3
votes

I want to add a new role in CKAN. I can do this in the authz.py file: I defined a new role and gave some actions to the role, and it worked. But I did this in the baseline. I want to do this in an extension. So I created a new extension named "customroles", and I copied authz.py from "/usr/lib/ckan/default/src/ckan/ckan" to the custom folder "/usr/lib/ckan/default/src/ckanext-customroles/ckanext/customroles". Then I added a new role (Super), as you can see in the code below.

ROLE_PERMISSIONS = OrderedDict([
    ('admin', ['admin']),
    ('editor', ['read', 'delete_dataset', 'create_dataset', 'update_dataset', 'manage_group']),
    ('member', ['read', 'manage_group']),
    ('super', ['read', 'delete_dataset', 'create_dataset', 'manage_group']),  # new role
])


def _trans_role_admin():
    return _('Admin')


def _trans_role_editor():
    return _('Editor')


def _trans_role_member():
    return _('Member')

def _trans_role_super():
    return _('Super')

But I couldn't see the new role while adding a new member on the organization page. When I modified the base code, I saw the new role. But in the extension it did not work.

Do I need to do anything else to modify the authz.py file in an extension? Do you know how I can solve this problem?

Thanks,

1 Answers

0
votes

As far as I know, this is currently not possible in an extension.

There are some parts of CKAN's authorization architecture that can be modified and extended via plugins, for example via the IAuthFunctions, IAuthenticator, and IPermissionLabels interfaces. The roles in ckan.authz, however, are hard-coded.

You could try to use IAuthFunctions to override CKAN's built-in auth functions to create a similar effect. In particular, you could use that approach to remove some privileges from certain editor members, making them into the "super" users that you're trying to implement. (Note that adding privileges to member users will probably not work, since those users will fail the checks based on their role even if your modified auth functions would grant them access.)

It won't solve your immediate problem, but I do think that it would be nice for CKAN to support what you're trying to do. I've therefore created a ticket in CKAN's feature-discussion-tracker. Feel free to add further information about your use case to it.
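
A sketch of the IAuthFunctions approach described in the answer, as an added example that is not code from the answer or from CKAN itself: the "super" role in the question is the editor role minus `update_dataset`, so the plugin overrides the `package_update` auth function and denies it for selected editors. The `SUPER_USERS` set and the `CustomRolesPlugin` class name are assumptions, and the example assumes a CKAN version that provides `toolkit.chained_auth_function`.

```python
"""Added example: 'super' = editor minus update_dataset, via IAuthFunctions."""
try:  # CKAN is only importable inside a CKAN virtualenv
    import ckan.plugins as plugins
    import ckan.plugins.toolkit as toolkit
except ImportError:  # lets the auth logic be exercised without CKAN installed
    plugins = toolkit = None

# Assumption: user names that should behave as "super" members. Hypothetical;
# a real extension would load this from its own config option or a table.
SUPER_USERS = {"alice"}


def package_update(next_auth, context, data_dict=None):
    """Deny dataset updates to 'super' users, otherwise defer to CKAN."""
    user = context.get("user")
    if user in SUPER_USERS:
        # Explicit denial: this only ever removes a privilege the editor
        # role would have granted, it never grants a new one.
        return {"success": False,
                "msg": "User %s may not update datasets" % user}
    # Everyone else gets CKAN's normal role-based decision unchanged.
    return next_auth(context, data_dict)


if plugins is not None:
    # Mark the function as chained so CKAN passes the built-in check
    # in as next_auth instead of replacing it outright.
    package_update = toolkit.chained_auth_function(package_update)

    class CustomRolesPlugin(plugins.SingletonPlugin):
        plugins.implements(plugins.IAuthFunctions)

        def get_auth_functions(self):
            # The key must match the built-in auth function being overridden.
            return {"package_update": package_update}
```

The affected users are still added to the organization with the built-in editor role; the plugin only narrows what that role allows for them.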