milic

Reputation: 89

How to disable CKAN package_relationship_create API function execution without API key?

I'm trying to create a relationship between CKAN datasets (packages) from my Linux command line with the following command:

        curl -v http://192.168.1.200/ckan/api/action/package_relationship_create -d '{"subject":"rkb-explorer-irit","object":"rkb-explorer-wiki","type":"dependency_of","comment":"some comment"}' -H "Authorization:76985a7a-f550-4b8d-8352-d7b828460fdc"

and with the following PHP code:

        // JSON body for package_relationship_create
        $postFields = array("subject" => $subject, "object" => $object, "type" => $type, "comment" => $comment);

        $ch = curl_init($url);

        $options = array(
        CURLOPT_RETURNTRANSFER => true,
        // The API key goes in the Authorization header, as in the curl command above.
        // CURLOPT_HTTPAUTH takes a bitmask of HTTP auth schemes, not a key.
        CURLOPT_HTTPHEADER => array('Content-type: application/json', 'Authorization: ' . $apiKey),
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => json_encode($postFields)
        );

        curl_setopt_array( $ch, $options );

        $result =  curl_exec($ch);

and it works. But I have an authorization problem. Whether I supply an API key or not, the relationship is created anyway!

So, how can I configure my CKAN to disable such a situation? When I try to create a dataset from the command line without an API key it refuses me, and this situation is OK.

As I said, I want to disable any create, update or delete action with a wrong API key and without an API key. How can I do this?

Upvotes: 0

Views: 224

Answers (1)

Sean Hammond

Reputation: 14640

You can write an IAuthFunctions plugin to change the authorization behavior to what you want. See the "Writing CKAN extensions" section in the docs; it contains an example IAuthFunctions plugin.

Upvotes: 0
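A sketch of the IAuthFunctions plugin the answer points to, added here as an example (it is not the answerer's or CKAN's own code). It denies the relationship write actions unless the request carries an authenticated user who may also edit both datasets. The names `require_editor`, `RelationshipAuthPlugin` and `_ckan_can_update` are hypothetical, and it assumes CKAN populates `context['auth_user_obj']` only for a valid login or API key.

```python
try:
    import ckan.plugins as plugins
    import ckan.plugins.toolkit as toolkit
except ImportError:  # lets the auth logic below be tested without CKAN installed
    plugins = toolkit = None

# The question's action plus its update/delete siblings.
RELATIONSHIP_WRITES = (
    "package_relationship_create",
    "package_relationship_update",
    "package_relationship_delete",
)


def require_editor(action, can_update):
    """Build a CKAN-style auth function for `action`.

    can_update(context, package_id) -> bool decides whether the current user
    may edit a dataset; the plugin backs it with CKAN's package_update check.
    """
    def auth(context, data_dict=None):
        data_dict = data_dict or {}
        # Assumption: auth_user_obj is set only for an authenticated request.
        if not context.get("auth_user_obj"):
            return {"success": False, "msg": "%s requires a valid API key" % action}
        for field in ("subject", "object"):
            pkg = data_dict.get(field)
            if not pkg or not can_update(context, pkg):
                return {"success": False,
                        "msg": "not allowed to edit %s dataset %r" % (field, pkg)}
        return {"success": True}
    return auth


def _ckan_can_update(context, package_id):
    # check_access raises NotAuthorized instead of returning False.
    try:
        toolkit.check_access("package_update", context, {"id": package_id})
        return True
    except toolkit.NotAuthorized:
        return False


if plugins is not None:
    class RelationshipAuthPlugin(plugins.SingletonPlugin):
        plugins.implements(plugins.IAuthFunctions)

        def get_auth_functions(self):
            return {a: require_editor(a, _ckan_can_update) for a in RELATIONSHIP_WRITES}
```

The plugin replaces the core auth functions for these three actions, so after enabling it, repeat the unauthenticated curl request from the question and confirm it is rejected.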
