Skip to content
This repository has been archived by the owner on Jan 10, 2022. It is now read-only.
/ ckanext-restricted Public archive

CKAN extension for restricting access to resources

License

Notifications You must be signed in to change notification settings

EnviDat/ckanext-restricted

Repository files navigation

https://travis-ci.org/espona/ckanext-restricted.svg?branch=master Downloads Latest Version Supported Python versions Development Status License

ckanext-restricted

CKAN extension to restrict the accessibility to the resources of a dataset. This way the package metadata is accesible but not the data itself (resource). The resource access restriction level can be individualy defined for every package.

Users can request access to a dataset by pressing a button and filling up a simple form. The package owner can allow individual users to access the resource. If the users allowed individually will be notified by mail. It also includes notifying by mail on every new user registration that can be disabled (expained later in this document). The mails are generated from templates that can be extended.

All information inside the restricted fields (except 'level') is hidden for users other than the ones who can edit the dataset. We used this to keep a shared-secret key field for accessing remotely hosted resources (https://github.com/EnviDat/ckanext-envidat_theme/blob/4265ecfe90e10eb1f095e8e8d19fe43554ab6799/ckanext/envidat_theme/helpers.py#L28). The allowed usernames are hidden partially to the non-editors, in our case was critical because they were very similar to the user emails (

allowed_users += [user[0:3] + '*****' + user[-2:]]
).

restricted_resources_metadata.PNG restricted_resources_preview.PNG

Package view with restricted resources

Package view with restricted resources

Resource metadata including restriction configuration

Resource metadata including restriction configuration

Request form for restricted resources

Request form for restricted resources

Requirements

This extension has been oruginally developed for CKAN version 2.5.2 and is compatible up to 2.8.x.

Requires the following extensions: * ckanext-scheming * ckanext-repeating * ckanext-composite

YOu can find an alternative without scheming here https://github.com/olivierdalang/ckanext-restricted/commit/89693f5e4a2a4dedf2cada289d1bf46bd7991069

The resource access restriction level can be individualy defined for every package. This requires adding an extra field to package metadata with (some of) the possible values: "public", "registered", "any_organization", "same_organization" (as the package).

The allowed user list is also defined in an additional field that includes autocomplete.

If you use ckanext-scheming and ckanext-composite, this is the field definition in JSON:

{
"scheming_version": 1,
"dataset_type": "dataset",
"about": "",
"about_url": "http://github.com/ckan/ckanext-scheming",
"dataset_fields": [...],
"resource_fields": [
 [...]
  {
  "field_name": "restricted",
  "label": "Access Restriction",
  "preset": "composite",
  "subfields":
   [
     {
       "field_name": "level",
       "label": "Level",
       "preset": "select",
       "form_include_blank_choice": false,
       "required": true,
       "choices": [
         {
           "value": "public",
           "label": "Public"
         },
         {
           "value": "registered",
           "label": "Registered Users"
         },
         {
           "value": "any_organization",
           "label": "Any Organization Members (Trusted Users)"
         },
         {
           "value": "same_organization",
           "label": "Same Organization Members"
          },
          {
           "value": "only_allowed_users",
           "label": "Allowed Users Only"
         }
        ]
      },
       {
       "field_name": "allowed_users",
        "label": "Allowed Users",
        "preset": "tag_string_autocomplete",
        "data-module-source":"/api/2/util/user/autocomplete?q=?"
        }
      ]
    }
  ]
}

The usage of this extension, regarding the level "any_organization", makes more sense if the CKAN administrator sets some users as members of an organization. In our case we created an organization called "trusted_users" where the mail accounts have been double checked. Therefore this extension sends a mail to the defined 'mail_to' in the CKAN config file at every new user registration. To switch off this functionality, just comment out the code at: https://github.com/espona/ckanext-restricted/blob/master/ckanext/restricted/plugin.py#L14

It is also recommended to set up the recaptcha in the config file
# Restricted ckan.recaptcha.version = 2 ckan.recaptcha.privatekey = 6LeQxxxxxxxxxxxxxxxxxxxxxxxxdN82ojuQAgBd ckan.recaptcha.publickey = 6LeQxxxxxxxxxxxxxxxxxxxxxxxxdN82ojuQAgBd

The for mail notifications, the mail_to and smtp options in the ini file have to be configured. Please take a look to the following documentation:

Installation

To install ckanext-restricted:

  1. Activate your CKAN virtual environment, for example:

    . /usr/lib/ckan/default/bin/activate
    
  2. Install the ckanext-restricted Python package into your virtual environment:

    pip install ckanext-restricted
    
  3. Add restricted to the ckan.plugins setting in your CKAN config file (by default the config file is located at /etc/ckan/default/production.ini).

  4. Restart CKAN. For example if you've deployed CKAN with Apache on Ubuntu:

    sudo service apache2 reload
    

Config Settings

Only the scheming configuration is needed (JSON file defining your schema).

Development Installation

To install ckanext-restricted for development, activate your CKAN virtualenv and do:

git clone https://github.com/espona/ckanext-restricted.git
cd ckanext-restricted
python setup.py develop
pip install -r dev-requirements.txt

Running the Tests

To run the tests, do:

nosetests --nologcapture --with-pylons=test.ini

To run the tests and produce a coverage report, first make sure you have coverage installed in your virtualenv (pip install coverage) then run:

nosetests --nologcapture --with-pylons=test.ini --with-coverage --cover-package=ckanext.restricted --cover-inclusive --cover-erase --cover-tests

Registering ckanext-restricted on PyPI

ckanext-restricted should be availabe on PyPI as https://pypi.python.org/pypi/ckanext-restricted. If that link doesn't work, then you can register the project on PyPI for the first time by following these steps:

  1. Create a source distribution of the project:

    python setup.py sdist
    
  2. Register the project:

    python setup.py register
    
  3. Upload the source distribution to PyPI:

    python setup.py sdist upload
    
  4. Tag the first release of the project on GitHub with the version number from the setup.py file. For example if the version number in setup.py is 0.0.1 then do:

    git tag 0.0.1
    git push --tags
    

Releasing a New Version of ckanext-restricted

ckanext-restricted is availabe on PyPI as https://pypi.python.org/pypi/ckanext-restricted. To publish a new version to PyPI follow these steps:

  1. Update the version number in the setup.py file. See PEP 440 for how to choose version numbers.

  2. Create a source distribution of the new version:

    python setup.py sdist
    
  3. Upload the source distribution to PyPI:

    python setup.py sdist upload
    
  4. Tag the new release of the project on GitHub with the version number from the setup.py file. For example if the version number in setup.py is 0.0.2 then do:

    git tag 0.0.2
    git push --tags