fix: allow to restrict content visibility with config option

CHANGELOG

@@ -1,4 +1,6 @@
 0.19.2
+ - fix: allow to restrict content visibility with config option
+   ckanext.dcor_schemas.allow_content_listing_for_anon
  - enh: declare custom configuration options in IConfigDeclaration
 0.19.2
  - enh: add CLI script for moving a dataset to a different circle

README.rst

@@ -85,6 +85,9 @@ accordingly:
 
 - Configuration keywords:
 
+  - the ``ckanext.dcor_schemas.allow_content_listing_for_anon`` boolean
+    parameter can be set to False to prevent anonymous users to see
+    circles, colletions, and other content.
   - the ``ckanext.dcor_schemas.allow_public_datasets`` boolean parameter
     can be used to disable the creation of public datasets (e.g. for DCOR-med).
   - the ``ckanext.dcor_schemas.json_resource_schema_dir`` parameter

ckanext/dcor_schemas/auth.py

@@ -10,6 +10,14 @@
 from . import resource_schema_supplements as rss
 
 
+def content_listing(context, data_dict):
+    """manage access for listing all circles, groups, tags"""
+    if not config.get('ckanext.dcor_schemas.allow_content_listing_for_anon'):
+        return logic.auth.restrict_anon(context)
+    else:
+        return {'success': True}
+
+
 def dataset_purge(context, data_dict):
     """Only allow deletion of deleted datasets"""
     # original auth function

ckanext/dcor_schemas/plugin.py

@@ -4,11 +4,10 @@
 import pathlib
 import sys
 
-from ckan.common import config
 import ckan.lib.datapreview as datapreview
 from ckan.lib.plugins import DefaultPermissionLabels
 from ckan.lib.jobs import _connect as ckan_redis_connect
-from ckan import common, logic
+from ckan import config, common, logic
 import ckan.plugins as plugins
 import ckan.plugins.toolkit as toolkit
 
@@ -68,7 +67,7 @@ def get_actions(self):
                 actions.get_supported_resource_suffixes,
         }
 
-    # IAuthfunctions
+    # IAuthFunctions
     def get_auth_functions(self):
         # - `*_patch` has same authorization as `*_update`
         # - If you are wondering why group_create and organization_create
@@ -79,14 +78,20 @@ def get_auth_functions(self):
             'bulk_update_delete': dcor_auth.deny,
             'bulk_update_private': dcor_auth.deny,
             'dataset_purge': dcor_auth.dataset_purge,
+            'group_list': dcor_auth.content_listing,
+            'member_roles_list': dcor_auth.content_listing,
+            'organization_list': dcor_auth.content_listing,
             'package_create': dcor_auth.package_create,
             'package_delete': dcor_auth.package_delete,
             'package_update': dcor_auth.package_update,
             'resource_create': dcor_auth.resource_create,
             'resource_delete': dcor_auth.deny,
             'resource_update': dcor_auth.resource_update,
             'resource_upload_s3_urls':  dcor_auth.resource_upload_s3_urls,
+            'tag_list': dcor_auth.content_listing,
+            'tag_show': dcor_auth.content_listing,
             'user_create': dcor_auth.user_create,
+            'vocabulary_show': dcor_auth.content_listing,
         }
 
     # IClick
@@ -133,11 +138,11 @@ def declare_config_options(
             declaration: config.declaration.Declaration,
             key: config.declaration.Key):
 
-        group = key.ckanext.dcor_schemas.feature
+        group = key.ckanext.dcor_schemas
 
         declaration.declare(
             group.allow_public_datasets, True).set_description(
-            "Allow users to create publicly-accessible datasets"
+            "allow users to create publicly-accessible datasets"
         )
 
         declaration.declare(
@@ -146,6 +151,11 @@ def declare_config_options(
             "resource schema"
         )
 
+        declaration.declare(
+            group.allow_content_listing_for_anon, True).set_description(
+            "allow anonymous users to list all circles, groups, tags"
+        )
+
     # IDatasetForm
     def _modify_package_schema(self, schema):
         # remove default fields
@@ -391,7 +401,7 @@ def after_resource_create(self, context, resource):
             data_dict=res_data_dict)
 
         depends_on = []
-        extensions = [config.get("ckan.plugins")]
+        extensions = [common.config.get("ckan.plugins")]
 
         package_job_id = f"{resource['package_id']}_{resource['position']}_"
 

ckanext/dcor_schemas/tests/test_auth_org.py

@@ -13,6 +13,27 @@
 data_path = pathlib.Path(__file__).parent / "data"
 
 
+@pytest.mark.ckan_config('ckan.plugins', 'dcor_schemas')
+@pytest.mark.usefixtures('clean_db', 'with_plugins', 'with_request_context')
+def test_org_list_anon_vs_logged_in():
+    user = factories.User()
+
+    # control: a logged-in user should be able to list the organization
+    helpers.call_auth("organization_list",
+                      {'ignore_auth': False,
+                       'user': user['name'],
+                       'model': model, 'api_version': 3},
+                      )
+
+    # test: anon should be able to list the organization
+    with pytest.raises(logic.NotAuthorized):
+        helpers.call_auth("organization_list",
+                          {'ignore_auth': False,
+                           'user': None,
+                           'model': model, 'api_version': 3},
+                          )
+
+
 @pytest.mark.ckan_config('ckan.plugins', 'dcor_schemas')
 @pytest.mark.usefixtures('clean_db', 'with_plugins', 'with_request_context')
 def test_org_admin_bulk_update_delete_forbidden(create_with_upload):

ckanext/dcor_schemas/tests/test_web.py

@@ -9,12 +9,21 @@
 data_path = pathlib.Path(__file__).parent / "data"
 
 
+def test_status(app):
+    app.get("/api/3/action/status_show",
+            status=200)
+
+
 @pytest.mark.parametrize("url", ["/dataset",
                                  "/group",
                                  "/organization",
                                  ])
 def test_homepage(url, app):
-    app.get(url, status=200)
+    user = factories.UserWithToken()
+    app.get(url,
+            params={u"id": user[u"id"]},
+            headers={u"authorization": user["token"]},
+            status=200)
 
 
 def test_homepage_bad_link(app):