[QCDP24-26] fix facet issue and access issue (#8)

salsadigitalauorg · Sep 6, 2024 · 7c7bb91 · 7c7bb91
1 parent 591335d
commit 7c7bb91
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 9 deletions.
diff --git a/ckanext/datarequests/auth.py b/ckanext/datarequests/auth.py
@@ -21,7 +21,7 @@
 from ckan.plugins.toolkit import current_user, h
 from ckan.plugins.toolkit import asbool, auth_allow_anonymous_access, config, get_action
 
-from . import constants, db
+from . import constants, db, request_helpers
 from .actions import _dictize_datarequest
 
 
@@ -41,21 +41,34 @@ def _is_any_group_member(context):
     return user_name and authz.has_user_permission_for_some_org(user_name, 'read')
 
 
-@auth_allow_anonymous_access
-def show_datarequest(context, data_dict):
+def _check_organization_access(data_dict, is_listing=False):
     # Sysadmins can see all data requests, other users can only see their own organization's data requests.
     if not current_user.sysadmin:
-        result = db.DataRequest.get(id=data_dict.get('id'))
-        data_req = result[0]
-        data_dict = _dictize_datarequest(data_req)
+        if is_listing:
+            organization_name = request_helpers.get_first_query_param('organization')
+            if not organization_name:
+                return {'success': True}
+
+            organization = get_action('organization_show')({'ignore_auth': True}, {'id': organization_name})
+            organization_id = organization.get('id', None)
+        else:
+            result = db.DataRequest.get(id=data_dict.get('id'))
+            data_req = result[0]
+            data_dict = _dictize_datarequest(data_req)
+            organization_id = data_dict.get('organization_id', None)
 
         current_user_orgs = [org['id'] for org in h.organizations_available('read')] or []
-        if data_dict.get('requesting_organisation', None) not in current_user_orgs:
+        if organization_id not in current_user_orgs:
             return {'success': False}
 
     return {'success': True}
 
 
+@auth_allow_anonymous_access
+def show_datarequest(context, data_dict):
+    return _check_organization_access(data_dict)
+
+
 def auth_if_creator(context, data_dict, show_function):
     # Sometimes data_dict only contains the 'id'
     if 'user_id' not in data_dict:
@@ -91,7 +104,7 @@ def update_datarequest(context, data_dict):
 
 @auth_allow_anonymous_access
 def list_datarequests(context, data_dict):
-    return {'success': True}
+    return _check_organization_access(data_dict, True)
 
 
 def delete_datarequest(context, data_dict):

diff --git a/ckanext/datarequests/db.py b/ckanext/datarequests/db.py
@@ -81,10 +81,12 @@ def get_ordered_by_date(cls, organization_id=None, user_id=None, closed=None, q=
 
         # For sysadmins, we show all the data requests.
         restricted_org_id = None
+
+        # If it is regular user, and the organization_id is not provided, filter it based on current user's organizations.
         if not current_user.sysadmin and organization_id is None:
             current_user_orgs = h.organizations_available('read') or []
             restricted_org_id = [org['id'] for org in current_user_orgs]
-            query = query.filter(cls.requesting_organisation.in_(restricted_org_id))
+            query = query.filter(cls.organization_id.in_(restricted_org_id))
 
         current_user_id = current_user.id if current_user else None
         if current_user_id: