)) | ||
q = q.distinct() | ||
|
||
return q | ||
|
||
@classmethod | ||
def authorized_package_relationships(cls, username, | ||
package1, | ||
package2=None, | ||
relationship_type=None, | ||
action=model.Action.READ): | ||
'''For a given package(s) returns a list of relationships that | ||
the specified user is allowed to do the specified action on.''' | ||
# Maybe there is an sqlalchemy query to do this all in one, but | ||
# it would be rather complex. | ||
rels = package1.get_relationships(with_package=package2, | ||
type=relationship_type) | ||
authorized_rels = [] | ||
for rel in rels: | ||
if cls.authorized_package_relationship( | ||
username, rel.subject, rel.object, action): | ||
authorized_rels.append(rel) | ||
return authorized_rels | ||
|
||
@classmethod | ||
def authorized_package_relationship(cls, username, | ||
package1, | ||
package2, | ||
action=model.Action.READ): | ||
'''Returns a boolean - whether a user is authorized to perform the | ||
specified action on a package relationship between the specified | ||
packages.''' | ||
return cls.is_authorized(username, action, package1) and \ | ||
cls.is_authorized(username, action, package2) | ||
|
||
@classmethod | ||
def _get_roles_query(cls, domain_obj): | ||
q = model.Session.query(model.UserObjectRole) | ||
q = q.autoflush(False) | ||
is_a_class = domain_obj.__class__ == type | ||
if not is_a_class: | ||
# this is kind of ugly as we have to switch on the instance type | ||
if isinstance(domain_obj, model.Package): | ||
q = q.with_polymorphic(model.PackageRole) | ||
q = q.filter(model.PackageRole.package==domain_obj) | ||
elif isinstance(domain_obj, model.Group): | ||
q = q.with_polymorphic(model.GroupRole) | ||
q = q.filter(model.GroupRole.group==domain_obj) | ||
elif isinstance(domain_obj, model.System): | ||
q = q.with_polymorphic(model.SystemRole) | ||
q = q.filter(model.SystemRole.context==unicode(model.System.__name__)) | ||
else: | ||
raise Exception('Do not support context object like: %r' % | ||
domain_obj) | ||
context = domain_obj.__name__ if is_a_class else domain_obj.__class__.__name__ | ||
q = q.filter_by(context=unicode(context)) | ||
return q | ||
|
||
|
||
# Old Auth functions have been removed logic.auth functions now provide the | ||
# sole ckan authorization system | ||
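Review bot: `Authorizer.is_authorized` was where `Blacklister.is_blacklisted` (the `auth.blacklist` config option) was applied to every non-READ action, and this hunk deletes it without showing where that check goes. If the `logic.auth` functions do not consult `auth.blacklist`, blacklisted usernames or IP addresses regain write access after this merge; either carry the check over or say in the remaining comment and the changelog that the option is now ignored. The two-line stub that is left also means `import ckan.authz` keeps succeeding while any leftover `Authorizer` reference fails only when it is reached, so grepping for remaining imports and then deleting the file would be safer. The stub comment itself needs a full stop after "removed".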
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -204,10 +204,6 @@ def make_map(): | |
map.redirect('/package', '/dataset') | ||
map.redirect('/package/{url:.*}', '/dataset/{url}') | ||
|
||
##to get back formalchemy uncomment these lines | ||
##map.connect('/package/new', controller='package_formalchemy', action='new') | ||
##map.connect('/package/edit/{id}', controller='package_formalchemy', action='edit') | ||
|
||
with SubMapper(map, controller='related') as m: | ||
m.connect('related_new', '/dataset/{id}/related/new', action='new') | ||
m.connect('related_edit', '/dataset/{id}/related/edit/{related_id}', | ||
Delete these?

In my enthusiasm for deletion all the formalchemy stuff has gone too so no controller etc - david was keen for this
||
|
@@ -235,7 +231,6 @@ def make_map(): | |
requirements=dict(action='|'.join([ | ||
'read', | ||
'edit', | ||
'authz', | ||
'history', | ||
])) | ||
) | ||
|
@@ -244,7 +239,6 @@ def make_map(): | |
'edit', | ||
'new_metadata', | ||
'new_resource', | ||
'authz', | ||
'history', | ||
'read_ajax', | ||
'history_ajax', | ||
|
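Review bot: Dropping 'authz' from the two `requirements` action lists (this hunk and the one above it) only stops the URL from matching these routes; neither hunk shows the controller's `authz` action being removed. Confirm that the action and its templates go in the same change, so the old permission-editing code is not left reachable through another route or a plugin-registered map.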
@@ -296,8 +290,10 @@ def make_map(): | |
m.connect('group_action', '/group/{action}/{id}', | ||
requirements=dict(action='|'.join([ | ||
'edit', | ||
'authz', | ||
'delete', | ||
'members', | ||
'member_new', | ||
'member_delete', | ||
'history', | ||
'followers', | ||
'follow', | ||
|
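Review bot: 'member_new' and 'member_delete' are added to the `group_action` route with no method restriction visible in the `m.connect` call, so as routed here they match any HTTP method, the same as 'delete'. Both change who holds a role in the group, so consider giving the state-changing actions their own route with `conditions=dict(method=['POST'])`, or make sure the controller rejects non-POST requests and runs the member auth check before it does anything else.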
@@ -310,6 +306,24 @@ def make_map(): | |
m.connect('group_activity', '/group/activity/{id}/{offset}', action='activity'), | ||
m.connect('group_read', '/group/{id}', action='read') | ||
|
||
# organizations these basically end up being the same as groups | ||
with SubMapper(map, controller='organization') as m: | ||
m.connect('organizations_index', '/organization', action='index') | ||
m.connect('/organization/list', action='list') | ||
m.connect('/organization/new', action='new') | ||
m.connect('/organization/{action}/{id}', | ||
requirements=dict(action='|'.join([ | ||
'edit', | ||
'delete', | ||
'admins', | ||
'members', | ||
'member_new', | ||
'member_delete', | ||
'history', | ||
'about' | ||
])) | ||
) | ||
m.connect('organization_read', '/organization/{id}', action='read') | ||
register_package_plugins(map) | ||
register_group_plugins(map) | ||
|
||
|
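Review bot: The `/organization/{action}/{id}` route is unnamed, while its group counterpart is named `group_action`, so templates cannot build these URLs by route name; give it a name (for example `organization_action`). The action list also differs from the group one: 'admins' and 'about' do not appear in the visible part of the group list, and 'followers' and 'follow' are missing here, which the comment "these basically end up being the same as groups" does not explain. Check that the organization controller implements every listed action and enforces the member auth checks on 'member_new' and 'member_delete', and add a blank line before `register_package_plugins(map)`.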
Can't just delete the whole file?
yes but I would need to trace all the places it is imported and I've sort of hit time constraints
feel free to do this though