From 11d9e84e5221b4181d71688dee474417941be608 Mon Sep 17 00:00:00 2001
From: Awang Setyawan
Date: Sun, 26 Apr 2026 23:07:22 +0700
Subject: [PATCH 1/2] [DATAVIC-953] hide add new member button and added auth function
---
 ckanext/datavic_odp_theme/logic/__init__.py | 1 +
 ckanext/datavic_odp_theme/logic/auth/get.py | 14 +++++++++++++-
 .../templates/organization/manage_members.html | 10 ++++++++++
 3 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 ckanext/datavic_odp_theme/templates/organization/manage_members.html
diff --git a/ckanext/datavic_odp_theme/logic/__init__.py b/ckanext/datavic_odp_theme/logic/__init__.py
index 1646628..f95ec46 100644
--- a/ckanext/datavic_odp_theme/logic/__init__.py
+++ b/ckanext/datavic_odp_theme/logic/__init__.py
@@ -9,6 +9,7 @@ def auth_functions():
 package_activity_list=get.vic_package_activity_list,
 organization_activity_list=get.vic_organization_activity_list,
 user_activity_list=get.vic_user_activity_list,
+ organization_member_create=get.organization_member_create,
 )
diff --git a/ckanext/datavic_odp_theme/logic/auth/get.py b/ckanext/datavic_odp_theme/logic/auth/get.py
index 8b5cf31..fc6f5de 100644
--- a/ckanext/datavic_odp_theme/logic/auth/get.py
+++ b/ckanext/datavic_odp_theme/logic/auth/get.py
@@ -103,4 +103,16 @@ def vic_organization_activity_list(
 def vic_datatables_view_prioritize(context, data_dict):
- return {"success": False}
\ No newline at end of file
+ return {"success": False}
+
+@tk.chained_auth_function
+def organization_member_create(next_auth, context, data_dict):
+ user_obj = context.get('auth_user_obj')
+
+ if not user_obj or not user_obj.sysadmin:
+ return {
+ 'success': False,
+ 'msg': 'Only sysadmins can manage organization members'
+ }
+
+ return next_auth(context, data_dict)
diff --git a/ckanext/datavic_odp_theme/templates/organization/manage_members.html b/ckanext/datavic_odp_theme/templates/organization/manage_members.html
new file mode 100644
index 0000000..7d49f9f
--- /dev/null
+++ b/ckanext/datavic_odp_theme/templates/organization/manage_members.html
@@ -0,0 +1,10 @@
+{% ckan_extends %}
+
+{% block page_primary_action %}
+ {% if h.check_access('organization_update', {'id': organization.id}) %}
+ {% if g.userobj.sysadmin %}
+ {% link_for _('Add Member'), named_route=group_type+'.member_new', id=group_dict.id, class_='btn btn-primary', icon='plus-square' %}
+ {% endif %}
+ {% link_for _('CSV'), named_route=group_type+'.member_dump', id=group_dict.id, class_='btn btn-primary', icon='download' %}
+ {% endif %}
+{% endblock %}
From 4994b8dba5a400f8ec0c9e58cea79012f6c5a39d Mon Sep 17 00:00:00 2001
From: Mark Calvert
Date: Tue, 28 Apr 2026 09:22:19 +1000
Subject: [PATCH 2/2] [DATAVIC-953] update organization member creation authorization
Refactored the organization_member_create function to clarify that only sysadmins can manage organization members, returning a consistent failure message when access is denied.
---
 ckanext/datavic_odp_theme/logic/auth/get.py | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/ckanext/datavic_odp_theme/logic/auth/get.py b/ckanext/datavic_odp_theme/logic/auth/get.py
index fc6f5de..ec935b3 100644
--- a/ckanext/datavic_odp_theme/logic/auth/get.py
+++ b/ckanext/datavic_odp_theme/logic/auth/get.py
@@ -105,14 +105,11 @@ def vic_organization_activity_list(
 def vic_datatables_view_prioritize(context, data_dict):
 return {"success": False}
+
 @tk.chained_auth_function
 def organization_member_create(next_auth, context, data_dict):
- user_obj = context.get('auth_user_obj')
-
- if not user_obj or not user_obj.sysadmin:
- return {
- 'success': False,
- 'msg': 'Only sysadmins can manage organization members'
- }
-
- return next_auth(context, data_dict)
+ """Only sysadmins may add organisation members (core allows org admins)."""
+ return {
+ "success": False,
+ "msg": "Only sysadmins can manage organisation members",
+ }
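Review bot: The `{% if g.userobj.sysadmin %}` guard around the Add Member link in `manage_members.html` restates the rule that `organization_member_create` now enforces, so the button and the permission check can drift apart if the rule changes. Asking the auth layer instead keeps them in step: `{% if h.check_access('organization_member_create', {'id': group_dict.id}) %}`. Hiding the link is cosmetic only, since the `member_new` route it points to is unchanged by this patch, so the auth function remains the control that matters. Because the override replaces the whole `page_primary_action` block (presumably copied from the core template), a one-line Jinja comment such as `{# mirrors core organization/manage_members.html; re-check on CKAN upgrade #}` would help whoever maintains it.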
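Review bot: Denying `organization_member_create` on its own may not deliver what the message "Only sysadmins can manage organisation members" promises. CKAN core has separate auth functions for `member_create`, `organization_member_delete` and `user_invite`, and as far as I recall the generic `member_create` action is authorised by the organisation's `update` permission, so membership could still be changed by an org admin through the API; please confirm, and chain those the same way if the rule is meant to hold outside the UI. The unconditional `{"success": False}` is correct only because CKAN skips auth functions for sysadmins, which the docstring should state, e.g. `"""Deny every caller that reaches this check; CKAN bypasses auth functions for sysadmins."""`. `next_auth` is no longer called, so `@tk.chained_auth_function` is not needed, and a function guarding a write action reads oddly in `auth/get.py`.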