harvester-d4science/ckanext/harvest/logic/auth/get.py

from ckan.plugins import toolkit as pt

from ckanext.harvest.logic.auth import get_job_object


def auth_allow_anonymous_access(auth_function):
    '''
        Local version of the auth_allow_anonymous_access decorator that only
        calls the actual toolkit decorator if the CKAN version supports it
    '''
    if pt.check_ckan_version(min_version='2.2'):
        auth_function = pt.auth_allow_anonymous_access(auth_function)

    return auth_function


@auth_allow_anonymous_access
def harvest_source_show(context, data_dict):
    '''
        Authorization check for getting the details of a harvest source

        It forwards the checks to package_show, which will check for
        organization membership, whether if sysadmin, etc according to the
        instance configuration.
    '''
    model = context.get('model')
    user = context.get('user')
    source_id = data_dict['id']

    pkg = model.Package.get(source_id)
    if not pkg:
        raise pt.ObjectNotFound(pt._('Harvest source not found'))

    context['package'] = pkg

    try:
        pt.check_access('package_show', context, data_dict)
        return {'success': True}
    except pt.NotAuthorized:
        return {'success': False,
                'msg': pt._('User {0} not authorized to read harvest source {1}')
                .format(user, source_id)}

@auth_allow_anonymous_access
def harvest_source_show_status(context, data_dict):
    '''
        Authorization check for getting the status of a harvest source

        It forwards the checks to harvest_source_show.
    '''
    return harvest_source_show(context, data_dict)

@auth_allow_anonymous_access
def harvest_source_list(context, data_dict):
    '''
        Authorization check for getting a list of harveste sources

        Everybody can do it
    '''
    return {'success': True}


def harvest_job_show(context, data_dict):
    '''
        Authorization check for getting the details of a harvest job

        It forwards the checks to harvest_source_update, ie if the user can
        update the parent source (eg create new jobs), she can get the details
        for the job, including the reports
    '''
    user = context.get('user')
    job = get_job_object(context, data_dict)

    try:
        pt.check_access('harvest_source_update',
                        context,
                        {'id': job.source.id})
        return {'success': True}
    except pt.NotAuthorized:
        return {'success': False,
                'msg': pt._('User {0} not authorized to see jobs from source {1}')
                .format(user, job.source.id)}


def harvest_job_list(context, data_dict):
    '''
        Authorization check for getting a list of jobs for a source

        It forwards the checks to harvest_source_update, ie if the user can
        update the parent source (eg create new jobs), she can get the list of
        jobs
    '''
    user = context.get('user')
    source_id = data_dict['source_id']

    try:
        pt.check_access('harvest_source_update',
                        context,
                        {'id': source_id})
        return {'success': True}
    except pt.NotAuthorized:
        return {'success': False,
                'msg': pt._('User {0} not authorized to list jobs for source {1}')
                .format(user, source_id)}


@auth_allow_anonymous_access
def harvest_object_show(context, data_dict):
    '''
        Authorization check for getting the contents of a harvest object

        Everybody can do it
    '''
    return {'success': True}


def harvest_object_list(context, data_dict):
    '''
    TODO: remove
    '''
    return {'success': True}


@auth_allow_anonymous_access
def harvesters_info_show(context, data_dict):
    '''
        Authorization check for getting information about the available
        harvesters

        Everybody can do it
    '''
    return {'success': True}
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`from ckan.plugins import toolkit as pt`
[#5] Change default auth for showing and listing jobs Forward auth checks to harvest_source_update instead of harvest_source_show, as job reports should only be visible to users that can manage sources. 2013-01-28 17:31:11 +01:00
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`from ckanext.harvest.logic.auth import get_job_object`
[logic,auth] Add auth logic layer The first version of the auth layer is based on the current policy, i.e. you need to be sysadmin to perform any action. TODO: the CLI is still not working. 2012-03-01 13:02:16 +01:00

[#77] Use auth_allow_anonymous_access decorator Starting from 2.2 you need to explicitly flag auth functions that allow anonymous access with the p.toolkit.auth_allow_anonymous_access decorator. A local version of the decorator is used to ensure we only use it on CKAN>=2.2 2014-01-20 14:47:37 +01:00
			`def auth_allow_anonymous_access(auth_function):`
			`'''`
			`Local version of the auth_allow_anonymous_access decorator that only`
			`calls the actual toolkit decorator if the CKAN version supports it`
			`'''`
			`if pt.check_ckan_version(min_version='2.2'):`
			`auth_function = pt.auth_allow_anonymous_access(auth_function)`

			`return auth_function`


			`@auth_allow_anonymous_access`
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`def harvest_source_show(context, data_dict):`
			`'''`
			`Authorization check for getting the details of a harvest source`
[logic,auth] Add auth logic layer The first version of the auth layer is based on the current policy, i.e. you need to be sysadmin to perform any action. TODO: the CLI is still not working. 2012-03-01 13:02:16 +01:00
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`It forwards the checks to package_show, which will check for`
			`organization membership, whether if sysadmin, etc according to the`
			`instance configuration.`
			`'''`
			`model = context.get('model')`
[logic,auth] Add auth logic layer The first version of the auth layer is based on the current policy, i.e. you need to be sysadmin to perform any action. TODO: the CLI is still not working. 2012-03-01 13:02:16 +01:00			`user = context.get('user')`
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`source_id = data_dict['id']`

			`pkg = model.Package.get(source_id)`
			`if not pkg:`
			`raise pt.ObjectNotFound(pt._('Harvest source not found'))`
[logic,auth] Add auth logic layer The first version of the auth layer is based on the current policy, i.e. you need to be sysadmin to perform any action. TODO: the CLI is still not working. 2012-03-01 13:02:16 +01:00
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`context['package'] = pkg`

			`try:`
			`pt.check_access('package_show', context, data_dict)`
[logic,auth] Add auth logic layer The first version of the auth layer is based on the current policy, i.e. you need to be sysadmin to perform any action. TODO: the CLI is still not working. 2012-03-01 13:02:16 +01:00			`return {'success': True}`
[#4] Fix typo in auth functions 2013-01-16 13:56:58 +01:00			`except pt.NotAuthorized:`
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`return {'success': False,`
[#5] Change default auth for showing and listing jobs Forward auth checks to harvest_source_update instead of harvest_source_show, as job reports should only be visible to users that can manage sources. 2013-01-28 17:31:11 +01:00			`'msg': pt._('User {0} not authorized to read harvest source {1}')`
			`.format(user, source_id)}`
[logic,auth] Add auth logic layer The first version of the auth layer is based on the current policy, i.e. you need to be sysadmin to perform any action. TODO: the CLI is still not working. 2012-03-01 13:02:16 +01:00
[#77] Use auth_allow_anonymous_access decorator Starting from 2.2 you need to explicitly flag auth functions that allow anonymous access with the p.toolkit.auth_allow_anonymous_access decorator. A local version of the decorator is used to ensure we only use it on CKAN>=2.2 2014-01-20 14:47:37 +01:00			`@auth_allow_anonymous_access`
Add auth function for harvest_source_show_status 2013-03-18 17:48:27 +01:00			`def harvest_source_show_status(context, data_dict):`
			`'''`
			`Authorization check for getting the status of a harvest source`

			`It forwards the checks to harvest_source_show.`
			`'''`
			`return harvest_source_show(context, data_dict)`
[logic,auth] Add auth logic layer The first version of the auth layer is based on the current policy, i.e. you need to be sysadmin to perform any action. TODO: the CLI is still not working. 2012-03-01 13:02:16 +01:00
[#77] Use auth_allow_anonymous_access decorator Starting from 2.2 you need to explicitly flag auth functions that allow anonymous access with the p.toolkit.auth_allow_anonymous_access decorator. A local version of the decorator is used to ensure we only use it on CKAN>=2.2 2014-01-20 14:47:37 +01:00			`@auth_allow_anonymous_access`
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`def harvest_source_list(context, data_dict):`
			`'''`
			`Authorization check for getting a list of harveste sources`
[logic,auth] Add auth logic layer The first version of the auth layer is based on the current policy, i.e. you need to be sysadmin to perform any action. TODO: the CLI is still not working. 2012-03-01 13:02:16 +01:00
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`Everybody can do it`
			`'''`
			`return {'success': True}`
[logic,auth] Add auth logic layer The first version of the auth layer is based on the current policy, i.e. you need to be sysadmin to perform any action. TODO: the CLI is still not working. 2012-03-01 13:02:16 +01:00

[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`def harvest_job_show(context, data_dict):`
			`'''`
			`Authorization check for getting the details of a harvest job`
[logic,auth] Add auth logic layer The first version of the auth layer is based on the current policy, i.e. you need to be sysadmin to perform any action. TODO: the CLI is still not working. 2012-03-01 13:02:16 +01:00
[#5] Change default auth for showing and listing jobs Forward auth checks to harvest_source_update instead of harvest_source_show, as job reports should only be visible to users that can manage sources. 2013-01-28 17:31:11 +01:00			`It forwards the checks to harvest_source_update, ie if the user can`
			`update the parent source (eg create new jobs), she can get the details`
			`for the job, including the reports`
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`'''`
[#5] Change default auth for showing and listing jobs Forward auth checks to harvest_source_update instead of harvest_source_show, as job reports should only be visible to users that can manage sources. 2013-01-28 17:31:11 +01:00			`user = context.get('user')`
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`job = get_job_object(context, data_dict)`

[#5] Change default auth for showing and listing jobs Forward auth checks to harvest_source_update instead of harvest_source_show, as job reports should only be visible to users that can manage sources. 2013-01-28 17:31:11 +01:00			`try:`
			`pt.check_access('harvest_source_update',`
			`context,`
			`{'id': job.source.id})`
			`return {'success': True}`
			`except pt.NotAuthorized:`
			`return {'success': False,`
			`'msg': pt._('User {0} not authorized to see jobs from source {1}')`
			`.format(user, job.source.id)}`
[logic,auth] Add auth logic layer The first version of the auth layer is based on the current policy, i.e. you need to be sysadmin to perform any action. TODO: the CLI is still not working. 2012-03-01 13:02:16 +01:00
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00
			`def harvest_job_list(context, data_dict):`
			`'''`
			`Authorization check for getting a list of jobs for a source`

[#5] Fix auth for harvest_job_list (should forward to harvest_source_update) 2013-02-05 17:41:29 +01:00			`It forwards the checks to harvest_source_update, ie if the user can`
			`update the parent source (eg create new jobs), she can get the list of`
			`jobs`
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`'''`
[#5] Fix auth for harvest_job_list (should forward to harvest_source_update) 2013-02-05 17:41:29 +01:00			`user = context.get('user')`
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`source_id = data_dict['source_id']`
[#5] Fix auth for harvest_job_list (should forward to harvest_source_update) 2013-02-05 17:41:29 +01:00
			`try:`
			`pt.check_access('harvest_source_update',`
			`context,`
			`{'id': source_id})`
			`return {'success': True}`
			`except pt.NotAuthorized:`
			`return {'success': False,`
			`'msg': pt._('User {0} not authorized to list jobs for source {1}')`
			`.format(user, source_id)}`

[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00

[#77] Use auth_allow_anonymous_access decorator Starting from 2.2 you need to explicitly flag auth functions that allow anonymous access with the p.toolkit.auth_allow_anonymous_access decorator. A local version of the decorator is used to ensure we only use it on CKAN>=2.2 2014-01-20 14:47:37 +01:00			`@auth_allow_anonymous_access`
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`def harvest_object_show(context, data_dict):`
			`'''`
			`Authorization check for getting the contents of a harvest object`

			`Everybody can do it`
			`'''`
Allow showing harvest objects by default (on the default auth profile) 2012-08-09 14:37:28 +02:00			`return {'success': True}`
[logic,auth] Add auth logic layer The first version of the auth layer is based on the current policy, i.e. you need to be sysadmin to perform any action. TODO: the CLI is still not working. 2012-03-01 13:02:16 +01:00

[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`def harvest_object_list(context, data_dict):`
			`'''`
			`TODO: remove`
			`'''`
			`return {'success': True}`
[logic,auth] Add auth logic layer The first version of the auth layer is based on the current policy, i.e. you need to be sysadmin to perform any action. TODO: the CLI is still not working. 2012-03-01 13:02:16 +01:00

[#77] Use auth_allow_anonymous_access decorator Starting from 2.2 you need to explicitly flag auth functions that allow anonymous access with the p.toolkit.auth_allow_anonymous_access decorator. A local version of the decorator is used to ensure we only use it on CKAN>=2.2 2014-01-20 14:47:37 +01:00			`@auth_allow_anonymous_access`
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`def harvesters_info_show(context, data_dict):`
			`'''`
			`Authorization check for getting information about the available`
			`harvesters`
[logic,auth] Add auth logic layer The first version of the auth layer is based on the current policy, i.e. you need to be sysadmin to perform any action. TODO: the CLI is still not working. 2012-03-01 13:02:16 +01:00
[#4] Refactor authorization functions The authorization functions have been refactored to take into account both the new organizaton based authorization on CKAN core and the harvest source datasets. Basically at the source level, authorization checks are forwarded to the relevant package auth function (package_create, package_update, etc.) wich will check for organizations membership, sysadmin, etc. Also we only use functions available on the plugins toolkit whenever possible. 2013-01-09 18:26:48 +01:00			`Everybody can do it`
			`'''`
			`return {'success': True}`