Ticket #129 (new enhancement) — at Version 2
Secure db access by channelling query generation through authz module
Reported by: | dread | Owned by: | rgrp |
---|---|---|---|
Priority: | awaiting triage | Milestone: | ckan-backlog |
Component: | ckan | Keywords: | |
Cc: | Repository: | ||
Theme: |
Description (last modified by dread) (diff)
Controllers and templates should not access db objects directly - they should do all access via authz module giving username. They are handed by a query that has already been filtered by the packages they are authorized to read.
(Additional idea to be discussed: When they request a package object, they are handed an copy of the db object - disconnected from the database - so it the db object can't be changed.)
A couple of tests can be reenabled when this is done: ckan.tests.functional.test_authz.TestUsage?.test_admin_list_deleted ckan.tests.functional.test_authz.TestUsage?.test_search_deleted
Change History
Note: See
TracTickets for help on using
tickets.