refactors auth.py

1c4d9979 · Benjamin Becker · 3aad1524 · 1c4d9979 · 1c4d9979
Commit 1c4d9979 authored 4 years ago by Benjamin Becker
--- a/ckanext/odsh/logic/auth.py
+++ b/ckanext/odsh/logic/auth.py
-import ckan.logic.auth
+import ckan.logic.auth.get as get
+import ckan.logic.auth.update as update
+import ckan.logic.auth.delete as delete
+import ckan.logic.auth.create as create
 import ckan.plugins as p


 def _is_sysadmin(context):
    return context["auth_user_obj"].sysadmin

-
-def user_list(context, data_dict):
+def allow_sysadmin_only(original_auth_function):
+    def _decorator(func):
+        def wrapped_auth_function(context, data_dict=None):
            if not _is_sysadmin(context):
                return {"success": False}
-    return ckan.logic.auth.get.user_list(context, data_dict)
+            return original_auth_function(context, data_dict=data_dict)
+        
+        return wrapped_auth_function
        
+    return _decorator
+
+
+@allow_sysadmin_only(get.user_list)
+def user_list(context, data_dict):
+    pass
+
+@allow_sysadmin_only(update.user_update)
 def user_update(context, data_dict):
-    if not _is_sysadmin(context):
-        return {"success": False}
-    return ckan.logic.auth.update.user_update(context, data_dict)
+    pass
+
+@allow_sysadmin_only(create.user_create)
+def user_create(context, data_dict):
+    pass
+
+@allow_sysadmin_only(create.user_invite)
+def user_invite(context, data_dict):
+    pass

 def get_auth_functions():
    return {
        "user_list": user_list,
        "user_update": user_update,
+        "user_create": user_create,
+        "user_invite": user_invite,
    }
\ No newline at end of file
--- a/ckanext/odsh/tests_tpsh/test_auth.py
+++ b/ckanext/odsh/tests_tpsh/test_auth.py
@@ -23,13 +23,19 @@ class TestAuthorization:
        assert response.status_code == 403
        assert "Zugriff nicht erlaubt" in response
    
-    def test_user_list_not_accessible_by_regular_user(self):
+    def test_user_actions_not_accessible_by_regular_user(self):
+        def assert_not_authorized(action, context, data_dict):
+            with pytest.raises(NotAuthorized):
+                logic.check_access(action, context, data_dict=data_dict)
+
        user = factories.User()
        username = user["name"]
-        with pytest.raises(NotAuthorized):
-            logic.check_access("user_list", {"user": username}, {})
-        with pytest.raises(NotAuthorized):
-            logic.check_access("user_update", {"user": username}, {"id": username})
+
+        assert_not_authorized("user_list", {"user": username}, {})
+        assert_not_authorized("user_update", {"user": username}, {"id": username})
+        assert_not_authorized("user_delete", {"user": username}, {"id": username})
+        assert_not_authorized("user_create", {"user": username}, {"name": "foo"})
+        assert_not_authorized("user_invite", {"user": username}, {})
    
    def test_user_list_accessible_for_sysadmin(self):
        adminuser = factories.Sysadmin()
@@ -38,6 +44,9 @@ class TestAuthorization:
        username = user["name"]
        logic.check_access("user_list", {"user": adminusername}, {})
        logic.check_access("user_update", {"user": adminusername}, {"id": username})
+        logic.check_access("user_delete", {"user": adminusername}, {"id": username})
+        logic.check_access("user_create", {"user": adminusername}, {"name": "foo"})
+        logic.check_access("user_invite", {"user": adminusername}, {})