Merge pull request ckan#6346 from ckan/6290-f-osorio-prevent-unauth-u…

…ser-accessing-bulk-process

[ckan#6290] prevent unauth user accessing bulk process [test fix]

ckan/tests/controllers/test_group.py

@@ -13,11 +13,13 @@
 
 @pytest.mark.usefixtures("clean_db", "with_request_context")
 class TestGroupController(object):
-    def test_bulk_process_throws_404_for_nonexistent_org(self, app):
+    def test_bulk_process_throws_403_for_nonexistent_org(self, app):
+        """Returns 403, not 404, because access check cannot be passed.
+        """
         bulk_process_url = url_for(
             "organization.bulk_process", id="does-not-exist"
         )
-        app.get(url=bulk_process_url, status=404)
+        app.get(url=bulk_process_url, status=403)
 
     def test_page_thru_list_of_orgs_preserves_sort_order(self, app):
         orgs = [factories.Organization() for _ in range(35)]

ckan/views/group.py

@@ -845,6 +845,12 @@ def _prepare(self, group_type, id=None):
             u'for_view': True,
             u'extras_as_string': True
         }
+
+        try:
+            check_access(u'bulk_update_public', context, {u'org_id': id})
+        except NotAuthorized:
+            base.abort(403, _(u'Unauthorized to access'))
+
         return context
 
     def get(self, id, group_type, is_organization):
@@ -887,10 +893,9 @@ def get(self, id, group_type, is_organization):
 
     def post(self, id, group_type, is_organization, data=None):
         set_org(is_organization)
-        context = self._prepare(group_type)
+        context = self._prepare(group_type, id)
         data_dict = {u'id': id, u'type': group_type}
         try:
-            check_access(u'bulk_update_public', context, {u'org_id': id})
             # Do not query for the group datasets when dictizing, as they will
             # be ignored and get requested on the controller anyway
             data_dict['include_datasets'] = False