PeddiePooh

Reputation: 403

CKAN user_role_update API call

I hope someone can explain to me how the CKAN API call user_role_update works. I ran this API call successfully with no error and can see that the users' permissions are granted as planned. However, this doesn't change anything in the application.

For example, I have a user who is a member of an organisation; she can't add a new dataset, nor can she amend any dataset within the organisation. So I used the user_role_update API and granted her the Editor permission, but nothing changes on the front end.

However, when I granted her the Editor permission (on the web interface, not via the API), she could now see the Manage button to add/edit datasets. HOWEVER, I only want her to be able to edit/manage just one dataset, like how I did via the API.

What am I missing here? Do I require extra extensions for this to work, or do I need to amend a configuration option, etc.?

Upvotes: 0

Views: 248

Answers (1)

D Read

Reputation: 3224

"User roles" have not been involved in authentication in CKAN since v2.0. They were erased from the web interface and have only been left in the model and API in versions up to v2.4 merely to help sites transition. So that's why user_role_update does nothing.

The auth system for CKAN 2.x is organization based: a User can create/edit datasets in an organization iff they are an Editor/Admin of that organization. You can't configure a User's edit access to a particular dataset; you do it for an entire organization.

That is because users in the same organization tend to trust each other, and it's simplest to administer. There is also a full audit trail, if someone does vandalize or delete stuff.

However, the auth system is very customizable. You could override the package_create/package_update auth functions to allow the user to edit just this dataset.

This is all documented here: http://docs.ckan.org/en/latest/maintaining/authorization.html

Upvotes: 1
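One way to write the package_update override the answer describes, as an added example (not code from the answer or from CKAN itself). It assumes a CKAN release whose plugin toolkit provides `chained_auth_function`; the plugin class name, the `DATASET_EDITORS` allowlist and its user and dataset values are hypothetical, constructed for illustration.

```python
# Added example: per-dataset edit grant layered on CKAN's organization auth.
try:  # CKAN is only importable inside a CKAN environment
    import ckan.plugins as plugins
    import ckan.plugins.toolkit as toolkit
except ImportError:
    plugins = toolkit = None

# Constructed sample data (assumption): user name -> datasets they may edit.
# List both the dataset name and its id, since API callers may pass either.
DATASET_EDITORS = {
    "alice": {"air-quality-2015", "0f3c9a1e-0000-4000-8000-000000000001"},
}


def _target_ids(context, data_dict):
    """Identifiers of the dataset being updated."""
    pkg = context.get("package")  # the loaded object, when CKAN has set it
    if pkg is not None:
        return {pkg.id, pkg.name}
    target = data_dict.get("id")
    return {target} if target else set()


def package_update(next_auth, context, data_dict):
    """Grant only on an exact allowlist match; otherwise defer to the
    next auth function in the chain (the organization-role check)."""
    user = context.get("user")
    allowed = DATASET_EDITORS.get(user, set()) if user else set()
    if allowed & _target_ids(context, data_dict or {}):
        return {"success": True}
    return next_auth(context, data_dict)


if plugins is not None:
    class PerDatasetEditorPlugin(plugins.SingletonPlugin):
        plugins.implements(plugins.IAuthFunctions)

        def get_auth_functions(self):
            # chained_auth_function passes the core check in as next_auth
            return {
                "package_update": toolkit.chained_auth_function(package_update)
            }
```

Because every non-matching request falls through to `next_auth`, organization Editors and Admins keep their existing access and everyone else stays denied by the core check.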
