Skip to content

Commit

Permalink
[QCDP24-26] fix facet issue and access issue
Browse files Browse the repository at this point in the history
  • Loading branch information
awset committed Sep 5, 2024
1 parent 591335d commit daa1708
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 9 deletions.
29 changes: 21 additions & 8 deletions ckanext/datarequests/auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
from ckan.plugins.toolkit import current_user, h
from ckan.plugins.toolkit import asbool, auth_allow_anonymous_access, config, get_action

from . import constants, db
from . import constants, db, request_helpers
from .actions import _dictize_datarequest


Expand All @@ -41,21 +41,34 @@ def _is_any_group_member(context):
return user_name and authz.has_user_permission_for_some_org(user_name, 'read')


@auth_allow_anonymous_access
def show_datarequest(context, data_dict):
def _check_organization_access(data_dict, is_listing=False):
# Sysadmins can see all data requests, other users can only see their own organization's data requests.
if not current_user.sysadmin:
result = db.DataRequest.get(id=data_dict.get('id'))
data_req = result[0]
data_dict = _dictize_datarequest(data_req)
if is_listing:
organization_name = request_helpers.get_first_query_param('organization')
if not organization_name:
return {'success': True}

organization = get_action('organization_show')({'ignore_auth': True}, {'id': organization_name})
organization_id = organization.get('id', None)
else:
result = db.DataRequest.get(id=data_dict.get('id'))
data_req = result[0]
data_dict = _dictize_datarequest(data_req)
organization_id = data_dict.get('organization_id', None)

current_user_orgs = [org['id'] for org in h.organizations_available('read')] or []
if data_dict.get('requesting_organisation', None) not in current_user_orgs:
if organization_id not in current_user_orgs:
return {'success': False}

return {'success': True}


@auth_allow_anonymous_access
def show_datarequest(context, data_dict):
return _check_organization_access(data_dict)


def auth_if_creator(context, data_dict, show_function):
# Sometimes data_dict only contains the 'id'
if 'user_id' not in data_dict:
Expand Down Expand Up @@ -91,7 +104,7 @@ def update_datarequest(context, data_dict):

@auth_allow_anonymous_access
def list_datarequests(context, data_dict):
return {'success': True}
return _check_organization_access(data_dict, True)


def delete_datarequest(context, data_dict):
Expand Down
4 changes: 3 additions & 1 deletion ckanext/datarequests/db.py
Original file line number Diff line number Diff line change
Expand Up @@ -81,10 +81,12 @@ def get_ordered_by_date(cls, organization_id=None, user_id=None, closed=None, q=

# For sysadmins, we show all the data requests.
restricted_org_id = None

# If it is regular user, and the organization_id is not provided, filter it based on current user's organizations.
if not current_user.sysadmin and organization_id is None:
current_user_orgs = h.organizations_available('read') or []
restricted_org_id = [org['id'] for org in current_user_orgs]
query = query.filter(cls.requesting_organisation.in_(restricted_org_id))
query = query.filter(cls.organization_id.in_(restricted_org_id))

current_user_id = current_user.id if current_user else None
if current_user_id:
Expand Down

0 comments on commit daa1708

Please sign in to comment.