In publisher auth mode, any member of the group can make the changes. This brings things in line with the general idea that Admins have the power to do this plus authorize other editors/admins.

This commit is contained in:
David Read 2012-05-29 15:21:34 +01:00
parent 017222afd2
commit 5151f4ee23
5 changed files with 32 additions and 23 deletions


@ -1,3 +1,4 @@
import logging
from sqlalchemy import or_ from sqlalchemy import or_
from ckan.authz import Authorizer from ckan.authz import Authorizer
from ckan.model import User from ckan.model import User
@ -13,6 +14,8 @@ from ckanext.harvest.logic.dictization import (harvest_source_dictize,
harvest_job_dictize, harvest_job_dictize,
harvest_object_dictize) harvest_object_dictize)
log = logging.getLogger(__name__)
def harvest_source_show(context,data_dict): def harvest_source_show(context,data_dict):
check_access('harvest_source_show',context,data_dict) check_access('harvest_source_show',context,data_dict)
@ -147,8 +150,8 @@ def _get_sources_for_user(context,data_dict):
user_obj = User.get(user) user_obj = User.get(user)
publisher_filters = [] publisher_filters = []
publishers_for_the_user = user_obj.get_groups(u'publisher')
for publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]: for publisher_id in [g.id for g in publishers_for_the_user]:
publisher_filters.append(HarvestSource.publisher_id==publisher_id) publisher_filters.append(HarvestSource.publisher_id==publisher_id)
if len(publisher_filters): if len(publisher_filters):
@ -157,6 +160,9 @@ def _get_sources_for_user(context,data_dict):
# This user does not belong to a publisher yet, no sources for him/her # This user does not belong to a publisher yet, no sources for him/her
return [] return []
log.debug('User %s with publishers %r has Harvest Sources: %r',
user, publishers_for_the_user, [(hs.id, hs.url) for hs in query])
sources = query.all() sources = query.all()
return sources return sources
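Review bot: The list comprehension in the new log.debug call at the end of `_get_sources_for_user` iterates `query` before `query.all()` runs on the next line, so the SELECT is executed twice, and because the argument list is built before the logger checks its level it runs even when DEBUG is disabled. Fetch once and log from the result: `sources = query.all()` then `log.debug('User %s with publishers %r has Harvest Sources: %r', user, publishers_for_the_user, [(hs.id, hs.url) for hs in sources])` then `return sources`. The function starts outside the hunk.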


@ -15,7 +15,7 @@ def harvest_source_create(context,data_dict):
# Sysadmins and the rest of logged users can create sources, # Sysadmins and the rest of logged users can create sources,
# as long as they belong to a publisher # as long as they belong to a publisher
user_obj = User.get(user) user_obj = User.get(user)
if not user_obj or not Authorizer().is_sysadmin(user) and len(user_obj.get_groups(u'publisher',u'admin')) == 0: if not user_obj or not Authorizer().is_sysadmin(user) and len(user_obj.get_groups(u'publisher')) == 0:
return {'success': False, 'msg': _('User %s must belong to a publisher to create harvest sources') % str(user)} return {'success': False, 'msg': _('User %s must belong to a publisher to create harvest sources') % str(user)}
else: else:
return {'success': True} return {'success': True}
@ -37,7 +37,7 @@ def harvest_job_create(context,data_dict):
if not source: if not source:
raise NotFound raise NotFound
if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]: if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
return {'success': False, 'msg': _('User %s not authorized to create a job for source %s') % (str(user),source.id)} return {'success': False, 'msg': _('User %s not authorized to create a job for source %s') % (str(user),source.id)}
else: else:
return {'success': True} return {'success': True}
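Review bot: The membership test `source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]` in harvest_job_create is repeated in the same shape across the delete, get and update auth files (the hunks for harvest_source_delete, harvest_source_show, harvest_job_show, harvest_job_list, harvest_object_show, harvest_object_list, harvest_source_update, harvest_objects_import and harvest_jobs_run), which is why dropping the `u'admin'` capacity argument had to be done in eleven places in this commit. A single helper in one shared module, e.g. `def _user_publisher_ids(user_obj): return set(g.id for g in user_obj.get_groups(u'publisher'))`, would make the authorization rule one line to audit and one line to change. The enclosing functions start outside their hunks.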


@ -20,7 +20,7 @@ def harvest_source_delete(context,data_dict):
# Check if the source publisher id exists on the user's groups # Check if the source publisher id exists on the user's groups
user_obj = User.get(user) user_obj = User.get(user)
if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]: if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
return {'success': False, 'msg': _('User %s not authorized to delete harvest source %s') % (str(user),source.id)} return {'success': False, 'msg': _('User %s not authorized to delete harvest source %s') % (str(user),source.id)}
else: else:
return {'success': True} return {'success': True}


@ -22,7 +22,7 @@ def harvest_source_show(context,data_dict):
# Check if the source publisher id exists on the user's groups # Check if the source publisher id exists on the user's groups
user_obj = User.get(user) user_obj = User.get(user)
if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]: if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
return {'success': False, 'msg': _('User %s not authorized to read harvest source %s') % (str(user),source.id)} return {'success': False, 'msg': _('User %s not authorized to read harvest source %s') % (str(user),source.id)}
else: else:
return {'success': True} return {'success': True}
@ -39,13 +39,16 @@ def harvest_source_list(context,data_dict):
return {'success': False, 'msg': _('Only logged users are authorized to see their sources')} return {'success': False, 'msg': _('Only logged users are authorized to see their sources')}
else: else:
user_obj = User.get(user) user_obj = User.get(user)
assert user_obj
# Only users belonging to a publisher can list sources, # Only users belonging to a publisher can list sources,
# unless they are sysadmins # unless they are sysadmins
if not user_obj or not Authorizer().is_sysadmin(user) and len(user_obj.get_groups(u'publisher',u'admin')) == 0: if Authorizer().is_sysadmin(user_obj):
return {'success': False, 'msg': _('User %s must belong to a publisher to list harvest sources') % str(user)}
else:
return {'success': True} return {'success': True}
if len(user_obj.get_groups(u'publisher')) > 0:
return {'success': True}
else:
return {'success': False, 'msg': _('User %s must belong to a publisher to list harvest sources') % str(user)}
def harvest_job_show(context,data_dict): def harvest_job_show(context,data_dict):
model = context['model'] model = context['model']
@ -60,7 +63,7 @@ def harvest_job_show(context,data_dict):
return {'success': True} return {'success': True}
user_obj = User.get(user) user_obj = User.get(user)
if not user_obj or not job.source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]: if not user_obj or not job.source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
return {'success': False, 'msg': _('User %s not authorized to read harvest job %s') % (str(user),job.id)} return {'success': False, 'msg': _('User %s not authorized to read harvest job %s') % (str(user),job.id)}
else: else:
return {'success': True} return {'success': True}
@ -77,7 +80,7 @@ def harvest_job_list(context,data_dict):
# Checks for non sysadmin users # Checks for non sysadmin users
if not Authorizer().is_sysadmin(user): if not Authorizer().is_sysadmin(user):
if not user_obj or len(user_obj.get_groups(u'publisher',u'admin')) == 0: if not user_obj or len(user_obj.get_groups(u'publisher')) == 0:
return {'success': False, 'msg': _('User %s must belong to a publisher to list harvest jobs') % str(user)} return {'success': False, 'msg': _('User %s must belong to a publisher to list harvest jobs') % str(user)}
source_id = data_dict.get('source_id',False) source_id = data_dict.get('source_id',False)
@ -88,7 +91,7 @@ def harvest_job_list(context,data_dict):
if not source: if not source:
raise NotFound raise NotFound
if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]: if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
return {'success': False, 'msg': _('User %s not authorized to list jobs from source %s') % (str(user),source.id)} return {'success': False, 'msg': _('User %s not authorized to list jobs from source %s') % (str(user),source.id)}
return {'success': True} return {'success': True}
@ -109,7 +112,7 @@ def harvest_object_show(context,data_dict):
return {'success': True} return {'success': True}
user_obj = User.get(user) user_obj = User.get(user)
if not user_obj or not obj.source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]: if not user_obj or not obj.source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
return {'success': False, 'msg': _('User %s not authorized to read harvest object %s') % (str(user),obj.id)} return {'success': False, 'msg': _('User %s not authorized to read harvest object %s') % (str(user),obj.id)}
else: else:
return {'success': True} return {'success': True}
@ -126,7 +129,7 @@ def harvest_object_list(context,data_dict):
# Checks for non sysadmin users # Checks for non sysadmin users
if not Authorizer().is_sysadmin(user): if not Authorizer().is_sysadmin(user):
if not user_obj or len(user_obj.get_groups(u'publisher',u'admin')) == 0: if not user_obj or len(user_obj.get_groups(u'publisher')) == 0:
return {'success': False, 'msg': _('User %s must belong to a publisher to list harvest objects') % str(user)} return {'success': False, 'msg': _('User %s must belong to a publisher to list harvest objects') % str(user)}
source_id = data_dict.get('source_id',False) source_id = data_dict.get('source_id',False)
@ -137,7 +140,7 @@ def harvest_object_list(context,data_dict):
if not source: if not source:
raise NotFound raise NotFound
if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]: if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
return {'success': False, 'msg': _('User %s not authorized to list objects from source %s') % (str(user),source.id)} return {'success': False, 'msg': _('User %s not authorized to list objects from source %s') % (str(user),source.id)}
return {'success': True} return {'success': True}
@ -153,7 +156,7 @@ def harvesters_info_show(context,data_dict):
# Sysadmins and the rest of logged users can see the harvesters info, # Sysadmins and the rest of logged users can see the harvesters info,
# as long as they belong to a publisher # as long as they belong to a publisher
user_obj = User.get(user) user_obj = User.get(user)
if not user_obj or not Authorizer().is_sysadmin(user) and len(user_obj.get_groups(u'publisher',u'admin')) == 0: if not user_obj or not Authorizer().is_sysadmin(user) and len(user_obj.get_groups(u'publisher')) == 0:
return {'success': False, 'msg': _('User %s must belong to a publisher to see the harvesters info') % str(user)} return {'success': False, 'msg': _('User %s must belong to a publisher to see the harvesters info') % str(user)}
else: else:
return {'success': True} return {'success': True}
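Review bot: In harvest_source_list the added `assert user_obj` replaces the previous `if not user_obj` guard, so a missing user now surfaces as an AssertionError rather than a `{'success': False}` result, and under `python -O` the assert is stripped and the following `user_obj.get_groups(...)` call raises AttributeError instead. Keep the explicit guard: `if not user_obj:` / `return {'success': False, 'msg': _('User %s must belong to a publisher to list harvest sources') % str(user)}`. The same hunk also passes `user_obj` to `Authorizer().is_sysadmin` where every other call site in this commit passes the `user` name; if is_sysadmin accepts both forms this is harmless, but one convention would be easier to read and review. harvest_source_list's body starts outside the hunk.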


@ -20,7 +20,7 @@ def harvest_source_update(context,data_dict):
# Check if the source publisher id exists on the user's groups # Check if the source publisher id exists on the user's groups
user_obj = User.get(user) user_obj = User.get(user)
if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]: if not user_obj or not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
return {'success': False, 'msg': _('User %s not authorized to update harvest source %s') % (str(user),source.id)} return {'success': False, 'msg': _('User %s not authorized to update harvest source %s') % (str(user),source.id)}
else: else:
return {'success': True} return {'success': True}
@ -37,7 +37,7 @@ def harvest_objects_import(context,data_dict):
# Checks for non sysadmin users # Checks for non sysadmin users
if not Authorizer().is_sysadmin(user): if not Authorizer().is_sysadmin(user):
if not user_obj or len(user_obj.get_groups(u'publisher',u'admin')) == 0: if not user_obj or len(user_obj.get_groups(u'publisher')) == 0:
return {'success': False, 'msg': _('User %s must belong to a publisher to reimport harvest objects') % str(user)} return {'success': False, 'msg': _('User %s must belong to a publisher to reimport harvest objects') % str(user)}
source_id = data_dict.get('source_id',False) source_id = data_dict.get('source_id',False)
@ -48,7 +48,7 @@ def harvest_objects_import(context,data_dict):
if not source: if not source:
raise NotFound raise NotFound
if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]: if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
return {'success': False, 'msg': _('User %s not authorized to reimport objects from source %s') % (str(user),source.id)} return {'success': False, 'msg': _('User %s not authorized to reimport objects from source %s') % (str(user),source.id)}
return {'success': True} return {'success': True}
@ -65,7 +65,7 @@ def harvest_jobs_run(context,data_dict):
# Checks for non sysadmin users # Checks for non sysadmin users
if not Authorizer().is_sysadmin(user): if not Authorizer().is_sysadmin(user):
if not user_obj or len(user_obj.get_groups(u'publisher',u'admin')) == 0: if not user_obj or len(user_obj.get_groups(u'publisher')) == 0:
return {'success': False, 'msg': _('User %s must belong to a publisher to run harvest jobs') % str(user)} return {'success': False, 'msg': _('User %s must belong to a publisher to run harvest jobs') % str(user)}
source_id = data_dict.get('source_id',False) source_id = data_dict.get('source_id',False)
@ -76,7 +76,7 @@ def harvest_jobs_run(context,data_dict):
if not source: if not source:
raise NotFound raise NotFound
if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher',u'admin')]: if not source.publisher_id in [g.id for g in user_obj.get_groups(u'publisher')]:
return {'success': False, 'msg': _('User %s not authorized to run jobs from source %s') % (str(user),source.id)} return {'success': False, 'msg': _('User %s not authorized to run jobs from source %s') % (str(user),source.id)}
return {'success': True} return {'success': True}