[QCDP24-26] implemented custom data request access rules (#5)
awset authored Aug 27, 2024
1 parent e3db4bd commit c83134d
Showing 2 changed files with 22 additions and 4 deletions.
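--- a/ckanext/datarequests/auth.py
+++ b/ckanext/datarequests/auth.py
@@ -18,10 +18,11 @@
 # along with CKAN Data Requests Extension. If not, see <http://www.gnu.org/licenses/>.
 
 from ckan import authz
-from ckan.plugins.toolkit import current_user
+from ckan.plugins.toolkit import current_user, h
 from ckan.plugins.toolkit import asbool, auth_allow_anonymous_access, config, get_action
 
-from . import constants
+from . import constants, db
+from .actions import _dictize_datarequest
 
 
 def create_datarequest(context, data_dict):
@@ -42,6 +43,16 @@ def _is_any_group_member(context):
 
 @auth_allow_anonymous_access
 def show_datarequest(context, data_dict):
+    # Sysadmins can see all data requests, other users can only see their own organization's data requests.
+    if not current_user.sysadmin:
+        result = db.DataRequest.get(id=data_dict.get('id'))
+        data_req = result[0]
+        data_dict = _dictize_datarequest(data_req)
+
+        current_user_orgs = [org['id'] for org in h.organizations_available('read')] or []
+        if data_dict.get('requesting_organisation', None) not in current_user_orgs:
+            return {'success': False}
+
     return {'success': True}
 
 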
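Review bot: `result[0]` in show_datarequest dereferences the lookup without checking it found anything, so an unknown or malformed `id` in data_dict raises IndexError out of an auth function instead of producing a denial; an auth check should fail closed with `{'success': False}` (or let the action's not-found handling run) rather than surface a server error. The function is also decorated `@auth_allow_anonymous_access` yet reads `current_user.sysadmin` unconditionally — if the anonymous user object lacks that attribute (not visible here, worth confirming against the CKAN version in use), every anonymous call errors before the organisation check is reached. The `or []` after the list comprehension is redundant (a comprehension is already a list), and rebinding the `data_dict` parameter to the dictized request is easy to misread; a separate name makes the membership test clearer. The whole of show_datarequest lies inside this hunk.

```python
def show_datarequest(context, data_dict):
    # Sysadmins can see all data requests, other users can only see their own organization's data requests.
    if not getattr(current_user, 'sysadmin', False):
        result = db.DataRequest.get(id=data_dict.get('id'))
        if not result:
            # Unknown id: deny rather than raise out of the auth layer.
            return {'success': False}
        datarequest = _dictize_datarequest(result[0])
        readable_org_ids = {org['id'] for org in h.organizations_available('read')}
        if datarequest.get('requesting_organisation') not in readable_org_ids:
            return {'success': False}

    return {'success': True}
```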
11 changes: 9 additions & 2 deletions ckanext/datarequests/db.py
Expand Up @@ -22,7 +22,7 @@
import logging

from ckan import model
from ckan.plugins.toolkit import current_user
from ckan.plugins.toolkit import current_user, h
from ckanext.datarequests import constants

from sqlalchemy import func, MetaData, DDL
Expand Down Expand Up @@ -79,9 +79,16 @@ def get_ordered_by_date(cls, organization_id=None, user_id=None, closed=None, q=

order_by_filter = cls.open_time.desc() if desc else cls.open_time.asc()

current_user_id = current_user.id if current_user else None
# For sysadmins, we show all the data requests.
restricted_org_id = None
if not current_user.sysadmin and organization_id is None:
current_user_orgs = h.organizations_available('read') or []
restricted_org_id = [org['id'] for org in current_user_orgs]
query = query.filter(cls.requesting_organisation.in_(restricted_org_id))

current_user_id = current_user.id if current_user else None
if current_user_id:
# Pinned the datarequest to the top of the list if current user is the author.
current_user_order = case(
[(cls.user_id == current_user_id, 1)],
else_=0
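Review bot: The organisation restriction in get_ordered_by_date is applied only when `organization_id is None`, so a non-sysadmin who passes any `organization_id` skips the `requesting_organisation.in_(...)` filter entirely; unless the caller verifies membership of that organisation before calling (not visible in this hunk), the new rule can be bypassed simply by supplying an organisation id. Applying the filter regardless of the caller's organisation argument keeps the rule in one place: `if not (current_user and current_user.sysadmin):`. That form also removes the inconsistency with the line below it, which guards `current_user.id if current_user else None` while the line above has already dereferenced `current_user.sysadmin` without such a guard. Note too that `h.organizations_available('read')` is a request-bound helper now called from the model layer, so any code path that reaches this query outside a request (background jobs, CLI) would need to be checked. get_ordered_by_date begins before and continues after this hunk.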
