ckanext-dcor-schemas
+3
-0
@@ -0,1 +1,4 @@ | ||
| 1.0.1 | ||
| - fix: deny user listing for non-admins | ||
| - enh: add auth function for "user_autocomplete" | ||
| 1.0.0 | ||
@@ -2,0 +5,0 @@ - feat: send email to maintainer for new users (#36) |
| Metadata-Version: 2.4 | ||
| Name: ckanext-dcor_schemas | ||
| Version: 1.0.0 | ||
| Version: 1.0.1 | ||
| Summary: Introduces or lifts restrictions (authorization) for managing data and metadata on DCOR | ||
@@ -5,0 +5,0 @@ Author: Paul Müller |
@@ -31,5 +31,5 @@ # file generated by setuptools-scm | ||
| __version__ = version = '1.0.0' | ||
| __version_tuple__ = version_tuple = (1, 0, 0) | ||
| __version__ = version = '1.0.1' | ||
| __version_tuple__ = version_tuple = (1, 0, 1) | ||
| __commit_id__ = commit_id = 'gbc4a1739b' | ||
| __commit_id__ = commit_id = 'gd5d8ace35' |
@@ -24,3 +24,3 @@ from email.utils import parseaddr | ||
| def dataset_purge(context, data_dict): | ||
| """Only allow deletion of deleted datasets""" | ||
| """Only allow purging of deleted datasets""" | ||
| # original auth function | ||
@@ -462,2 +462,20 @@ # (usually, only sysadmins are allowed to purge, so we test against | ||
| def user_autocomplete(context, data_dict=None): | ||
| """Allow logged-in users to fetch a list of usernames | ||
| In contrast to `user_list`, this does not return details of the | ||
| user (such as recent activity). Data protection is thus not such | ||
| a big issue, and we can just check whether the user exists. | ||
| Note that this method should probably not be used as a chained | ||
| auth function, because the original auth function just checks | ||
| against `user_list` which will always be forbidden. | ||
| """ | ||
| requester = context.get('user') | ||
| if requester: | ||
| return {'success': True} | ||
| return {'success': False, | ||
| 'msg': "Only logged-in users may use autocomplete."} | ||
| @logic.auth_allow_anonymous_access | ||
@@ -541,50 +559,9 @@ def user_create(context, data_dict=None): | ||
| # User authentication methods copied from | ||
| # https://github.com/qld-gov-au/ckanext-qgov | ||
| def _has_user_permission_for_some_group(user_name, permission): | ||
| """Check if the user has the given permission for any group. | ||
| """ | ||
| user_id = authz.get_user_id_for_username(user_name, allow_none=True) | ||
| if not user_id: | ||
| return False | ||
| roles = authz.get_roles_with_permission(permission) | ||
| if not roles: | ||
| return False | ||
| # get any groups the user has with the needed role | ||
| q = model.Session.query(model.Member) \ | ||
| .filter(model.Member.table_name == 'user') \ | ||
| .filter(model.Member.state == 'active') \ | ||
| .filter(model.Member.capacity.in_(roles)) \ | ||
| .filter(model.Member.table_id == user_id) | ||
| group_ids = [] | ||
| for row in q.all(): | ||
| group_ids.append(row.group_id) | ||
| # if not in any groups has no permissions | ||
| if not group_ids: | ||
| return False | ||
| # see if any of the groups are active | ||
| q = model.Session.query(model.Group) \ | ||
| .filter(model.Group.state == 'active') \ | ||
| .filter(model.Group.id.in_(group_ids)) | ||
| return bool(q.count()) | ||
| def _requester_is_admin(context): | ||
| """Check whether the current user has admin privileges in some group | ||
| or organisation. | ||
| This is based on the 'update' privilege; see eg | ||
| ckan.logic.auth.update.group_edit_permissions. | ||
| """ | ||
| requester = context.get('user') | ||
| return _has_user_permission_for_some_group(requester, 'admin') | ||
| def user_list(context, data_dict=None): | ||
| """Check whether access to the user list is authorised. | ||
| Restricted to organisation admins as per QOL-5710. | ||
| Restricted to site admins. | ||
| """ | ||
| return {'success': _requester_is_admin(context)} | ||
| return {"success": False, | ||
| "msg": "Listing users is forbidden."} | ||
@@ -595,10 +572,8 @@ | ||
| """Check whether access to individual user details is authorised. | ||
| Restricted to organisation admins or self, as per QOL-5710. | ||
| Restricted to site admins or self | ||
| """ | ||
| if _requester_is_admin(context): | ||
| return {'success': True} | ||
| requester = context.get('user') | ||
| id = data_dict.get('id', None) | ||
| if id: | ||
| user_obj = model.User.get(id) | ||
| user_id = data_dict.get('id', None) | ||
| if user_id: | ||
| user_obj = model.User.get(user_id) | ||
| else: | ||
@@ -609,3 +584,4 @@ user_obj = data_dict.get('user_obj', None) | ||
| return {'success': False} | ||
| return {'success': False, | ||
| 'msg': "Users may only view their own details"} | ||
@@ -612,0 +588,0 @@ |
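Review bot: In `user_autocomplete`, the docstring says the function can "just check whether the user exists", but the code only tests that `context.get('user')` is truthy, so any non-empty value in that key passes this function's own check. CKAN's authorization layer may already reject names that do not resolve to an account before the function is reached, but nothing on this page shows that, so the guarantee is implicit. Either make the check match the docstring, for example `if requester and model.User.get(requester):`, or reword the docstring to say that only the presence of a user name in the context is tested. The same kind of reliance applies to `user_list`, which now denies unconditionally while its docstring says "Restricted to site admins"; a comment such as `# sysadmins are expected to bypass this auth function in CKAN` would record the assumption.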
@@ -96,2 +96,3 @@ import logging | ||
| 'tag_show': dcor_auth.content_listing, | ||
| 'user_autocomplete': dcor_auth.user_autocomplete, | ||
| 'user_create': dcor_auth.user_create, | ||
@@ -98,0 +99,0 @@ 'user_list': dcor_auth.user_list, |
@@ -11,3 +11,3 @@ import pytest | ||
| @pytest.mark.usefixtures('clean_db', 'with_plugins', 'with_request_context') | ||
| def test_auth_group_show_list_users(): | ||
| def test_auth_group_show(): | ||
| """Anonymous user not allowed to list group with users""" | ||
@@ -52,2 +52,35 @@ user = factories.User() | ||
| @pytest.mark.usefixtures('clean_db', 'with_plugins', 'with_request_context') | ||
| def test_auth_user_autocomplete(): | ||
| """Logged-in users may fetch a list of usernames""" | ||
| user = factories.User() | ||
| admin = factories.Sysadmin() | ||
| # valid user | ||
| assert helpers.call_auth( | ||
| "user_autocomplete", | ||
| context={'ignore_auth': False, | ||
| 'user': user['name'], | ||
| 'model': model, | ||
| 'api_version': 3}, | ||
| ) | ||
| # anonymous user | ||
| with pytest.raises(logic.NotAuthorized): | ||
| helpers.call_auth( | ||
| "user_autocomplete", | ||
| context={'ignore_auth': False, | ||
| 'user': None, | ||
| 'model': model, | ||
| 'api_version': 3}, | ||
| ) | ||
| # admin | ||
| assert helpers.call_auth( | ||
| "user_autocomplete", | ||
| context={'ignore_auth': False, | ||
| 'user': admin['name'], | ||
| 'model': model, | ||
| 'api_version': 3}, | ||
| ) | ||
| @pytest.mark.ckan_config('ckan.plugins', 'dcor_schemas') | ||
| @pytest.mark.usefixtures('clean_db', 'with_plugins', 'with_request_context') | ||
| def test_auth_user_show(): | ||
@@ -99,2 +132,7 @@ """Anonymous user not allowed to list users""" | ||
| user = factories.User() | ||
| # create an organization of which the user is an admin | ||
| factories.Organization(users=[{ | ||
| 'name': user['id'], | ||
| 'capacity': 'admin' | ||
| }]) | ||
| admin = factories.Sysadmin() | ||
@@ -101,0 +139,0 @@ # valid user |
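Review bot: `test_auth_user_autocomplete` covers a registered user, `'user': None` and a sysadmin, but not a `user` value that is non-empty yet matches no account, which is the case that separates "logged in" from "some string in the context". Adding a fourth case that calls `helpers.call_auth("user_autocomplete", ...)` with an unregistered name inside `pytest.raises(logic.NotAuthorized)` would pin the expected denial. A deleted account would be a useful further case if the test factories in use can create one.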
+1
-1
| Metadata-Version: 2.4 | ||
| Name: ckanext-dcor_schemas | ||
| Version: 1.0.0 | ||
| Version: 1.0.1 | ||
| Summary: Introduces or lifts restrictions (authorization) for managing data and metadata on DCOR | ||
@@ -5,0 +5,0 @@ Author: Paul Müller |