How to enforce Private setting for a Dataset against Editor members


Reed Villanueva

Mar 8, 2021, 11:32:25 PM
to CKAN Development Discussions
I'm trying to remove Editor users' ability to interact with the Visibility of a package/dataset. For my purposes, this would make CKAN's functionality closer to the marketing as described here: https://docs.ckan.org/en/2.9/user-guide.html#users-organizations-and-authorization

> An organization’s administrators can add individual users to it, with different roles depending on the level of authorization needed. A user in an organization can create a dataset owned by that organization. In the default setup, this dataset is initially private, and visible only to other users in the same organization. When it is ready for publication, it can be published at the press of a button. This may require a higher authorization level within the organization.

Any ideas on how this could be done?

One workaround I can think of is to modify the file(s) that present the Edit UI/form to Editor users to remove the Private/Public (Visibility) switch.
Found 3 places so far
```
$ # based on inspecting the Visibility switch html code on the dataset/package editing form in the ckan UI...
$ grep -rnw /usr/ckan/default/src/ckan -e 'field-private'
/usr/ckan/default/src/ckan/ckan/public/base/javascript/modules/dataset-visibility.js: ...
/usr/ckan/default/src/ckan/ckan/public/base/javascript/modules/dataset-visibility.min.js: ...
/usr/ckan/default/src/ckan/ckan/templates/package/snippets/package_basic_fields.html: ... 
```
but not sure how exactly they should be changed atm.
I can hide the option from Editors by changing the line https://github.com/ckan/ckan/blob/master/ckan/templates/package/snippets/package_basic_fields.html#L72 to look like 
```
{% set show_visibility_selector = user_is_sysadmin %}
```
but 1) new datasets still default to Public (whereas I'd want them to start as Private) and 2) this does not solve the problem of Editor users changing the Visibility status via API. Not sure how to address these issues atm (could not quite understand the working/interaction of .js files that grep listed).

Any ideas on how this could be done? Is there a way to disable API tokens for non-Sysadmins or somewhere where I can just remove Member and Editor users from interacting with the Visibility setting totally?

Reed Villanueva

Mar 18, 2021, 7:44:02 PM
to CKAN Development Discussions, Reed Villanueva
This (https://github.com/ckan/ckan/blob/420595d3190dded516672ef58a964c286bd2cb5f/ckan/model/package.py#L55) seems like a good candidate to look at for defaulting packages/datasets to Private

Reed Villanueva

Mar 18, 2021, 7:54:50 PM
to CKAN Development Discussions, Reed Villanueva

Reed Villanueva

Mar 22, 2021, 11:43:31 PM
to CKAN Development Discussions, Reed Villanueva
That is, we could try modifying the code here (https://github.com/ckan/ckan/blob/master/ckan/logic/auth/create.py#L10) and here (https://github.com/ckan/ckan/blob/master/ckan/logic/auth/update.py#L13) to check that the user is a sysadmin user when the package Visibility property is being set to Public. Which (I think) should take care of both API and web-UI package create/update situations (based on my interpretation of the architecture doc).

Reed Villanueva

Mar 23, 2021, 12:20:33 AM
to CKAN Development Discussions, Reed Villanueva
Note that if you set the default private status of packages to True (https://github.com/ckan/ckan/blob/420595d3190dded516672ef58a964c286bd2cb5f/ckan/model/package.py#L55), then doing something like...

```
data_dict = data_dict or {}
is_private = data_dict.get('private')
if not is_private and not authz.is_sysadmin(user):
    return {'success': False, 'msg': _('Something about how you need to be a sysadmin to set packages public')}
```

in https://github.com/ckan/ckan/blob/master/ckan/logic/auth/create.py#L10 hides the Add Dataset button from non-sysadmin users in the CKAN web UI in an organization, since the template html for displaying that button uses the auth logic (https://github.com/ckan/ckan/blob/master/ckan/templates/organization/read.html#L4) and the *default* package is now set to private=True (I think that's what's happening).


Reed Villanueva

Mar 23, 2021, 12:33:14 AM
to CKAN Development Discussions, Reed Villanueva
Nvm, the model private default value does not seem to be the problem, but the logic in that conditional code snippet example itself.
Logging per https://github.com/NaturalHistoryMuseum/ckanext-ldap/issues/71#issuecomment-801767801, I can see that the is_private variable in the code snippet is being assigned as None when the CKAN organization page is loaded in the web UI (which in this case, I'd expect).
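
Added example (not part of the original posts and not CKAN code): the conditional from the earlier message beside a variant that treats a missing `private` key as a permission probe rather than a publish request. `is_sysadmin`, the function names and the sample calls are assumptions constructed for illustration, and it assumes an omitted `private` value is defaulted to private elsewhere, as proposed earlier in the thread.

```python
# Added example, not CKAN code. `is_sysadmin` is an injected stand-in for a
# sysadmin lookup so the logic runs without a CKAN install.
TRUTHY = {"true", "yes", "t", "y", "1"}  # assumed spellings of a true flag

def requests_public(data_dict):
    """True only when the caller explicitly asks for private=False."""
    value = (data_dict or {}).get("private")
    if value is None:
        # Bare permission probe (e.g. a template asking "may this user create
        # datasets here?"): nothing is being published yet.
        return False
    if isinstance(value, str):
        # Fail closed: any string not recognisably true counts as "public".
        return value.strip().lower() not in TRUTHY
    return not value

def snippet_auth(user, data_dict, is_sysadmin):
    """The conditional as posted in the thread, kept for comparison."""
    is_private = (data_dict or {}).get("private")
    if not is_private and not is_sysadmin(user):
        return {"success": False, "msg": "sysadmin required to publish"}
    return {"success": True}

def visibility_auth(user, data_dict, is_sysadmin):
    """Deny only an explicit publish request from a non-sysadmin."""
    if requests_public(data_dict) and not is_sysadmin(user):
        return {"success": False, "msg": "sysadmin required to publish"}
    return {"success": True}  # here the normal role checks would continue

# Constructed sample calls: (label, user, data_dict)
CASES = [
    ("org page probe", "editor", {"owner_org": "example-org"}),
    ("editor keeps private", "editor", {"name": "d1", "private": "True"}),
    ("editor publishes (form)", "editor", {"name": "d1", "private": "False"}),
    ("editor publishes (API)", "editor", {"name": "d1", "private": False}),
    ("sysadmin publishes", "admin", {"name": "d1", "private": False}),
]

def run_cases(auth):
    is_sysadmin = lambda user: user == "admin"  # constructed role table
    return {label: auth(user, dd, is_sysadmin)["success"] for label, user, dd in CASES}

if __name__ == "__main__":
    old, new = run_cases(snippet_auth), run_cases(visibility_auth)
    for label in old:
        print(f"{label:26} snippet={old[label]} fixed={new[label]}")
```

The posted conditional denies the probe (which is what hides the Add Dataset button) and, because a non-empty string is truthy in Python, lets the string `"False"` through; the variant reverses both outcomes.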


Reed Villanueva

Mar 23, 2021, 8:23:45 AM
to CKAN Development Discussions, Reed Villanueva
Apparently the docs on the architecture are misleading; there may be a better way to enforce restrictions on the visibility/private field for packages that works in both the UI and API, see https://gitter.im/ckan/chat?at=6059d4163b9278255bca2a23