State field changed by non-sysadmin

[johnbywater]

This package:

​http://ckan.net/package/dbtune-audioscrobbler

was:

1. created by Richard (logged-in)
2. edited by Richard (logged-in)

(According to the logs, at this point the state was changed from 'active' to 'deleted') -- RP was it set to 'deleted' or just ?

3. pudo changed the state back to active

Similarly an incident with bibbase package where field set to (see ​http://ckan.net/revision/diff/bibbase?diff=702bb0a3-03b7-49ac-87ad-e489c414962f&oldid=5447842d-b6ed-41d9-9cfd-8bb73b85c409)

Need to investigate how this got changed, fix if necessary and report back to Richard. Note that package 'admins' as well as sysadmins can change the state of a package (though note that bibbase did not appear to have an owner).

Suggested solution (for setting to ):

• Ensure in ckan/forms.py that there is a validator for state field that ensures only set to valid values.
• Check that we do not allow state to be changed in the api except by package owner or sysadmin

[richard@…]

Note, I'm not a sysadmin but I can see the Status dropdown for this package, with values "active" and "deleted". Not knowing much about the permission system, I was assuming that's because I created the package.

I am however certain that I did not modify (or even notice) this dropdown in the mysterious edit that led to the state change from "active" to "None".

[richard@…]

I believe the initial report is incorrect. It states that the status was changed from "active" to "deleted". I believe that it was actually changed from "active" to "None".

This might indicate a bug in the code: The value of the status field is lost.

[rgrp]

To add to this ticket I note that package 'owners' are entitled to see State not just system sysadmins (this allows owners to delete packages).

[thejimmyg]

This is most likely fixed in the new logic layer refactor but is more than 6 months old anyway so closing in line with our new ticketing policy.