Fix bug that allow anonymous users to access datasets without allowed users
This commit is contained in:
parent
1269492669
commit
95cac2b653
|
@ -38,9 +38,11 @@ def package_show(context, data_dict):
|
|||
# user is in the allowed_users object
|
||||
if not authorized:
|
||||
if hasattr(package, 'extras') and 'allowed_users' in package.extras:
|
||||
allowed_users = package.extras['allowed_users'].split(',')
|
||||
if user in allowed_users:
|
||||
authorized = True
|
||||
allowed_users = package.extras['allowed_users']
|
||||
if allowed_users != '': # ''.split(',') ==> ['']
|
||||
allowed_users_list = allowed_users.split(',')
|
||||
if user in allowed_users_list:
|
||||
authorized = True
|
||||
|
||||
if not authorized:
|
||||
# Show a flash message with the URL to adquire the dataset
|
||||
|
|
|
@ -46,6 +46,7 @@ class PluginTest(unittest.TestCase):
|
|||
(None, None, None, False, 'active', None, None, None, None, None, True),
|
||||
# Anonymous user (private)
|
||||
(None, None, None, True, 'active', None, None, None, None, '/', False),
|
||||
(None, None, '', True, 'active', None, None, '', None, '/', False),
|
||||
# Anonymous user (private). Buy URL not shown
|
||||
(None, None, None, True, 'active', None, None, None, 'google.es', '/', False),
|
||||
# Anonymous user (private). Buy URL shown
|
||||
|
@ -83,7 +84,7 @@ class PluginTest(unittest.TestCase):
|
|||
returned_package.owner_org = owner_org
|
||||
returned_package.extras = {}
|
||||
|
||||
if allowed_users:
|
||||
if allowed_users is not None:
|
||||
returned_package.extras['allowed_users'] = allowed_users
|
||||
|
||||
if adquire_url:
|
||||
|
@ -95,9 +96,9 @@ class PluginTest(unittest.TestCase):
|
|||
|
||||
# Prepare the context
|
||||
context = {}
|
||||
if user:
|
||||
if user is not None:
|
||||
context['user'] = user
|
||||
if user_obj_id:
|
||||
if user_obj_id is not None:
|
||||
context['auth_user_obj'] = MagicMock()
|
||||
context['auth_user_obj'].id = user_obj_id
|
||||
|
||||
|
@ -134,9 +135,9 @@ class PluginTest(unittest.TestCase):
|
|||
|
||||
# Prepare the context
|
||||
context = {}
|
||||
if user:
|
||||
if user is not None:
|
||||
context['user'] = user
|
||||
if user_obj_id:
|
||||
if user_obj_id is not None:
|
||||
context['auth_user_obj'] = MagicMock()
|
||||
context['auth_user_obj'].id = user_obj_id
|
||||
|
||||
|
@ -278,7 +279,7 @@ class PluginTest(unittest.TestCase):
|
|||
|
||||
plugin.private_datasets_metadata_checker(KEY, data, errors, {})
|
||||
|
||||
if (error_set):
|
||||
if error_set:
|
||||
self.assertEquals(1, len(errors[KEY]))
|
||||
else:
|
||||
self.assertEquals(0, len(errors[KEY]))
|
||||
|
|
Loading…
Reference in New Issue