wri
diff --git a/‎ckan-backend-dev/.env.example
Lines changed: 1 addition & 1 deletion b/‎ckan-backend-dev/.env.example
Lines changed: 1 addition & 1 deletion
diff --git a/‎ckan-backend-dev/ckan/Dockerfile.dev
Lines changed: 1 addition & 1 deletion b/‎ckan-backend-dev/ckan/Dockerfile.dev
Lines changed: 1 addition & 1 deletion
diff --git a/‎ckan-backend-dev/ckan/patches/ckan/01_roles.patch
Lines changed: 1 addition & 1 deletion b/‎ckan-backend-dev/ckan/patches/ckan/01_roles.patch
Lines changed: 1 addition & 1 deletion
diff --git a/‎ckan-backend-dev/docker-compose.dev.yml
Lines changed: 2 additions & 0 deletions b/‎ckan-backend-dev/docker-compose.dev.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎ckan-backend-dev/docker-compose.test.yml
Lines changed: 2 additions & 0 deletions b/‎ckan-backend-dev/docker-compose.test.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎ckan-backend-dev/src/ckanext-wri/ckanext/wri/logic/action/get.py
Lines changed: 38 additions & 34 deletions b/‎ckan-backend-dev/src/ckanext-wri/ckanext/wri/logic/action/get.py
Lines changed: 38 additions & 34 deletions
diff --git a/‎ckan-backend-dev/src/ckanext-wri/ckanext/wri/logic/action/update.py
Lines changed: 1 addition & 0 deletions b/‎ckan-backend-dev/src/ckanext-wri/ckanext/wri/logic/action/update.py
Lines changed: 1 addition & 0 deletions
diff --git a/‎ckan-backend-dev/src/ckanext-wri/ckanext/wri/logic/auth/auth.py
Lines changed: 12 additions & 6 deletions b/‎ckan-backend-dev/src/ckanext-wri/ckanext/wri/logic/auth/auth.py
Lines changed: 12 additions & 6 deletions
diff --git a/‎datapusher/main.py
Lines changed: 8 additions & 2 deletions b/‎datapusher/main.py
Lines changed: 8 additions & 2 deletions
diff --git a/‎deployment/ckan/Dockerfile
Lines changed: 3 additions & 1 deletion b/‎deployment/ckan/Dockerfile
Lines changed: 3 additions & 1 deletion
@@ -59,7 +59,7 @@ CKAN_SMTP_PASSWORD=testpassword
 CKAN_SMTP_MAIL_FROM=ckan@localhost
 TZ=UTC
 CKAN_INI=/srv/app/production.ini
-CKAN__AUTH__CREATE_UNOWNED_DATASET=True
+CKAN__AUTH__CREATE_UNOWNED_DATASET=False
 CKAN__AUTH__ALLOW_DATASET_COLLABORATORS=True
 CKAN__AUTH__ALLOW_ADMIN_COLLABORATORS=True
 CKAN__AUTH__ALLOW_COLLABORATORS_TO_CHANGE_OWNER_ORG=True
 
@@ -34,7 +34,7 @@ RUN pip3 install -e 'git+https://github.com/ckan/ckanext-scheming.git@5ce30cf285
     pip3 install httpretty && \
     pip3 install -e 'git+https://github.com/datopian/ckanext-auth.git@okta#egg=ckanext-auth' && \
     pip3 install -r 'https://raw.githubusercontent.com/datopian/ckanext-auth/okta/requirements.txt' && \
-    pip3 install -e 'git+https://github.com/datopian/ckanext-hierarchy.git@wri#egg=ckanext-hierarchy' && \
+    pip3 install -e 'git+https://github.com/datopian/ckanext-hierarchy.git@5d069a5d032ba384f43d266fc397a0aa0a4b444c#egg=ckanext-hierarchy' && \
     pip3 install -e 'git+https://github.com/datopian/[email protected]#egg=ckanext-issues' && \
     # Required by ckanext-issues, but it's no longer included in any of the requirements files or the subdependencies
     pip3 install mock && \
 
@@ -7,7 +7,7 @@ diff --git a/ckan/ckan/authz.py b/ckan/ckan/authz.py
      if _has_user_permission_for_groups(user_id, permission, [group_id]):
          return True
 -    capacities = check_config_permission('roles_that_cascade_to_sub_groups')
-+    capacities = ['admin']
++    capacities = ['admin', 'editor']
      assert isinstance(capacities, list)
      # Handle when permissions cascade. Check the user's roles on groups higher
      # in the group hierarchy for permission.
 
@@ -69,6 +69,7 @@ services:
       - PREFECT_API_URL=http://127.0.0.1:4200/api
       - PREFECT_SERVER_API_HOST=0.0.0.0
       - PREFECT_API_DATABASE_CONNECTION_URL=postgresql+asyncpg://ckandbuser:ckandbpassword@db/prefect
+      - FLOW_DEPLOYMENT_ENV=dev
     ports:
       - "0.0.0.0:4200:4200"
     healthcheck:
@@ -92,6 +93,7 @@ services:
       - S3_SECRET_KEY_ID=${MINIO_ROOT_PASSWORD}
       - S3_BUCKET_NAME=ckan
       - S3_BUCKET_REGION=us-east-1
+      - FLOW_DEPLOYMENT_ENV=dev
     depends_on:
       prefect:
         condition: service_healthy
 
@@ -94,6 +94,7 @@ services:
       - PREFECT_API_URL=http://prefect:4200/api
       - PREFECT_SERVER_API_HOST=0.0.0.0
       - PREFECT_API_DATABASE_CONNECTION_URL=postgresql+asyncpg://ckandbuser:ckandbpassword@db/prefect
+      - FLOW_DEPLOYMENT_ENV=test
     ports:
       - "0.0.0.0:4200:4200"
     healthcheck:
@@ -120,6 +121,7 @@ services:
       - S3_SECRET_KEY_ID=${MINIO_ROOT_PASSWORD}
       - S3_BUCKET_NAME=ckan
       - S3_BUCKET_REGION=us-east-1
+      - FLOW_DEPLOYMENT_ENV=test
     depends_on:
       prefect:
         condition: service_healthy
 
@@ -1007,11 +1007,9 @@ def organization_list_wri(context: Context, data_dict: DataDict):
     user_orgs = None
     if not user:
        private_orgs = get_private_organizations(context)
-       log.warning(f"Private orgs: {private_orgs} \n\n {orgs}")
 
     if user:
         user_orgs = orgs
-        log.warning(f"User orgs: {user_orgs} \n\n {orgs}")
     results = get_hierarchy_group(context, orgs, "organization", q, private_orgs, user_orgs)
     return results
 
@@ -1409,24 +1407,49 @@ def organization_list_for_user(context: Context,
             .filter(model.Member.state == 'active') \
             .join(model.Group)
 
-        group_ids: set[str] = set()
+        
         roles_that_cascade = cast(
             "list[str]",
             authz.check_config_permission('roles_that_cascade_to_sub_groups')
         )
+        group_extra_alias = aliased(model.GroupExtra)
+        public_groups_query = (
+            model.Session.query(model.Group.id)
+            .outerjoin(group_extra_alias, model.Group.id == group_extra_alias.group_id)
+            .filter(
+                _or_(
+                    _and_(
+                        group_extra_alias.key == 'visibility',
+                        group_extra_alias.value == 'public'
+                    ),
+                    group_extra_alias.key == None
+                )
+            )
+        )
+        public_group_ids = {gid for gid, in public_groups_query.all()}
+        group_ids: set[str] = set()
         group_ids_to_capacities: dict[str, str] = {}
         for member, group in q.all():
+            group_ids.add(group.id)
+            group_ids_to_capacities[group.id] = member.capacity
+            children_group_ids = [
+                grp_tuple[0] for grp_tuple
+                in group.get_children_group_hierarchy(type='organization')
+            ]
             if member.capacity in roles_that_cascade:
-                children_group_ids = [
-                    grp_tuple[0] for grp_tuple
-                    in group.get_children_group_hierarchy(type='organization')
-                ]
+                
                 for group_id in children_group_ids:
+                    group_ids.add(group_id)
                     group_ids_to_capacities[group_id] = member.capacity
-                group_ids |= set(children_group_ids)
+            else:
+                for group_id in children_group_ids:
+                    if group_id in public_group_ids:
+                        group_ids.add(group_id)
+                        group_ids_to_capacities[group_id] = member.capacity
 
-            group_ids_to_capacities[group.id] = member.capacity
-            group_ids.add(group.id)
+
+            # group_ids_to_capacities[group.id] = member.capacity
+            # group_ids.add(group.id)
 
         if not group_ids:
             return []
@@ -1449,6 +1472,8 @@ def organization_list_for_user(context: Context,
 
 
 
+
+
 @logic.side_effect_free
 def organization_list(context: Context,
                       data_dict: DataDict) -> ActionResult.OrganizationList:
@@ -1782,21 +1807,10 @@ def organization_patch(context, data_dict):
     if not isSysadmin:
         temp_context = {"model": context["model"], "session": context["session"], "user": context["user"]}
         old_org = get_action("organization_show")(temp_context, data_dict)
-        old_parent = old_org.get("groups", [])
-        if len(old_parent) == 0 or data_dict.get("parent") is None:
-            raise ValidationError({"message": _("You can't edit or create a Parent Team")})
         if old_org.get("visibility", "public") == "private" and visibility == "public":
             raise ValidationError({"message": 
-                                   _("Team has private visibility and cannot be updated; Only sysadmin can update private team")
+                                   _("Team has private visibility and cannot be updated; Only sysadmin can switch private to public")
                                    })
-
-        if visibility == "private":
-            users = old_org.get("users", [])
-            if users:
-                c_user = str(user)
-                user_capacity = [user.get("capacity") for user in users if user.get("name") == c_user]
-                if "admin" not in user_capacity:
-                    raise ValidationError({"message": _("You can't update visibility of a team")})
 
 
     if visibility == "public":
@@ -1824,22 +1838,12 @@ def validate_visibility(context, data_dict):
 
     visibility = data_dict.get('visibility_type', "public")
     owner_org = data_dict.get('owner_org', None)
-    id = data_dict.get('id', None)
-    if visibility in ["public", "internal"] and id:
-        package_show = get_action("package_show")(context, {"id": id})
-        id_org = package_show.get("owner_org", None)
-        if id_org:
-            org = get_action("organization_show")(context, {"id": id_org})
-            org_visibility = org.get("visibility", "public")
-            if org_visibility == "public":
-                raise ValidationError({"message": _("Organization has private visibility and cannot be made public")})
-        
-    elif visibility in ["public", "internal"] and owner_org:
+    if visibility in ["public", "internal"] and  owner_org:
         org = get_action("organization_show")(context, {"id": owner_org})
         org_visibility = org.get("visibility", "public")
         if org_visibility == "private":
             raise ValidationError({"message": _("Organization has private visibility and cannot create public datasets")})
-
+        
 
 
 
 
@@ -468,6 +468,7 @@ def old_package_patch(context: Context, data_dict: DataDict) -> ActionResult.Pac
     You must be authorized to edit the dataset and the groups that it belongs
     to.
     """
+    validate_visibility(context, data_dict)
     _before_dataset_create_or_update(context, data_dict)
     _check_access("package_patch", context, data_dict)
 
 
@@ -105,12 +105,18 @@ def package_update(up_func, context, data_dict):
         if package.owner_org:
             # if there is an owner org then we must have update_dataset
             # permission for that organization
-            if authz.users_role_for_group_or_org(package.owner_org, user) != "admin":
-                return {
-                    "success": False,
-                    "msg": _("User %s not authorized to edit package %s")
-                    % (str(user), package.id),
-                }
+            if authz.users_role_for_group_or_org(package.owner_org, user) not in ["admin", "editor"]:
+                 if not  (authz.has_user_permission_for_group_or_org(
+                    package.owner_org, user, "admin"
+                ) or authz.has_user_permission_for_group_or_org(
+                    package.owner_org, user, "editor"
+                )):
+                    return {
+                        "success": False,
+                        "msg": _("User %s not authorized to edit package %s")
+                        % (str(user), package.id),
+                    }
+
         else:
             if authz.check_config_permission("allow_dataset_collaborators"):
                 # if org-level auth failed, check dataset-level auth
 
@@ -19,7 +19,7 @@
 from tasks.sort_and_dedup import sort_and_dedup
 from tasks.validate_csv import validate_csv
 from tasks.data_to_file import data_to_file
-from tasks.s3_upload import s3_upload, s3_upload_zip
+from tasks.s3_upload import s3_upload
 from tasks.zip_files import download_keys, zip_files
 
 from tasks.send_callback import send_callback
@@ -33,6 +33,8 @@
     "resource_update": "{ckan_url}/api/action/resource_patch",
 }
 
+DEPLOYMENT_ENV = os.environ["FLOW_DEPLOYMENT_ENV"]
+
 
 @flow(log_prints=True)
 def push_to_datastore(resource_id, api_key):
@@ -269,7 +271,7 @@ async def download_resources_zipped(
             logger.info("Zipped data to {}".format(zipped_file))
             tmp_filepath = os.path.join(temp_dir, zipped_file)
             logger.info("Uploading data...")
-            url = s3_upload_zip(
+            url = s3_upload(
                 tmp_filepath, "_downloads_cache/{}".format(f"{filename}.zip"), f"{download_filename}.zip"
             )
         send_callback(
@@ -311,6 +313,7 @@ async def download_resources_zipped(
         parameters={"resource_id": "test_id", "api_key": "api_key"},
         enforce_parameter_schema=False,
         is_schedule_active=False,
+        tags=[DEPLOYMENT_ENV]
     )
     download_zipped_deployment = download_resources_zipped.to_deployment(
         name=config.get("DEPLOYMENT_NAME"),
@@ -324,6 +327,7 @@ async def download_resources_zipped(
         },
         enforce_parameter_schema=False,
         is_schedule_active=False,
+        tags=[DEPLOYMENT_ENV]
     )
     conversion_deployment = convert_store_to_file.to_deployment(
         name=config.get("DEPLOYMENT_NAME"),
@@ -341,6 +345,7 @@ async def download_resources_zipped(
         },
         enforce_parameter_schema=False,
         is_schedule_active=False,
+        tags=[DEPLOYMENT_ENV]
     )
     download_subset_deployment = download_subset_of_data.to_deployment(
         name=config.get("DEPLOYMENT_NAME"),
@@ -359,6 +364,7 @@ async def download_resources_zipped(
         },
         enforce_parameter_schema=False,
         is_schedule_active=False,
+        tags=[DEPLOYMENT_ENV]
     )
     serve(
         datastore_deployment,
 
@@ -14,7 +14,7 @@ RUN pip3 install -e 'git+https://github.com/ckan/ckanext-scheming.git@5ce30cf285
     pip3 install -r 'https://raw.githubusercontent.com/datopian/ckanext-s3filestore/wri/signed-url/dev-requirements.txt' && \
     pip3 install -e 'git+https://github.com/datopian/ckanext-auth.git@a9e42702b797eaf3ffe967040867519219d32224#egg=ckanext-auth' && \
     pip3 install -r 'https://raw.githubusercontent.com/datopian/ckanext-auth/okta/requirements.txt' && \
-    pip3 install -e 'git+https://github.com/datopian/ckanext-hierarchy.git@wri#egg=ckanext-hierarchy' && \
+    pip3 install -e 'git+https://github.com/datopian/ckanext-hierarchy.git@5d069a5d032ba384f43d266fc397a0aa0a4b444c#egg=ckanext-hierarchy' && \
     pip3 install -e 'git+https://github.com/datopian/ckanext-issues.git@ea2b3cbace924a162de009fd8e5626052ebc99e1#egg=ckanext-issues' && \
     # Required by ckanext-issues, but it's no longer included in any of the requirements files or the subdependencies
     pip3 install mock && \
@@ -34,6 +34,7 @@ RUN apk --update add build-base libxslt-dev python3-dev
 RUN apk update
 RUN apk add git=2.40.4-r0
 
+
 RUN pip install --force-reinstall -v "Pillow==11.0.0"
 
 RUN apk add --virtual .build-deps \
@@ -92,6 +93,7 @@ RUN ckan config-tool ${CKAN_INI} "ckan.plugins = ${CKAN__PLUGINS}"
 RUN ckan config-tool ${CKAN_INI} "ckan.auth.create_user_via_web = false"
 RUN ckan config-tool ${CKAN_INI} "ckan.root_path = /private-admin/{{LANG}}"
 RUN ckan config-tool ${CKAN_INI} "ckan.plugins = ${CKAN__PLUGINS}"
+RUN ckan config-tool ${CKAN_INI} "ckan.auth.create_unowned_dataset = false"
 
 RUN if [ "$GITHUB_ACTIONS" = "true" ]; then ckan config-tool ${CKAN_INI} "ckan.cors.origin_allow_all = True"; fi