Grace period for resources
Opened this issue · 3 comments
Plugin for CKAN in the CREA extension.
Resource data should be available after the dataset is created and made public.
- Add a new date field "available since" in resources (model, edit, view)
- Modify resource data access so that only admin and owners user can view/download the data before the "available since" date
Quick recap for @korotkin
When you create a resource and upload the data, the data can be downloaded as it was uploaded (zip file, xsl, csv, whatever). And that is one of the endpoints that should be controlled by the grace period check.
datastore / datapusher are optional plugins (that we are going to install anyway)
https://docs.ckan.org/en/2.9/maintaining/datastore.html#datastore-extension
the datapusher is split in 2: a plugin inside ckan, and a standalone webapp
- the plugin is meant to send to the standalone webapp a link to the data. the link is sent whenever new data is uploaded, or when a button "send to datapusher" is pressed in the resource maange page
- the standalone webapp will read the file containing tabular data, and store the data in a new table in the datastore db.
the datastore is a plugin on ckan side that reads from the datastore table and allows access to data in a fine grained way: you can retrieve single rows or pages of data, not only the whole data a single file
So, the datapusher should be able to read the data, bc it's a backend work
Grace persiod checks should be performed on the datastore entrypoints anyway, bc datastore returns the data, even if sliced
Datastore doc reports:
The DataStore is integrated into the CKAN API and authorization system
Doc about authorization interface
https://docs.ckan.org/en/2.9/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions
Default resource_show
auth only checks for auth at package level (package = dataset more or less).
It's to be checked if that function blocks access to the resource data or also the resource metadata (title, name, description, etc)
https://github.com/ckan/ckan/blob/2.9/ckanext/datastore/logic/auth.py#L49
Datastore auth is based on resource_show
indeed.
I guess the way to go is
- Implement IAuthFunctions
- declare a "
resource_show
" auth function - implement the function so it checks :
- if the grace persiod is set and the user is not owner or an admin --> do not allow access
if you extend the model via extra you have to customize the editing form
you have to create a file in template/package/snippets/resource_form.html
this will override the file in the same path with the same name
start the file with {% ckan_extends %}
so that all from the override file is imported
create a block called
{% block metadata_fields %}
in order to override it
inside the block call {% super %}
to include all from the overriden block
https://docs.ckan.org/en/2.9/extensions/adding-custom-fields.html#adding-custom-fields-to-resources
When navigating datasets, the resource list may appear like this
without the "request access" button, and with "available starting from " instead of "not authorized".
(Image taken from https://github.com/EnviDat/ckanext-restricted)