Chained auth functions lose anonymous access #5751
Comments
There is a related issue with partial solutions in #4597
+1 to this issue. We're running into this with Data.gov.
I have a fix in here: #5756 but need to add tests so that it will get accepted. I'll try and get on that this week!
amercader added a commit that referenced this issue Feb 4, 2021
Same as #5873 but without the helpers, which are not chained in this version
amercader added a commit that referenced this issue Feb 4, 2021
Same as #5873 but without the helpers, which are not chained in this version
espona added a commit to EnviDat/ckan-forked that referenced this issue Feb 27, 2021
Merge commit '1b6d91790cfa668a6226f366b91dde68ae5d84b9' into 2.9 * commit '1b6d91790cfa668a6226f366b91dde68ae5d84b9': (76 commits) Update version number for 2.9.2 Changelog for 2.9.2 Coding standards Remove 2.9 changelog fragments Frontend build [i18n] Compile mo files [i18n] Update po files from transifex pytest-ckan support on py2/py3 pep8 [ckan#5670] pep8 [ckan#5670] Add test [ckan#5670] Return content-type header on downloads if mimetype is present [ckan#5785] Solve encoding error by simplifying changes templates Add towncrierr fragment Reduce line length Format with black PEP8 Add API Token CLI commands [ckan#5751] Persist attributes in chained functions Allow list for functions in datastore_search_sql ... # Conflicts: # ckan/views/group.py
CKAN version
All
Describe the bug
If an auth function is marked as chained, it is transformed into a functools partial. In doing so, no function attributes are persisted to the new function - leaving auth_allow_anonymous_access flags out. This means that there is no way for developers to specify that an auth function is both chained and allowed to be accessed anonymously.
Steps to reproduce
Create a plugin implementing IAuthFunctions, and use both the @toolkit.auth_allow_anonymous_access and @toolkit.chained_auth_function decorators. The function will be chained, but will return 403 before ever running your function.
Expected behavior
The function doesn't automatically get 403'd.
Additional details
The error is in the _build function for the AuthFunctions class in ckan/ckan/authz.py. Specifically the auth_allow_anonymous_access attributes are managed here, but then the chained auth functions are transformed into partials here. I don't have my dev environment set up for contributing back at the moment (it's in a private fork) but have this fixed in my local 2.8 version and will get this into master this weekend.
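A minimal model of the behaviour reported above, added here as an illustration and not taken from CKAN's source: the two decorators, `core_auth`, `plugin_auth`, `check_access` and both `chain_*` helpers are simplified stand-ins, and the dataset id is constructed. It shows that a `functools.partial` does not inherit the wrapped function's attributes, so the anonymous gate denies the request before the plugin runs, and that copying the attributes onto the partial restores anonymous access.

```python
import functools

# Simplified stand-ins for the two toolkit decorators: each only tags the function.
def auth_allow_anonymous_access(func):
    func.auth_allow_anonymous_access = True
    return func

def chained_auth_function(func):
    func.chained_auth_function = True
    return func

calls = []  # records whether the plugin's auth function actually ran

def core_auth(context, data_dict):
    # Hypothetical core auth function at the end of the chain.
    return {"success": context.get("user") is not None}

@auth_allow_anonymous_access
@chained_auth_function
def plugin_auth(next_auth, context, data_dict):
    calls.append(data_dict["id"])
    if data_dict["id"] == "public-dataset":  # constructed sample id
        return {"success": True}
    return next_auth(context, data_dict)

def chain_naive(func, prev_func):
    # Behaviour described in the issue: the partial carries none of func's attributes.
    return functools.partial(func, prev_func)

def chain_persisting(func, prev_func):
    # Copy the decorator flags from the original function onto the partial.
    chained = functools.partial(func, prev_func)
    for name, value in vars(func).items():
        setattr(chained, name, value)
    return chained

def check_access(auth_func, context, data_dict):
    # Model of the anonymous gate: without the flag, deny before calling auth_func.
    anonymous = context.get("user") is None
    if anonymous and not getattr(auth_func, "auth_allow_anonymous_access", False):
        return {"success": False, "msg": "403: must be logged in"}
    return auth_func(context, data_dict)

if __name__ == "__main__":
    anon = {"user": None}
    for build in (chain_naive, chain_persisting):
        result = check_access(build(plugin_auth, core_auth), anon, {"id": "public-dataset"})
        print(build.__name__, result, "plugin ran:", bool(calls))
```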