In publisher auth mode, any member of the group can make the changes. This brings things in line with the general idea that Admins have the power to do this plus authorize other editors/admins.
parent
017222afd2
commit
5151f4ee23
|
@ -1,3 +1,4 @@
|
|||
import logging
|
||||
from sqlalchemy import or_
|
||||
from ckan.authz import Authorizer
|
||||
from ckan.model import User
|
||||
|
@ -13,6 +14,8 @@ from ckanext.harvest.logic.dictization import (harvest_source_dictize,
|
|||
harvest_job_dictize,
|
||||
harvest_object_dictize)
|
||||
|
||||
log = logging.getLogger(__name__)
|
||||
|
||||
def harvest_source_show(context,data_dict):
|
||||
|
||||
check_access('harvest_source_show',context,data_dict)
|
||||
|
@ -147,8 +150,8 @@ def _get_sources_for_user(context,data_dict):
|
|||
user_obj = User.get(user)
|
||||
|
||||
publisher_filters = []
|
||||
|
||||
for publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]:
|
||||
publishers_for_the_user = user_obj.get_groups(u'publisher')
|
||||
for publisher_id in [g.id for g in publishers_for_the_user]:
|
||||
publisher_filters.append(HarvestSource.publisher_id==publisher_id)
|
||||
|
||||
if len(publisher_filters):
|
||||
|
@ -157,6 +160,9 @@ def _get_sources_for_user(context,data_dict):
|
|||
# This user does not belong to a publisher yet, no sources for him/her
|
||||
return []
|
||||
|
||||
log.debug('User %s with publishers %r has Harvest Sources: %r',
|
||||
user, publishers_for_the_user, [(hs.id, hs.url) for hs in query])
|
||||
|
||||
sources = query.all()
|
||||
|
||||
return sources
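Review bot: The list comprehension passed to `log.debug` in `_get_sources_for_user` iterates `query` (presumably a SQLAlchemy query), so the SELECT runs once to build the log arguments, even when DEBUG is disabled, and again in `query.all()`. Fetch first and log the fetched rows: `sources = query.all()` followed by `log.debug('User %s with publishers %r has Harvest Sources: %r', user, publishers_for_the_user, [(hs.id, hs.url) for hs in sources])`. `publishers_for_the_user` is bound in the earlier hunk next to the publisher filter loop; indentation is lost on this page, so confirm it is assigned on every path that reaches this line (for example a sysadmin path that skips the filter), otherwise the call raises NameError. Harvest source URLs can carry embedded credentials or tokens, so logging only `hs.id` is the safer default.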
|
||||
|
|
|
@ -15,7 +15,7 @@ def harvest_source_create(context,data_dict):
|
|||
# Sysadmins and the rest of logged users can create sources,
|
||||
# as long as they belong to a publisher
|
||||
user_obj = User.get(user)
|
||||
if not user_obj or not Authorizer().is_sysadmin(user) and len(user_obj.get_groups(u'publisher',u'admin')) == 0:
|
||||
if not user_obj or not Authorizer().is_sysadmin(user) and len(user_obj.get_groups(u'publisher')) == 0:
|
||||
return {'success': False, 'msg': _('User %s must belong to a publisher to create harvest sources') % str(user)}
|
||||
else:
|
||||
return {'success': True}
|
||||
|
@ -37,7 +37,7 @@ def harvest_job_create(context,data_dict):
|
|||
if not source:
|
||||
raise NotFound
|
||||
|
||||
if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]:
|
||||
if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
|
||||
return {'success': False, 'msg': _('User %s not authorized to create a job for source %s') % (str(user),source.id)}
|
||||
else:
|
||||
return {'success': True}
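Review bot: `harvest_source_create` only tests that the user belongs to at least one publisher (`len(user_obj.get_groups(u'publisher')) == 0`); nothing visible in this hunk compares the publisher the new source is being created for with the user's own publishers. Because this gate now passes any member rather than only publisher admins, it is worth confirming that the action or validation layer rejects a submitted publisher id that is not in `[g.id for g in user_obj.get_groups(u'publisher')]`; the function starts outside the hunk, so that cannot be verified from this page. The same question applies to a changed publisher in `harvest_source_update`. The mixed condition would also be easier to audit with explicit grouping, `not user_obj or (not Authorizer().is_sysadmin(user) and len(...) == 0)`.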
|
||||
|
|
|
@ -10,7 +10,7 @@ def harvest_source_delete(context,data_dict):
|
|||
|
||||
source = get_source_object(context,data_dict)
|
||||
|
||||
# Non-logged users can not delete this source
|
||||
# Non-logged users cannot delete this source
|
||||
if not user:
|
||||
return {'success': False, 'msg': _('Non-logged in users are not authorized to delete harvest sources')}
|
||||
|
||||
|
@ -20,7 +20,7 @@ def harvest_source_delete(context,data_dict):
|
|||
|
||||
# Check if the source publisher id exists on the user's groups
|
||||
user_obj = User.get(user)
|
||||
if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]:
|
||||
if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
|
||||
return {'success': False, 'msg': _('User %s not authorized to delete harvest source %s') % (str(user),source.id)}
|
||||
else:
|
||||
return {'success': True}
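Review bot: The membership test `not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]` in `harvest_source_delete` is repeated almost verbatim in the create, get and update auth hunks on this page (about a dozen sites), so any later change to the capacity rule has to be made in every copy and a missed one leaves the gates inconsistent. A single helper that returns False for a missing user and otherwise tests membership keeps the policy in one place; `x not in y` is also the idiomatic spelling of `not x in y`. The helper name and its home module below are only a suggestion, and `harvest_source_delete` itself begins above this hunk.
```python
def _user_in_publisher(user_obj, publisher_id):
    '''Return True if user_obj is a member, in any capacity, of the publisher.'''
    if not user_obj:
        return False
    member_of = [g.id for g in user_obj.get_groups(u'publisher')]
    return publisher_id in member_of

# in harvest_source_delete, replacing the inline membership test:
if not _user_in_publisher(user_obj, source.publisher_id):
    # ... unchanged: return the 'not authorized to delete harvest source' result ...
```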
|
||||
|
|
|
@ -22,7 +22,7 @@ def harvest_source_show(context,data_dict):
|
|||
|
||||
# Check if the source publisher id exists on the user's groups
|
||||
user_obj = User.get(user)
|
||||
if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]:
|
||||
if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
|
||||
return {'success': False, 'msg': _('User %s not authorized to read harvest source %s') % (str(user),source.id)}
|
||||
else:
|
||||
return {'success': True}
|
||||
|
@ -39,13 +39,16 @@ def harvest_source_list(context,data_dict):
|
|||
return {'success': False, 'msg': _('Only logged users are authorized to see their sources')}
|
||||
else:
|
||||
user_obj = User.get(user)
|
||||
assert user_obj
|
||||
|
||||
# Only users belonging to a publisher can list sources,
|
||||
# unless they are sysadmins
|
||||
if not user_obj or not Authorizer().is_sysadmin(user) and len(user_obj.get_groups(u'publisher',u'admin')) == 0:
|
||||
return {'success': False, 'msg': _('User %s must belong to a publisher to list harvest sources') % str(user)}
|
||||
else:
|
||||
if Authorizer().is_sysadmin(user_obj):
|
||||
return {'success': True}
|
||||
|
||||
if len(user_obj.get_groups(u'publisher')) > 0:
|
||||
return {'success': True}
|
||||
else:
|
||||
return {'success': False, 'msg': _('User %s must belong to a publisher to list harvest sources') % str(user)}
|
||||
|
||||
def harvest_job_show(context,data_dict):
|
||||
model = context['model']
|
||||
|
@ -60,7 +63,7 @@ def harvest_job_show(context,data_dict):
|
|||
return {'success': True}
|
||||
|
||||
user_obj = User.get(user)
|
||||
if not user_obj or not job.source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]:
|
||||
if not user_obj or not job.source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
|
||||
return {'success': False, 'msg': _('User %s not authorized to read harvest job %s') % (str(user),job.id)}
|
||||
else:
|
||||
return {'success': True}
|
||||
|
@ -77,7 +80,7 @@ def harvest_job_list(context,data_dict):
|
|||
|
||||
# Checks for non sysadmin users
|
||||
if not Authorizer().is_sysadmin(user):
|
||||
if not user_obj or len(user_obj.get_groups(u'publisher',u'admin')) == 0:
|
||||
if not user_obj or len(user_obj.get_groups(u'publisher')) == 0:
|
||||
return {'success': False, 'msg': _('User %s must belong to a publisher to list harvest jobs') % str(user)}
|
||||
|
||||
source_id = data_dict.get('source_id',False)
|
||||
|
@ -88,7 +91,7 @@ def harvest_job_list(context,data_dict):
|
|||
if not source:
|
||||
raise NotFound
|
||||
|
||||
if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]:
|
||||
if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
|
||||
return {'success': False, 'msg': _('User %s not authorized to list jobs from source %s') % (str(user),source.id)}
|
||||
|
||||
return {'success': True}
|
||||
|
@ -109,7 +112,7 @@ def harvest_object_show(context,data_dict):
|
|||
return {'success': True}
|
||||
|
||||
user_obj = User.get(user)
|
||||
if not user_obj or not obj.source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]:
|
||||
if not user_obj or not obj.source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
|
||||
return {'success': False, 'msg': _('User %s not authorized to read harvest object %s') % (str(user),obj.id)}
|
||||
else:
|
||||
return {'success': True}
|
||||
|
@ -126,7 +129,7 @@ def harvest_object_list(context,data_dict):
|
|||
|
||||
# Checks for non sysadmin users
|
||||
if not Authorizer().is_sysadmin(user):
|
||||
if not user_obj or len(user_obj.get_groups(u'publisher',u'admin')) == 0:
|
||||
if not user_obj or len(user_obj.get_groups(u'publisher')) == 0:
|
||||
return {'success': False, 'msg': _('User %s must belong to a publisher to list harvest objects') % str(user)}
|
||||
|
||||
source_id = data_dict.get('source_id',False)
|
||||
|
@ -137,7 +140,7 @@ def harvest_object_list(context,data_dict):
|
|||
if not source:
|
||||
raise NotFound
|
||||
|
||||
if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]:
|
||||
if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
|
||||
return {'success': False, 'msg': _('User %s not authorized to list objects from source %s') % (str(user),source.id)}
|
||||
|
||||
return {'success': True}
|
||||
|
@ -153,7 +156,7 @@ def harvesters_info_show(context,data_dict):
|
|||
# Sysadmins and the rest of logged users can see the harvesters info,
|
||||
# as long as they belong to a publisher
|
||||
user_obj = User.get(user)
|
||||
if not user_obj or not Authorizer().is_sysadmin(user) and len(user_obj.get_groups(u'publisher',u'admin')) == 0:
|
||||
if not user_obj or not Authorizer().is_sysadmin(user) and len(user_obj.get_groups(u'publisher')) == 0:
|
||||
return {'success': False, 'msg': _('User %s must belong to a publisher to see the harvesters info') % str(user)}
|
||||
else:
|
||||
return {'success': True}
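Review bot: In `harvest_source_list` the `not user_obj` refusal appears to have been replaced by `assert user_obj`, so a logged-in name with no matching User row now raises AssertionError instead of returning a denial, and under `python -O` the assert is stripped and a later line dereferences None. Keep the explicit refusal: `if not user_obj: return {'success': False, 'msg': _('User %s must belong to a publisher to list harvest sources') % str(user)}`. The new sysadmin test also passes `user_obj` to `Authorizer().is_sysadmin(...)` while every other call on this page passes `user`; unless `is_sysadmin` is known to accept both, use `Authorizer().is_sysadmin(user)` here as well.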
|
||||
|
|
|
@ -20,7 +20,7 @@ def harvest_source_update(context,data_dict):
|
|||
|
||||
# Check if the source publisher id exists on the user's groups
|
||||
user_obj = User.get(user)
|
||||
if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]:
|
||||
if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
|
||||
return {'success': False, 'msg': _('User %s not authorized to update harvest source %s') % (str(user),source.id)}
|
||||
else:
|
||||
return {'success': True}
|
||||
|
@ -37,7 +37,7 @@ def harvest_objects_import(context,data_dict):
|
|||
|
||||
# Checks for non sysadmin users
|
||||
if not Authorizer().is_sysadmin(user):
|
||||
if not user_obj or len(user_obj.get_groups(u'publisher',u'admin')) == 0:
|
||||
if not user_obj or len(user_obj.get_groups(u'publisher')) == 0:
|
||||
return {'success': False, 'msg': _('User %s must belong to a publisher to reimport harvest objects') % str(user)}
|
||||
|
||||
source_id = data_dict.get('source_id',False)
|
||||
|
@ -48,7 +48,7 @@ def harvest_objects_import(context,data_dict):
|
|||
if not source:
|
||||
raise NotFound
|
||||
|
||||
if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]:
|
||||
if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
|
||||
return {'success': False, 'msg': _('User %s not authorized to reimport objects from source %s') % (str(user),source.id)}
|
||||
|
||||
return {'success': True}
|
||||
|
@ -65,7 +65,7 @@ def harvest_jobs_run(context,data_dict):
|
|||
|
||||
# Checks for non sysadmin users
|
||||
if not Authorizer().is_sysadmin(user):
|
||||
if not user_obj or len(user_obj.get_groups(u'publisher',u'admin')) == 0:
|
||||
if not user_obj or len(user_obj.get_groups(u'publisher')) == 0:
|
||||
return {'success': False, 'msg': _('User %s must belong to a publisher to run harvest jobs') % str(user)}
|
||||
|
||||
source_id = data_dict.get('source_id',False)
|
||||
|
@ -76,7 +76,7 @@ def harvest_jobs_run(context,data_dict):
|
|||
if not source:
|
||||
raise NotFound
|
||||
|
||||
if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]:
|
||||
if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
|
||||
return {'success': False, 'msg': _('User %s not authorized to run jobs from source %s') % (str(user),source.id)}
|
||||
|
||||
return {'success': True}
|
||||
|
|