Merge pull request #7210 from ckan/change-user-creation-defaults-2.9

kowh-ai · web-flow · commit 33bc69eac822 · 2022-11-18T16:13:32.000+01:00
Change user creation defaults [2.9]
diff --git a/ckan/authz.py b/ckan/authz.py
@@ -478,7 +478,7 @@ def user_is_collaborator_on_dataset(user_id, dataset_id, capacity=None):
     'user_delete_groups': True,
     'user_delete_organizations': True,
     'create_user_via_api': False,
-    'create_user_via_web': True,
+    'create_user_via_web': False,
     'roles_that_cascade_to_sub_groups': 'admin',
     'public_activity_stream_detail': False,
     'allow_dataset_collaborators': False,
diff --git a/ckan/config/deployment.ini_tmpl b/ckan/config/deployment.ini_tmpl
@@ -76,7 +76,7 @@ ckan.auth.user_create_organizations = false
 ckan.auth.user_delete_groups = true
 ckan.auth.user_delete_organizations = true
 ckan.auth.create_user_via_api = false
-ckan.auth.create_user_via_web = true
+ckan.auth.create_user_via_web = false
 ckan.auth.roles_that_cascade_to_sub_groups = admin
 ckan.auth.public_user_details = true
 ckan.auth.public_activity_stream_detail = true
diff --git a/ckan/lib/uploader.py b/ckan/lib/uploader.py
@@ -204,10 +204,18 @@ def verify_type(self):
             return
 
         mimetypes = aslist(
-            config.get("ckan.upload.{}.mimetypes".format(self.object_type)))
+            config.get(
+                "ckan.upload.{}.mimetypes".format(self.object_type),
+                ["image/png", "image/gif", "image/jpeg"]
+            )
+        )
 
         types = aslist(
-            config.get("ckan.upload.{}.types".format(self.object_type)))
+            config.get(
+                "ckan.upload.{}.types".format(self.object_type),
+                ["image"]
+            )
+        )
 
         if not mimetypes and not types:
             return
diff --git a/ckan/logic/action/create.py b/ckan/logic/action/create.py
@@ -1156,7 +1156,8 @@ def user_invite(context, data_dict):
     data['name'] = name
     data['password'] = password
     data['state'] = ckan.model.State.PENDING
-    user_dict = _get_action('user_create')(context, data)
+    create_context = dict(context, ignore_auth=True)
+    user_dict = _get_action('user_create')(create_context, data)
     user = ckan.model.User.get(user_dict['id'])
     member_dict = {
         'username': user.id,
diff --git a/ckan/tests/controllers/test_user.py b/ckan/tests/controllers/test_user.py
@@ -26,6 +26,8 @@ def _get_user_edit_page(app):
 
 @pytest.mark.usefixtures("clean_db", "with_request_context")
 class TestUser(object):
+
+    @pytest.mark.ckan_config("ckan.auth.create_user_via_web", True)
     def test_register_a_user(self, app):
         url = url_for("user.register")
         response = app.post(url=url, data={
@@ -44,6 +46,7 @@ def test_register_a_user(self, app):
         assert user["fullname"] == "New User"
         assert not (user["sysadmin"])
 
+    @pytest.mark.ckan_config("ckan.auth.create_user_via_web", True)
     def test_register_user_bad_password(self, app):
         response = app.post(url_for("user.register"), data={
             "save": "",
diff --git a/ckan/tests/legacy/functional/api/test_user.py b/ckan/tests/legacy/functional/api/test_user.py
@@ -175,6 +175,7 @@ class TestUserActions(object):
     def initial_data(self, clean_db):
         CreateTestData.create()
 
+    @pytest.mark.ckan_config("ckan.auth.create_user_via_web", True)
     def test_user_create_simple(self):
         """Simple creation of a new user by a non-sysadmin user."""
         context = {"model": model, "session": model.Session, "user": "tester"}
diff --git a/ckan/tests/lib/test_uploader.py b/ckan/tests/lib/test_uploader.py
@@ -71,9 +71,18 @@ def test_group_upload(self, monkeypatch, tmpdir, make_app, ckan_config):
         """
         monkeypatch.setitem(ckan_config, u'ckan.storage_path', str(tmpdir))
         monkeypatch.setattr(ckan.lib.uploader, u'_storage_path', str(tmpdir))
+        some_png = """
+        89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52
+        00 00 00 01 00 00 00 01 08 02 00 00 00 90 77 53
+        DE 00 00 00 0C 49 44 41 54 08 D7 63 F8 CF C0 00
+        00 03 01 01 00 18 DD 8D B0 00 00 00 00 49 45 4E
+        44 AE 42 60 82"""
+        some_png = some_png.replace(u' ', u'').replace(u'\n', u'')
+        some_png_bytes = bytes(bytearray.fromhex(some_png))
+
         group = {u'clear_upload': u'',
                  u'upload': FileStorage(
-                     six.BytesIO(six.ensure_binary(u'hello')),
+                     six.BytesIO(some_png_bytes),
                      filename=u'logo.png',
                      content_type=u'PNG'
                  ),
@@ -87,4 +96,8 @@ def test_group_upload(self, monkeypatch, tmpdir, make_app, ckan_config):
         app = make_app()
         resp = app.get(u'/uploads/group/' + group[u'url'])
         assert resp.status_code == 200
-        assert resp.body == u'hello'
+        # PNG signature
+        if six.PY3:
+            assert resp.data.hex()[:16].upper() == u'89504E470D0A1A0A'
+        else:
+            assert resp.data.encode(u"hex")[:16].upper() == u'89504E470D0A1A0A'
diff --git a/ckan/tests/logic/action/test_create.py b/ckan/tests/logic/action/test_create.py
@@ -1068,6 +1068,7 @@ def test_create_organization_custom_type(self):
 
 
 @pytest.mark.usefixtures("clean_db", "with_request_context")
+@pytest.mark.ckan_config("ckan.auth.create_user_via_web", True)
 class TestUserCreate(object):
     def test_user_create_with_password_hash(self):
         sysadmin = factories.Sysadmin()
@@ -1381,6 +1382,7 @@ def test_create_user_not_found(self):
 
 
 @pytest.mark.usefixtures("clean_db")
+@pytest.mark.ckan_config("ckan.auth.create_user_via_web", True)
 class TestUserPluginExtras(object):
 
     def test_stored_on_create_if_sysadmin(self):
@@ -1479,7 +1481,7 @@ def test_external_picture(self):
             user_dict["image_display_url"] == "https://example.com/mypic.png"
         )
 
-    def test_upload_non_picture_works_without_extra_config(
+    def test_upload_non_picture_not_works_without_extra_config(
             self, create_with_upload):
         params = {
             "name": "test_user_1",
@@ -1488,7 +1490,35 @@ def test_upload_non_picture_works_without_extra_config(
             "action": "user_create",
             "upload_field_name": "image_upload",
         }
-        assert create_with_upload("hello world", "file.txt", **params)
+        with pytest.raises(
+                logic.ValidationError, match="Unsupported upload type"):
+            assert create_with_upload("hello world", "file.txt", **params)
+
+    def test_upload_svg_fails_without_extra_config(
+            self, create_with_upload):
+        params = {
+            "name": "test_user_1",
+            "email": "test1@example.com",
+            "password": "12345678",
+            "action": "user_create",
+            "upload_field_name": "image_upload",
+        }
+        with pytest.raises(
+                logic.ValidationError, match="Unsupported upload type"):
+            create_with_upload('<svg xmlns="http://www.w3.org/2000/svg"></svg>', "file.svg", **params)
+
+    def test_upload_svg_wrong_extension_fails_without_extra_config(
+            self, create_with_upload):
+        params = {
+            "name": "test_user_1",
+            "email": "test1@example.com",
+            "password": "12345678",
+            "action": "user_create",
+            "upload_field_name": "image_upload",
+        }
+        with pytest.raises(
+                logic.ValidationError, match="Unsupported upload type"):
+            create_with_upload('<svg xmlns="http://www.w3.org/2000/svg"></svg>', "file.png", **params)
 
     @pytest.mark.ckan_config("ckan.upload.user.types", "image")
     def test_upload_non_picture(self, create_with_upload):
@@ -1517,7 +1547,6 @@ def test_upload_non_picture_with_png_extension(
                 logic.ValidationError, match="Unsupported upload type"):
             create_with_upload("hello world", "file.png", **params)
 
-    @pytest.mark.ckan_config("ckan.upload.user.types", "image")
     def test_upload_picture(self, create_with_upload):
         params = {
             "name": "test_user_1",
diff --git a/ckan/tests/logic/auth/test_create.py b/ckan/tests/logic/auth/test_create.py
@@ -509,3 +509,32 @@ def test_create_unowned_datasets(self):
         context = self._get_context(user)
         assert helpers.call_auth(
             'package_collaborator_create', context=context, id=dataset['id'])
+
+
+@pytest.mark.usefixtures("clean_db")
+class TestUserCreate:
+    def test_sysadmin_can_create_via_api(self):
+        sysadmin = factories.Sysadmin()
+        context = {"user": sysadmin["name"], "model": core_model, "api_version": 3}
+        assert helpers.call_auth("user_create", context)
+
+    def test_anon_can_not_create_via_web(self):
+        context = {"user": None, "model": core_model}
+        with pytest.raises(logic.NotAuthorized):
+            helpers.call_auth("user_create", context)
+
+    def test_anon_cannot_create_via_api(self):
+        context = {"user": None, "model": core_model, "api_version": 3}
+        with pytest.raises(logic.NotAuthorized):
+            helpers.call_auth("user_create", context)
+
+    @pytest.mark.ckan_config("ckan.auth.create_user_via_web", False)
+    def test_anon_cannot_create_via_forbidden_web(self):
+        context = {"user": None, "model": core_model}
+        with pytest.raises(logic.NotAuthorized):
+            helpers.call_auth("user_create", context)
+
+    @pytest.mark.ckan_config("ckan.auth.create_user_via_api", True)
+    def test_anon_not_create_via_allowed_api(self):
+        context = {"user": None, "model": core_model, "api_version": 3}
+        assert helpers.call_auth("user_create", context)
diff --git a/ckan/tests/pytest_ckan/test_fixtures.py b/ckan/tests/pytest_ckan/test_fixtures.py
@@ -3,6 +3,7 @@
 import os
 
 import pytest
+import six
 from six.moves.urllib.parse import urlparse
 
 import ckan.plugins as plugins
@@ -80,8 +81,17 @@ def test_create_organization(self, create_with_upload, ckan_config):
         context = {
             u"user": user["name"]
         }
+        some_png = """
+        89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52
+        00 00 00 01 00 00 00 01 08 02 00 00 00 90 77 53
+        DE 00 00 00 0C 49 44 41 54 08 D7 63 F8 CF C0 00
+        00 03 01 01 00 18 DD 8D B0 00 00 00 00 49 45 4E
+        44 AE 42 60 82"""
+        some_png = some_png.replace(u' ', u'').replace(u'\n', u'')
+        some_png_bytes = bytes(bytearray.fromhex(some_png))
+
         org = create_with_upload(
-            b"\0\0\0", u"image.png",
+            some_png_bytes, u"image.png",
             context=context,
             action=u"organization_create",
             upload_field_name=u"image_upload",
@@ -96,7 +106,11 @@ def test_create_organization(self, create_with_upload, ckan_config):
         assert os.path.isfile(image_path)
         with open(image_path, u"rb") as image:
             content = image.read()
-            assert content == b"\0\0\0"
+            # PNG signature
+            if six.PY3:
+                assert content.hex()[:16].upper() == u'89504E470D0A1A0A'
+            else:
+                assert content.encode(u"hex")[:16].upper() == u'89504E470D0A1A0A'
 
     def test_create_resource(self, create_with_upload):
         dataset = factories.Dataset()
diff --git a/ckanext/datastore/tests/test_chained_auth_functions.py b/ckanext/datastore/tests/test_chained_auth_functions.py
@@ -92,6 +92,8 @@ def get_auth_functions(self):
 )
 @pytest.mark.usefixtures(u"with_plugins", u"clean_db", u"with_request_context")
 class TestChainedAuthBuiltInFallback(object):
+
+    @pytest.mark.ckan_config(u"ckan.auth.create_user_via_web", True)
     def test_user_create_chained_auth(self):
         ctd.CreateTestData.create()
         # check if chained auth fallbacks to built-in user_create
diff --git a/ckanext/example_itranslation/tests/test_plugin.py b/ckanext/example_itranslation/tests/test_plugin.py
@@ -41,6 +41,7 @@ def test_translated_string_in_core_templates(self, app):
         assert helpers.body_contains(response, "Einloggen")
         assert not helpers.body_contains(response, "Overwritten string in ckan.mo")
 
+    @pytest.mark.ckan_config("ckan.auth.create_user_via_web", True)
     def test_english_translation_replaces_default_english_string(self, app):
         response = app.get(url=plugins.toolkit.url_for(u"home.index"),)
         assert helpers.body_contains(response, "Replaced")
diff --git a/test-core.ini b/test-core.ini
@@ -43,7 +43,7 @@ ckan.redis.url = redis://localhost:6379/1
 ckan.auth.user_create_organizations = true
 ckan.auth.user_create_groups = true
 ckan.auth.create_user_via_api = false
-ckan.auth.create_user_via_web = true
+ckan.auth.create_user_via_web = false
 ckan.auth.create_dataset_if_not_in_organization = true
 ckan.auth.anon_create_dataset = false
 ckan.auth.user_delete_groups=true
