ckanext-permissions 0.2.0__py3-none-any.whl

ckanext/permissions_manager/helpers.py

@@ -0,0 +1,23 @@
+from ckan.lib import munge
+
+from ckanext.permissions.utils import get_registered_roles
+
+
+def permission_munge_string(value: str) -> str:
+    """Munge a string using CKAN's munge_name function.
+
+    Args:
+        value: The string to munge
+
+    Returns:
+        The munged string
+    """
+    return munge.munge_name(value)
+
+
+def permission_get_registered_roles_options() -> list[dict[str, str]]:
+    return [
+        {"value": role_id, "text": role_label}
+        for role_id, role_label in get_registered_roles().items()
+        if role_id not in ("administrator", "anonymous")
+    ]

ckanext/permissions_manager/plugin.py

@@ -0,0 +1,48 @@
+from __future__ import annotations
+
+import ckan.plugins as p
+import ckan.plugins.toolkit as tk
+import ckan.types as types
+
+
+@tk.blanket.blueprints
+@tk.blanket.helpers
+class PermissionsManagerPlugin(p.SingletonPlugin):
+    p.implements(p.IConfigurer)
+    p.implements(p.ISignal)
+
+    # IConfigurer
+
+    def update_config(self, config_):
+        tk.add_template_directory(config_, "templates")
+        tk.add_public_directory(config_, "public")
+        tk.add_resource("assets", "permissions_manager")
+
+    # ISignal
+
+    def get_signal_subscriptions(self) -> types.SignalMapping:
+        return {
+            tk.signals.ckanext.signal("ap_main:collect_config_sections"): [self.collect_config_sections_subs],
+        }
+
+    @staticmethod
+    def collect_config_sections_subs(sender: None):
+        return {
+            "name": "Permissions",
+            "configs": [
+                {
+                    "name": "Permissions manager",
+                    "blueprint": "perm_manager.permission_list",
+                    "info": "Manage portal permissions",
+                },
+                {
+                    "name": "Roles manager",
+                    "blueprint": "perm_manager.role_list",
+                    "info": "Manage portal roles",
+                },
+                {
+                    "name": "User roles list",
+                    "blueprint": "perm_manager.user_roles_list",
+                },
+            ],
+        }

ckanext/permissions_manager/views.py

@@ -0,0 +1,351 @@
+from __future__ import annotations
+
+import logging
+from typing import Any, Union
+
+from flask import Blueprint, Response
+from flask.views import MethodView
+
+import ckan.model as model
+import ckan.plugins.toolkit as tk
+import ckan.types as types
+from ckan.lib.helpers import Page
+
+from ckanext.permissions import model as perm_model
+from ckanext.permissions import utils
+
+log = logging.getLogger(__name__)
+perm_manager = Blueprint("perm_manager", __name__, url_prefix="/permissions")
+
+
+USER_ROLES_PER_PAGE = 10
+
+
+@perm_manager.before_request
+def before_request() -> None:
+    try:
+        tk.check_access("sysadmin", {"user": tk.current_user.name})
+    except tk.NotAuthorized:
+        tk.abort(403, tk._("Need to be system administrator to administer"))
+
+
+class PermissionManagerView(MethodView):
+    def get(self) -> Union[str, Response]:
+        return tk.render(
+            "perm_manager/list.html",
+            extra_vars={
+                "permission_groups": utils.get_permission_groups(),
+            },
+        )
+
+    def post(self) -> Response:
+        try:
+            tk.get_action("permissions_update")({}, {"permissions": self._get_permissions()})
+        except tk.ValidationError as e:
+            tk.h.flash_error(str(e))
+            return tk.redirect_to("perm_manager.permission_list")
+
+        tk.h.flash_success("Permissions updated")
+
+        return tk.redirect_to("perm_manager.permission_list")
+
+    def _get_permissions(self) -> dict[str, dict[str, bool]]:
+        permissions = {}
+
+        for key in tk.request.form.keys():
+            if "|" not in key:
+                continue
+
+            values = tk.request.form.getlist(key)
+            permission, role_id = key.split("|")
+
+            if permission not in permissions:
+                permissions[permission] = {}
+
+            permissions[permission][role_id] = "set" in values
+
+        return permissions
+
+
+class RoleManagerView(MethodView):
+    def get(self) -> Union[str, Response]:
+        return tk.render(
+            "perm_manager/role_list.html",
+            extra_vars={
+                "roles": sorted(perm_model.Role.all(), key=lambda x: x["label"]),
+            },
+        )
+
+
+class RoleAdd(MethodView):
+    def get(self) -> Union[str, Response]:
+        return tk.render(
+            "perm_manager/add_role.html",
+            extra_vars={"errors": {}, "data": {}},
+        )
+
+    def post(self) -> Union[str, Response]:
+        payload = dict(tk.request.form)
+
+        tk.get_or_bust(payload, ["id", "label", "description"])
+
+        try:
+            tk.get_action("permission_role_create")({}, payload)
+        except tk.NotAuthorized as e:
+            return tk.abort(403, str(e))
+        except tk.ValidationError as e:
+            return tk.render(
+                "perm_manager/add_role.html",
+                extra_vars={"errors": e.error_dict, "data": payload},
+            )
+
+        tk.h.flash_success("Role has been created")
+
+        return tk.redirect_to("perm_manager.role_list")
+
+
+class RoleDelete(MethodView):
+    def post(self) -> Response:
+        payload = dict(tk.request.form)
+
+        tk.get_or_bust(payload, ["id"])
+
+        try:
+            tk.get_action("permission_role_delete")({}, payload)
+        except tk.ValidationError as e:
+            tk.h.flash_error(str(e))
+        else:
+            tk.h.flash_success("Role has been deleted")
+
+        return tk.redirect_to("perm_manager.role_list")
+
+
+class RoleEdit(MethodView):
+    def get(self, role_id: str) -> Union[str, Response]:
+        return tk.render(
+            "perm_manager/edit_role.html",
+            extra_vars={"role": perm_model.Role.get(role_id), "errors": {}, "data": {}},
+        )
+
+    def post(self, role_id: str) -> Union[str, Response]:
+        payload = dict(tk.request.form)
+
+        tk.get_or_bust(payload, "description")
+
+        try:
+            tk.get_action("permission_role_update")(
+                {},
+                {
+                    "id": role_id,
+                    "description": payload["description"],
+                },
+            )
+        except tk.ValidationError as e:
+            return tk.render(
+                "perm_manager/edit_role.html",
+                extra_vars={
+                    "role": perm_model.Role.get(role_id),
+                    "errors": e.error_dict,
+                    "data": payload,
+                },
+            )
+
+        tk.h.flash_success("Role has been updated")
+
+        return tk.redirect_to("perm_manager.role_list")
+
+
+class BaseUserRolesList(MethodView):
+    def _get_user_with_roles(self, scope: str = "global", scope_id: str | None = None) -> list[dict[str, Any]]:
+        """
+        Get all active users and their roles.
+        """
+        users = self._get_active_users()
+        result: list[dict[str, Any]] = []
+
+        for user in users:
+            result.append(
+                {
+                    "id": user.id,
+                    "display_name": user.display_name,
+                    "roles": tk.h.get_user_roles(user.id, scope, scope_id),
+                }
+            )
+
+        return self._apply_filters(result)
+
+    def _get_active_users(self) -> list[model.User]:
+        """
+        Get all active users and sort them by display name.
+        """
+        return sorted(
+            (model.Session.query(model.User).filter(model.User.state == model.State.ACTIVE).all()),
+            key=lambda x: x.display_name,
+        )
+
+    def _apply_filters(self, users: list[dict[str, Any]]) -> list[dict[str, Any]]:
+        """
+        Apply filters based on username and role.
+        """
+        q = tk.request.args.get("q", "").strip()
+        role_filter = tk.request.args.get("role", "").strip()
+
+        if q:
+            users = [user for user in users if q.lower() in user["display_name"].lower() or q.lower() in user["roles"]]
+
+        if role_filter:
+            users = [user for user in users if role_filter in user["roles"]]
+
+        return users
+
+
+class UserRolesList(BaseUserRolesList):
+    def get(self) -> Union[str, Response]:
+        users = self._get_user_with_roles()
+        page = Page(
+            collection=users,
+            page=tk.h.get_page_number(tk.request.args),
+            url=tk.h.pager_url,
+            item_count=len(users),
+            items_per_page=int(tk.request.args.get("limit", USER_ROLES_PER_PAGE)),
+        )
+        return tk.render("perm_manager/user_roles_list.html", extra_vars={"page": page})
+
+
+class OrganizationUserRolesList(BaseUserRolesList):
+    def get(self, org_id: str) -> Union[str, Response]:
+        users = self._get_user_with_roles(scope="organization", scope_id=org_id)
+        org_dict = _get_org_dict(org_id)
+
+        def _pager_url(**kwargs):
+            return tk.h.url_for("perm_manager.organization_user_roles_list", org_id=org_id, **kwargs)
+
+        page = Page(
+            collection=users,
+            page=tk.h.get_page_number(tk.request.args),
+            url=_pager_url,
+            item_count=len(users),
+            items_per_page=int(tk.request.args.get("limit", USER_ROLES_PER_PAGE)),
+        )
+
+        return tk.render(
+            "perm_manager/organization/user_roles_list.html",
+            extra_vars={
+                "group_dict": org_dict,
+                "group_type": "organization",
+                "page": page,
+            },
+        )
+
+
+class EditUserRole(MethodView):
+    def __init__(self):
+        self.schema = {
+            "roles": [tk.get_validator(validator) for validator in "not_missing list_of_strings roles_exists".split()]
+        }
+
+    def get(self, user_id: str) -> Union[str, Response]:
+        user = model.User.get(user_id)
+
+        if not user:
+            return tk.abort(404, "User not found")
+
+        return tk.render(
+            "perm_manager/edit_user_roles.html",
+            extra_vars={
+                "user": user,
+                "data": {"roles": ",".join(tk.h.get_user_roles(user.id))},
+                "errors": {},
+            },
+        )
+
+    def post(self, user_id: str) -> Union[str, Response]:
+        return self._update_user_roles(user_id, "global")
+
+    def _update_user_roles(self, user_id: str, scope: str, scope_id: str | None = None) -> Union[str, Response]:
+        payload = {"roles": tk.request.form.getlist("roles")}
+
+        user = model.User.get(user_id)
+
+        if not user:
+            tk.abort(404, "User not found")
+
+        data, errors = tk.navl_validate(payload, self.schema)
+
+        if errors:
+            return tk.render(
+                "perm_manager/edit_user_roles.html",
+                extra_vars={"user": user, "data": data, "errors": errors},
+            )
+
+        perm_model.UserRole.clear_user_roles(user.id, scope, scope_id)
+
+        for role in data["roles"]:
+            perm_model.UserRole.create(user_id=user.id, role=role, scope=scope, scope_id=scope_id)
+
+        model.Session.commit()
+
+        tk.h.flash_success("User roles updated")
+
+        return (
+            tk.redirect_to("perm_manager.user_roles_list")
+            if scope == "global"
+            else tk.redirect_to("perm_manager.organization_user_roles_list", org_id=scope_id)
+        )
+
+
+class OrganizationEditUserRole(EditUserRole):
+    def get(self, org_id: str, user_id: str) -> Union[str, Response]:
+        user = model.User.get(user_id)
+
+        if not user:
+            return tk.abort(404, "User not found")
+
+        org_dict = _get_org_dict(org_id)
+        scope = "organization"
+
+        return tk.render(
+            "perm_manager/organization/edit_user_roles.html",
+            extra_vars={
+                "user": user,
+                "data": {"roles": ",".join(tk.h.get_user_roles(user.id, scope, org_dict["id"]))},
+                "errors": {},
+                "group_dict": org_dict,
+                "group_type": scope,
+            },
+        )
+
+    def post(self, org_id: str, user_id: str) -> Union[str, Response]:
+        return self._update_user_roles(user_id, "organization", org_id)
+
+
+def _get_org_dict(org_id: str) -> dict[str, Any]:
+    context = types.Context(user=tk.current_user.name, for_view=True)
+
+    try:
+        return tk.get_action("organization_show")(context, {"id": org_id, "include_datasets": False})
+    except (tk.ObjectNotFound, tk.NotAuthorized):
+        tk.abort(404, tk._("Organization not found"))
+
+
+perm_manager.add_url_rule("/manage", view_func=PermissionManagerView.as_view("permission_list"))
+
+perm_manager.add_url_rule("/roles", view_func=RoleManagerView.as_view("role_list"))
+perm_manager.add_url_rule("/roles/add", view_func=RoleAdd.as_view("role_add"))
+perm_manager.add_url_rule("/roles/delete", view_func=RoleDelete.as_view("role_delete"))
+perm_manager.add_url_rule("/roles/<role_id>", view_func=RoleEdit.as_view("role_edit"))
+
+# organization user roles
+perm_manager.add_url_rule(
+    "/organization/user-roles/<org_id>",
+    view_func=OrganizationUserRolesList.as_view("organization_user_roles_list"),
+)
+perm_manager.add_url_rule(
+    "/organization/user-roles/<org_id>/<user_id>",
+    view_func=OrganizationEditUserRole.as_view("organization_edit_user_role"),
+)
+
+perm_manager.add_url_rule("/user-roles", view_func=UserRolesList.as_view("user_roles_list"))
+perm_manager.add_url_rule("/user-roles/<user_id>", view_func=EditUserRole.as_view("edit_user_role"))
+
+blueprints = [perm_manager]

ckanext_permissions-0.2.0.dist-info/METADATA

@@ -0,0 +1,104 @@
+Metadata-Version: 2.4
+Name: ckanext-permissions
+Version: 0.2.0
+Summary: Permission system for CKAN
+Author-email: DataShades <datashades@linkdigital.com.au>, Oleksandr Cherniavskyi <mutantsan@gmail.com>
+Maintainer-email: DataShades <datashades@linkdigital.com.au>
+License: AGPL
+Project-URL: Homepage, https://github.com/DataShades/ckanext-permissions
+Keywords: CKAN
+Classifier: Development Status :: 4 - Beta
+Classifier: License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Provides-Extra: dev
+Requires-Dist: pytest-ckan; extra == "dev"
+Requires-Dist: pytest-toolbelt; extra == "dev"
+Requires-Dist: ckanext-toolbelt; extra == "dev"
+Dynamic: license-file
+
+[![Tests](https://github.com/DataShades/ckanext-permissions/actions/workflows/test.yml/badge.svg)](https://github.com/DataShades/ckanext-permissions/actions/workflows/test.yml)
+
+# ckanext-permissions
+
+> [!WARNING]
+> This extension is still under development and not ready for production use.
+
+The extension allows you to build a Access Control List (ACL) system within CKAN.
+
+![acl.png](doc/acl.png)
+
+
+### Roles
+
+The extension has a 3 default roles: `anonymous`, `authenticated` and `administrator`. And allows you to define custom roles.
+
+![roles.png](doc/roles.png)
+
+### Assigning roles to users
+
+The extension provides a way to assign roles to users. Roles could be global and scoped to an organization.
+
+![role-assignment.png](doc/role-assignment.png)
+
+
+## Requirements
+
+Compatibility with core CKAN versions:
+
+| CKAN version    | Compatible?   |
+| --------------- | ------------- |
+| 2.9 and earlier | no            |
+| 2.10+           | yes           |
+| 2.11+           | yes           |
+
+
+## Installation
+
+Using GIT Clone:
+
+1. Activate your CKAN virtual environment, for example:
+
+     . /usr/lib/ckan/default/bin/activate
+
+2. Clone the source and install it on the virtualenv
+
+    git clone https://github.com/DataShades/ckanext-permissions.git
+
+    cd ckanext-permissions
+
+    pip install -e .
+
+3. Add `permissions permissions_manager` to the `ckan.plugins` setting in your CKAN
+   config file (by default the config file is located at
+   `/etc/ckan/default/ckan.ini`).
+
+4. Initialize DB tables:
+
+    ckan -c PATH_TO_CONFIG db upgrade
+
+5. Initialize default Roles and add Authenticated default role to all existing Users:
+
+    ckan -c PATH_TO_CONFIG permissions assign-default-user-roles
+
+7. Restart CKAN.
+
+
+## Config settings
+
+TBD
+
+
+## Tests
+
+To run the tests, do:
+
+    pytest --ckan-ini=test.ini --cov=ckanext.permissions
+
+
+## License
+
+[AGPL](https://www.gnu.org/licenses/agpl-3.0.en.html)

ckanext_permissions-0.2.0.dist-info/RECORD

@@ -0,0 +1,39 @@
+ckanext/__init__.py,sha256=bA4GtkniRdq2--6cjASDLRM4gCsX_ysGJkaTMSmIQY8,202
+ckanext/permissions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+ckanext/permissions/cli.py,sha256=A48-pfK2hhLWT2MrOMJwm0NNNe43GGLsbbsXq-8B9sw,2439
+ckanext/permissions/const.py,sha256=KwP1mrgb_SE_n1aEj7pdxC5jxe5rWIxPJPZSSZeJy88,191
+ckanext/permissions/helpers.py,sha256=rIRSFGLT-B_p1bOYPco2FoS_5eEBUnvOrmDrByPr0ck,1334
+ckanext/permissions/model.py,sha256=6VkUklXcte_WsSCPeMhPdBJIXrP_g00NK1X5TyMHHK0,4323
+ckanext/permissions/plugin.py,sha256=hMWhrwpED0hwFFl0lR0vxb5k9w3Qseye3RCqDqK64oA,2098
+ckanext/permissions/types.py,sha256=9MM5GJgnWbW8YZ1xOw-YQsVzGI05hlCUUtVd8O1vcQU,598
+ckanext/permissions/utils.py,sha256=FUOzW7EO5AEJNmZuQ1IdK6dQSSbvhEItaVsyHti4VGo,5300
+ckanext/permissions/implementation/__init__.py,sha256=tJ9Gz2mK8mBPXYmEwwQL8xxtCs491x5H-h8X-ZkWUZg,87
+ckanext/permissions/implementation/permission_labels.py,sha256=mwtjW8HJFXbHeTFcxQ0QsOWqjCLu6Hkw6N56mg5IZAc,1524
+ckanext/permissions/logic/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+ckanext/permissions/logic/action.py,sha256=eKaq7PQT6t03BFWOatoQPdAvkNKZFBKXjx8EvNv2PEI,3598
+ckanext/permissions/logic/auth.py,sha256=0KQjIcxXbhzG9oZadWUF7YVl5n5TE6YnMCwL5ecKTDc,2452
+ckanext/permissions/logic/schema.py,sha256=u7zIjeMT60Hjcm7_x8Ch6Qjyl7aK7buUE0wqOJmf_wo,1608
+ckanext/permissions/logic/validators.py,sha256=3AQ6t-yp9bcpxLlikDhCgInwpNIKSZ_pu1EnK6Qc-Ok,2498
+ckanext/permissions/migration/permissions/alembic.ini,sha256=TjMs29GvgS6oUMdLfXbw1onzwkRBQ9pSft78UgAAUUE,1812
+ckanext/permissions/migration/permissions/env.py,sha256=LQT2UgozCI1O1gRtHRC9BSk9K3ks8wQxTW_j1pQ65Yw,2228
+ckanext/permissions/migration/permissions/script.py.mako,sha256=8_xgA-gm_OhehnO7CiIijWgnm00ZlszEHtIHrAYFJl0,494
+ckanext/permissions/migration/permissions/versions/a849104ccfdc_init_tables.py,sha256=T8TqpsPELtCRgAZp66SM-z8BnkpJbdAolh-mUaGThco,1585
+ckanext/permissions/tests/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+ckanext/permissions/tests/conftest.py,sha256=S8W4U9VYcOi0RIDw9bctMAjFbmdxnoIuqBfsRYAkd-w,1113
+ckanext/permissions/tests/test_autoassign.py,sha256=U_ZA4hTaERS6uYyvVq6_aMYwh72uXW5geBM-oYuEWoM,900
+ckanext/permissions/tests/test_helpers.py,sha256=vIvoF0Jfy4hE9QaM7tllD0B6iGXR7HpT3tD8Rpl-CPo,2405
+ckanext/permissions/tests/test_permission_labels.py,sha256=CV42TMQwjB5BiSnosD2m455vZCyD60qeGezB4Nc-IAk,914
+ckanext/permissions/tests/test_utils.py,sha256=V7mcswMW-Jhv26-dDcx92GJvhEXJLGFUnDUDTzggSk0,9220
+ckanext/permissions/tests/test_validators.py,sha256=hlhLWyosSi-vY-nWDcMvNDEXaaBZPHRuyjQhvoLZ8so,3499
+ckanext/permissions/tests/actions/test_permission.py,sha256=sqTvF3nbTNAZm1fzmsgUg7udQT_X19PEFcTbgjpbEuw,2540
+ckanext/permissions/tests/actions/test_role.py,sha256=RaZxAQ63pNJel0GtO2fnn1MbeaYW809g0PHQ7cs6ANI,3729
+ckanext/permissions_manager/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+ckanext/permissions_manager/helpers.py,sha256=e_DMaAohk_bV-Z1WOsgsk19m8VGcbRiY_XDo_H4MGxY,584
+ckanext/permissions_manager/plugin.py,sha256=ssESyXDbK43p6nINArBGNXWUvxxY9dSFmYk3a2WjhO0,1441
+ckanext/permissions_manager/views.py,sha256=C_nL7nTJpW8NQoWpIBVZqV6sbyRasCGE2aUcEIHfzL0,11270
+ckanext_permissions-0.2.0.dist-info/licenses/LICENSE,sha256=2lWcRAHjsQhqavGNnR30Ymxq3GJ9BaYL_dnfGO_-WFA,34500
+ckanext_permissions-0.2.0.dist-info/METADATA,sha256=dvT8tyEhY4RPdwQzbDSwmPZzjYg0ejLacvly0VOBSsY,2801
+ckanext_permissions-0.2.0.dist-info/WHEEL,sha256=qELbo2s1Yzl39ZmrAibXA2jjPLUYfnVhUNTlyF1rq0Y,92
+ckanext_permissions-0.2.0.dist-info/entry_points.txt,sha256=y3oO5e5vSFvReRU-bvsf6TWlKFGEM2XoMqxdjoJmTx0,213
+ckanext_permissions-0.2.0.dist-info/top_level.txt,sha256=5yjNwq-s42weaiMMUuA5lZ45g99ANsfcRBCvac1JMS4,8
+ckanext_permissions-0.2.0.dist-info/RECORD,,

ckanext_permissions-0.2.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (80.10.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

ckanext_permissions-0.2.0.dist-info/entry_points.txt

@@ -0,0 +1,6 @@
+[babel.extractors]
+ckan = ckan.lib.extract:extract_ckan
+
+[ckan.plugins]
+permissions = ckanext.permissions.plugin:PermissionsPlugin
+permissions_manager = ckanext.permissions_manager.plugin:PermissionsManagerPlugin