Diagnose authorisation error when calling the IATI Registry 'dataset_purge' API #463

Open
emmajclegg opened this issue Sep 18, 2024 · 2 comments
emmajclegg commented Sep 18, 2024

Which IATI Registry user roles have the necessary permission to use the action 'dataset_purge'? We have received feedback that the following steps work for a sysadmin user, but not for a non-sysadmin user (on the IATI Registry staging site).

Steps to reproduce:

  • Log in to IATI Registry
  • Create an API token
  • Use this API token to hit the 'action/dataset_purge' API
  • Works for sysadmin, but "Exception: 403: Not Authorised" received for a non-sysadmin

These steps are in the context of an IATI publishing tool trying to unpublish activity data from the IATI Registry when a user requests it within the tool.

This relates to the support ticket: https://iati.zendesk.com/agent/tickets/44459
(cc @siwhitehouse @robredpath)

@emmajclegg emmajclegg changed the title Diagnose authorisation error when the system calls the 'dataset_purge' API Diagnose authorisation error when calling the IATI Registry 'dataset_purge' API Sep 18, 2024
@cormachallinanderilinx
Collaborator

By default, only sysadmins can execute this action.

Non-sysadmin users do not have permission to perform the dataset_purge action.
Even if a user is an admin of a dataset or an organization, they can only delete a dataset, which means it is marked as deleted but not purged from the database.
The dataset would remain in the system and could be restored by an admin or sysadmin.

Therefore, the above is the expected behaviour for a non-sysadmin user in a default CKAN setup.
However, if required, the dataset_purge function can be overridden, but it is not recommended to do so unless absolutely necessary, as the dataset_purge action is considered a high-level action due to being irreversible.

Also see ckan code for dataset_purge: https://github.com/ckan/ckan/blob/ckan-2.9.11/ckan/logic/auth/delete.py#L22
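
An added example, not part of the comment above and not code from the IATI Registry or CKAN projects: one way a publishing tool could handle the 403 described here, by trying `dataset_purge` and falling back to `package_delete` (CKAN's soft delete) when the token is not a sysadmin's. The base URL, the helper names `call_action` and `unpublish`, and the return strings are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.request

# Assumption: placeholder base URL; substitute the Registry instance you call.
BASE_URL = "https://registry.example.org"


def call_action(action, dataset_id, token, base_url=BASE_URL):
    """POST to a CKAN action endpoint; return (http_status, parsed_body)."""
    req = urllib.request.Request(
        f"{base_url}/api/3/action/{action}",
        data=json.dumps({"id": dataset_id}).encode(),
        headers={"Authorization": token, "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        # A failed auth check arrives as HTTP 403, normally with a JSON body.
        try:
            body = json.load(err)
        except ValueError:
            body = {}
        return err.code, body


def unpublish(dataset_id, token, call=call_action):
    """Try dataset_purge; on 403 fall back to package_delete (soft delete).

    Returns "purged" or "deleted" so the caller can report which one happened.
    """
    status, body = call("dataset_purge", dataset_id, token)
    if status == 200 and body.get("success"):
        return "purged"
    if status != 403:
        raise RuntimeError(f"dataset_purge failed: HTTP {status}")
    # Non-sysadmin token: the dataset can only be marked deleted, not purged.
    status, body = call("package_delete", dataset_id, token)
    if status == 200 and body.get("success"):
        return "deleted"
    raise RuntimeError(f"package_delete failed: HTTP {status}")
```

A result of "deleted" means the dataset is still in the database and can be restored by an admin or sysadmin, so the tool should not report it to the user as permanently removed.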

@emmajclegg
Collaborator Author

Thank you @cormachallinanderilinx - I will pass this information on and keep this issue open for the time being (in case I receive follow-up questions).
