Does not prevent Org-level admins from using bulk edit UI to set datasets Public #3
Comments
enhancement #2 would not make sense until this issue is fixed
Based on the info provided here: https://gitter.im/ckan/chat?at=6075457bb6a4714a29bf9130 see https://github.com/ckan/ckan/search?q=bulk_update_public

```python
import ckan.authz as authz


def bulk_update_public(context, data_dict):
    # CKAN core: anyone with 'update' permission on the org (an org admin) passes.
    org_id = data_dict.get('org_id')
    user = context['user']
    authorized = authz.has_user_permission_for_group_or_org(org_id, user, 'update')
    if not authorized:
        return {'success': False}
    return {'success': True}
```

Could change to

```python
import ckan.authz as authz


def bulk_update_public(context, data_dict):
    # Override: the org permission check is kept, but the user must also be a sysadmin.
    org_id = data_dict.get('org_id')
    user = context['user']
    authorized = (authz.has_user_permission_for_group_or_org(org_id, user, 'update')
                  and authz.is_sysadmin(user))
    if not authorized:
        return {'success': False}
    return {'success': True}
```
And if we were to implement enhancement #2, we would just use the normal version of the

See https://docs.ckan.org/en/2.9/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions for how to work this auth override into an extension. (You'll need to
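To see concretely why the bulk path lets an org admin through while the proposed override stops them, here is an added, self-contained Python example. It is not code from this extension or from CKAN: `ckan.authz` is replaced by a constructed in-memory stand-in whose role-to-permission table follows CKAN's `ROLE_PERMISSIONS` only as far as this check needs, the user names, organization and dataset ids are made up, and `SysadminOnlyPublicPlugin` shows the shape of the `IAuthFunctions` hook rather than a registrable plugin.

```python
"""Added example: why CKAN's bulk_update_public auth lets an org admin
through, and how a sysadmin-only override closes it.

Not code from the extension or from CKAN. `ckan.authz` is replaced by a
constructed in-memory stand-in; users, organization and dataset ids are
made up.
"""

# Constructed data: who is a sysadmin, and who holds which role in which org.
SYSADMINS = {"root"}
ORG_MEMBERS = {
    "city-data": {"alice": "admin", "bob": "editor", "carol": "member"},
}

# Role -> permission table, following CKAN's ROLE_PERMISSIONS as far as this
# example needs: 'admin' is a wildcard, editors get dataset-level permissions
# only, so a plain 'update' check on the org is passed by org admins alone.
ROLE_PERMISSIONS = {
    "admin": ["admin", "membership"],
    "editor": ["read", "delete_dataset", "create_dataset",
               "update_dataset", "manage_group"],
    "member": ["read", "manage_group"],
}


def is_sysadmin(user_name):
    """Stand-in for ckan.authz.is_sysadmin."""
    return user_name in SYSADMINS


def has_user_permission_for_group_or_org(group_id, user_name, permission):
    """Stand-in for ckan.authz.has_user_permission_for_group_or_org.

    As in CKAN, a sysadmin passes unconditionally; a member passes if their
    role carries the 'admin' wildcard or the requested permission.
    """
    if is_sysadmin(user_name):
        return True
    role = ORG_MEMBERS.get(group_id, {}).get(user_name)
    if role is None:
        return False
    perms = ROLE_PERMISSIONS[role]
    return "admin" in perms or permission in perms


def bulk_update_public_core(context, data_dict):
    """Logic of CKAN core's bulk_update_public auth function as quoted in
    the thread: anyone with 'update' on the org, i.e. any org admin, may
    set the datasets to public."""
    org_id = data_dict.get("org_id")
    user = context["user"]
    authorized = has_user_permission_for_group_or_org(org_id, user, "update")
    return {"success": bool(authorized)}


def bulk_update_public_sysadmin_only(context, data_dict):
    """The override proposed in the thread: additionally require sysadmin."""
    org_id = data_dict.get("org_id")
    user = context["user"]
    authorized = (has_user_permission_for_group_or_org(org_id, user, "update")
                  and is_sysadmin(user))
    if not authorized:
        return {"success": False,
                "msg": "Only sysadmins may set datasets to public"}
    return {"success": True}


def who_can_publish(auth_func, org_id, users):
    """Run a bulk-edit authorization request through auth_func for each
    user and report who would be allowed to set the datasets public."""
    data_dict = {"org_id": org_id, "datasets": ["roads-2021", "parks-2021"]}
    return {u: auth_func({"user": u}, data_dict)["success"] for u in users}


class SysadminOnlyPublicPlugin:
    """Shape of the IAuthFunctions hook that installs the override. A real
    extension would subclass ckan.plugins.SingletonPlugin and declare
    plugins.implements(plugins.IAuthFunctions); only the hook is shown."""

    def get_auth_functions(self):
        # Keys are CKAN auth function names; this entry replaces core's.
        return {"bulk_update_public": bulk_update_public_sysadmin_only}


if __name__ == "__main__":
    users = ["root", "alice", "bob", "carol", "mallory"]
    print("core    :", who_can_publish(bulk_update_public_core, "city-data", users))
    print("override:", who_can_publish(bulk_update_public_sysadmin_only, "city-data", users))
```

Running it shows the gap directly: under the core function the org admin `alice` is allowed alongside the sysadmin `root`, while the editor, the plain member and an outsider are denied; under the override only `root` remains. Because CKAN's `has_user_permission_for_group_or_org` already returns True for any sysadmin, the combined condition collapses to `is_sysadmin(user)`; keeping both terms is harmless and documents the intent. Note that this override touches only `bulk_update_public`: the sibling bulk auth functions (such as `bulk_update_private`) keep core's behaviour unless they are overridden as well, and the plugin has to be enabled in `ckan.plugins` for `get_auth_functions` to take effect.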
Even though the extension is currently set to only allow sysadmins to set packages' visibility to public, I find that you can still use the bulk edit tool when managing an Org as an Org admin user to set datasets to public. This should not happen.
Note that when an Org admin user attempts to set a dataset to public individually via the regular web UI for editing individual datasets, they do get denied as expected. (Thus I do not think I have set the existing code wrong in some way that actually implies that Org admins changing visibility to public is allowed).