From b16e21df3fcd88518f4c5eefdabdc8742e1b782f Mon Sep 17 00:00:00 2001
From: Dan Mihaila
Date: Wed, 11 Dec 2024 14:12:59 +0200
Subject: [PATCH] HDX-10398 only sysadmins can access the url
---
 .../ckanext/hdx_org_group/actions/authorize.py | 3 +++
 .../ckanext/hdx_org_group/actions/get.py | 3 +++
 .../ckanext/hdx_org_group/plugin.py | 1 +
 .../hdx_org_group/tests/test_data_completeness.py | 15 ++++++++++++---
 4 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/ckanext-hdx_org_group/ckanext/hdx_org_group/actions/authorize.py b/ckanext-hdx_org_group/ckanext/hdx_org_group/actions/authorize.py
index 1fcc170795..5a232d9aac 100644
--- a/ckanext-hdx_org_group/ckanext/hdx_org_group/actions/authorize.py
+++ b/ckanext-hdx_org_group/ckanext/hdx_org_group/actions/authorize.py
@@ -40,3 +40,6 @@ def hdx_organization_follower_list(context, data_dict):
 # if authz.auth_is_anon_user(context):
 # return {'success': False, 'msg': _('Only logged in users can join an organization')}
 # return {'success': True}
+
+def hdx_datagrid_show(context, data_dict):
+ return {'success': False, 'msg': _('Only sysadmins can see the datagrid for location')}
diff --git a/ckanext-hdx_org_group/ckanext/hdx_org_group/actions/get.py b/ckanext-hdx_org_group/ckanext/hdx_org_group/actions/get.py
index d2bb0c87de..2955050760 100644
--- a/ckanext-hdx_org_group/ckanext/hdx_org_group/actions/get.py
+++ b/ckanext-hdx_org_group/ckanext/hdx_org_group/actions/get.py
@@ -338,6 +338,9 @@ def _user_list_dictize(obj_list, context,
 @side_effect_free
 def hdx_datagrid_show(context, data_dict):
+
+ _check_access('hdx_datagrid_show', context, data_dict)
+
 id = _get_or_bust(data_dict, 'id')
 if id:
 grp_dict = get_action('hdx_light_group_show')(context, {'id':id})
diff --git a/ckanext-hdx_org_group/ckanext/hdx_org_group/plugin.py b/ckanext-hdx_org_group/ckanext/hdx_org_group/plugin.py
index fe0007b6cd..19b5b50bd7 100644
--- a/ckanext-hdx_org_group/ckanext/hdx_org_group/plugin.py
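Review bot: `hdx_datagrid_show` in authorize.py returns `'success': False` for every caller and carries no comment saying how sysadmins get through. The restriction works only because CKAN skips auth functions for sysadmin users unless the function is marked with `auth_sysadmins_check`, and that dependency is invisible at this spot. A docstring such as `"""Deny all callers; CKAN bypasses auth functions for sysadmins, so only they reach the action."""` would keep a later edit from breaking the rule by accident.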
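Review bot: The new `_check_access('hdx_datagrid_show', context, data_dict)` call in get.py guards the action itself, so every in-process caller is affected, not only the URL named in the commit title. Callers outside this hunk that pass a regular user's context will now get an authorization error, and any caller that sets `'ignore_auth': True` (as the old test did) skips the check entirely; it is worth confirming that the view behind the restricted URL does neither by accident. A short comment above the call, e.g. `# sysadmin-only, enforced by authorize.hdx_datagrid_show`, would make the intent visible here. The body of `hdx_datagrid_show` continues outside the hunk.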
+++ b/ckanext-hdx_org_group/ckanext/hdx_org_group/plugin.py
@@ -80,6 +80,7 @@ def get_auth_functions(self):
 'member_delete': authorize.member_delete,
 'invalidate_data_completeness_for_location': authorize.invalidate_data_completeness_for_location,
 'hdx_organization_follower_list': authorize.hdx_organization_follower_list,
+ 'hdx_datagrid_show': authorize.hdx_datagrid_show,
 # 'hdx_org_join_request': authorize.hdx_org_join_request,
 }
diff --git a/ckanext-hdx_org_group/ckanext/hdx_org_group/tests/test_data_completeness.py b/ckanext-hdx_org_group/ckanext/hdx_org_group/tests/test_data_completeness.py
index 8c8c216f93..075a126377 100644
--- a/ckanext-hdx_org_group/ckanext/hdx_org_group/tests/test_data_completeness.py
+++ b/ckanext-hdx_org_group/ckanext/hdx_org_group/tests/test_data_completeness.py
@@ -17,6 +17,8 @@
 USER = 'some_user'
+SYSADMIN = 'test_sysadmin'
+SYSADMIN_EMAIL = 'test_sysadmin@email.com'
 LOCATION = 'some_location'
 LOCATION_DISPLAY_NAME = LOCATION_TITLE = 'Some Location'
 ORG = 'org_name_4_completeness'
@@ -91,6 +93,7 @@ def _generate_dataset_dict(dataset_name, org_id, group_name, review_date, user=U
 @pytest.fixture()
 def setup_data():
 factories.User(name=USER, email='some_user@hdx.hdxtest.org')
+ factories.Sysadmin(name=SYSADMIN, email=SYSADMIN_EMAIL, fullname='Sysadmin User')
 group = factories.Group(name=LOCATION, title=LOCATION_TITLE, display_name=LOCATION_DISPLAY_NAME)
 factories.Organization(
 name=ORG,
@@ -245,9 +248,15 @@ def test_data_completeness_dataset_up_to_date(self, patched_DataCompleteness):
 @mock.patch('ckanext.hdx_org_group.helpers.data_completeness.DataCompleteness')
 def test_data_completeness_datagrid_show(self, patched_DataCompleteness):
 data = self.__compute_data_completeness(_generate_test_yaml_dict(), patched_DataCompleteness)
- # datagrid_dict = grp_h.hdx_replace_datagrid_labels(data, {'name':LOCATION, 'title': LOCATION_TITLE, 'display_name': LOCATION_DISPLAY_NAME})
- context = {'model': model, 'session': model.Session, 'user': USER, 'ignore_auth': True}
- datagrid_dict = _get_action('hdx_datagrid_show')(context, {'id':LOCATION})
+ context_sysadmin = {'model': model, 'session': model.Session, 'user': SYSADMIN}
+ context_user = {'model': model, 'session': model.Session, 'user': USER}
+ try:
+ datagrid_dict = _get_action('hdx_datagrid_show')(context_user, {'id': LOCATION})
+ assert False
+ except Exception:
+ assert True
+ datagrid_dict = _get_action('hdx_datagrid_show')(context_sysadmin, {'id':LOCATION})
+ assert datagrid_dict['iso3'] == LOCATION
 assert datagrid_dict['title'] == LOCATION_TITLE
 assert 'date' in datagrid_dict
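Review bot: The negative check in `test_data_completeness_datagrid_show` cannot fail: `assert False` raises AssertionError, which the following `except Exception:` catches, so the test passes even if a regular user is allowed to read the datagrid. Replace the try/except with `with pytest.raises(NotAuthorized):` wrapped around `_get_action('hdx_datagrid_show')(context_user, {'id': LOCATION})`, importing CKAN's NotAuthorized if the module does not already have it in scope. That pins both that the call is rejected and that the rejection is the authorization failure rather than an unrelated error. A case with no `user` in the context would cover anonymous access as well.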