IATI / ckanext-iati

CKAN extension for the IATI Registry
http://iatiregistry.org
9 stars 6 forks source link

Diagnose authorisation error when calling the IATI Registry 'dataset_purge' API #463

Open emmajclegg opened 1 month ago

emmajclegg commented 1 month ago

Which IATI Registry user roles have the necessary permission to use the action 'dataset_purge' ? We have received feedback that the following steps work for a sysadmin user, but not for a non sysadmin user (on the IATI Registry staging site).

Steps to reproduce:

These steps are in the context of an IATI publishing tool trying to unpublish activity data from the IATI Registry when a user requests it within the tool.

This relates to the support ticket: https://iati.zendesk.com/agent/tickets/44459 (cc' @siwhitehouse @robredpath)

cormachallinanderilinx commented 1 month ago

By default, only sysadmins can execute this action.

Non-sysadmin users do not have permission to perform the dataset_purge action. Even if a user is an admin of a dataset or an organization, they can only delete a dataset, which means it is marked as deleted but not purged from the database. The dataset would remain in the system and could be restored by an admin or sysadmin.

Therefore, the above is the expected behaviour for a non sysadmin user in a default CKAN set up. However, if required the dataset_purge function can be overridden but it is no reccomended to do so unless absolutely necessary as dataset_purge action is considered a high-level action due to being irreversible.

Also see ckan code for dataset_purge: https://github.com/ckan/ckan/blob/ckan-2.9.11/ckan/logic/auth/delete.py#L22

emmajclegg commented 1 month ago

Thank you @cormachallinanderilinx - I will pass this information on and keep this issue open for the time being (in case I receive follow up questions)