http://localhost/ticket/648 <ul><li>copy exisiting tests, modify authz in setUp, adapt and extend tests <ul><li>Problem: default_role_actions is read by init_db </li><li>Solution: nuke db after monkey-patching </li><li>role = model.Role('Reader'), del role.actions[...] </li></ul></li></ul><blockquote> <blockquote> <p> self.PRE_MAUTHZ_RULES = copy(mauthz.default_role_actions) mauthz.default_role_actions.remove((Role.READER, Action.CREATE)) #raise Exception(mauthz.default_role_actions) model.Session.remove() model.repo.rebuild_db() </p> </blockquote> </blockquote> <ol start="3"><li>Start from the functional <ul><li>Both the api controllers and wui controllers to do </li><li>tests/function/test_authz.py extended to check CREATE in lockedDown mode. fails nicely. <a class="ext-link" href="http://bitbucket.org/pudo/ckan-authz2"><span class="icon">​</span>http://bitbucket.org/pudo/ckan-authz2</a> </li></ul></li></ol><p> is_authorized(user, Action.Create, model.Package) </p> <p> -&gt; Doing this will put 'Package' in the context field of the user_object_role table. This will trigger SQLAlchemy to attempt a join towards <a class="missing wiki">PackageRole?</a> in all queries. Since for class-level role assignments there never is a <a class="missing wiki">PackageRole?</a> join table entry, this will never return any results. </p> <ul><li>cf branch "classes": <a class="ext-link" href="http://bitbucket.org/pudo/ckan-authz2/src/6fd0475e0c66"><span class="icon">​</span>http://bitbucket.org/pudo/ckan-authz2/src/6fd0475e0c66</a> </li><li>No possibility of including "instance" column in inheritance decision. </li><li>Even if this can be cirumvented, it must happen on a per-query level and would require a major re-modelling. </li></ul><ul><li>have a ckan install that would not allow visitors to either list packages or list groups <ul><li>two paths: create the listing, but for each group/pkg decide that you cannot show this </li><li>lock down the whole page (/package/list) <ul><li>this is class-based, not object-based </li></ul></li></ul></li></ul><p> is_authorized(user, Action.Package_Create, model.System()) is_authorized(user, Action.Group_Create, model.System()) </p> <p> [Separating Package and Group roles may be useful going forward: <a class="missing wiki">PackageEditor?</a>, <a class="missing wiki">GroupEditor?</a> etc] </p> <ol start="4"><li>Find a standard way to lock down classes <ul><li>possibly add default rows in user_object_role </li><li>introduce lock-down into controllers: group new, package new, REST equivalents, </li><li>confirm tests </li></ul></li></ol> en-us http://assets.okfn.org/p/ckan/img/ckan_logo_shortname.png http://localhost/ticket/648 Trac 0.12.3 pudo Sun, 19 Sep 2010 09:47:36 GMT http://localhost/ticket/648#comment:1 http://localhost/ticket/648#comment:1 <ul> <li><strong>status</strong> changed from <em>new</em> to <em>closed</em> </li> <li><strong>resolution</strong> set to <em>fixed</em> </li> </ul> <p> introduced in ckan-authz2 cset:934b30ec84fd </p> Ticket