Ticket #460 (closed defect: fixed)

Opened 4 years ago

Last modified 3 years ago

State field changed by non-sysadmin

Reported by: johnbywater
Owned by: pudo
Priority: critical
Milestone:
Component: ckan
Keywords:
Cc:
Repository: ckan
Theme: none

Description (last modified by rgrp) (diff)

This package:

http://ckan.net/package/dbtune-audioscrobbler

was:

  1. created by Richard (logged-in)
  2. edited by Richard (logged-in)

(According to the logs, at this point the state was changed from 'active' to 'deleted') -- RP was it set to 'deleted' or just ?

  3. pudo changed the state back to active

Similarly an incident with bibbase package where field set to (see http://ckan.net/revision/diff/bibbase?diff=702bb0a3-03b7-49ac-87ad-e489c414962f&oldid=5447842d-b6ed-41d9-9cfd-8bb73b85c409)

Need to investigate how this got changed, fix if necessary and report back to Richard. Note that package 'admins' as well as sysadmins can change the state of a package (though note that bibbase did not appear to have an owner).

Suggested solution (for setting to ):

  • Ensure in ckan/forms.py that there is a validator for the state field that ensures it is only set to valid values.
  • Check that we do not allow state to be changed in the API except by the package owner or a sysadmin.
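
The two checks suggested above, sketched as an added example (not part of the ticket and not CKAN's code). `resolve_state`, `StateChangeError` and the shape of `submitted` are hypothetical names, and keeping the stored state when the field is absent from a submission is an assumption.

```python
# The two values the ticket says the Status dropdown offers.
VALID_STATES = {"active", "deleted"}


class StateChangeError(ValueError):
    """Raised when a submitted state is invalid or the editor may not change it."""


def resolve_state(current, submitted, *, is_sysadmin=False, is_package_admin=False):
    """Return the state to store after a package edit.

    current   -- state currently stored for the package
    submitted -- dict of submitted form/API fields (hypothetical shape)
    """
    # Assumption: a submission that omits the field keeps the stored value,
    # so an edit of other fields can never blank the state.
    if "state" not in submitted:
        return current

    new_state = submitted["state"]

    # Validator: accept only the known values; None, "" and "None" are rejected.
    if not isinstance(new_state, str) or new_state not in VALID_STATES:
        raise StateChangeError(f"invalid state: {new_state!r}")

    # Re-submitting the unchanged value needs no special privilege.
    if new_state == current:
        return current

    # Authorization: only a package admin or a sysadmin may change the state.
    if not (is_sysadmin or is_package_admin):
        raise StateChangeError(
            "state may only be changed by a package admin or a sysadmin"
        )
    return new_state
```
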

Change History

comment:1 Changed 4 years ago by dread

  • remaining_time set to 1

comment:2 Changed 4 years ago by dread

  • Type changed from task to defect
  • Description modified (diff)
  • Summary changed from Investigate Richard Cyganiak issue to State field changed by non-sysadmin

comment:3 Changed 4 years ago by [email protected]

Note, I'm not a sysadmin but I can see the Status dropdown for this package, with values "active" and "deleted". Not knowing much about the permission system, I was assuming that's because I created the package.

I am however certain that I did not modify (or even notice) this dropdown in the mysterious edit that led to the state change from "active" to "None".

comment:4 Changed 4 years ago by [email protected]

I believe the initial report is incorrect. It states that the status was changed from "active" to "deleted". I believe that it was actually changed from "active" to "None".

This might indicate a bug in the code: The value of the status field is lost.

comment:5 Changed 4 years ago by rgrp

To add to this ticket I note that package 'owners' are entitled to see State not just system sysadmins (this allows owners to delete packages).

comment:6 Changed 4 years ago by rgrp

  • Owner set to pudo
  • Priority changed from awaiting triage to critical
  • Description modified (diff)
  • Milestone set to ckan v1.3

comment:7 Changed 3 years ago by dread

  • Component set to ckan

comment:8 Changed 3 years ago by shevski

  • Repository set to ckan
  • Theme set to none
  • Milestone ckan-v1.5 deleted

comment:9 Changed 3 years ago by thejimmyg

  • Status changed from new to closed
  • Resolution set to fixed

This is most likely fixed in the new logic layer refactor but is more than 6 months old anyway so closing in line with our new ticketing policy.
