[QOLDEV-933] add option to hide deleted datasets even when private da…

…tasets are revealed - This enables PURL handling of deleted datasets
qld-gov-au · Sep 24, 2024 · 4e8fcbf · 4e8fcbf
1 parent 1e8cef9
commit 4e8fcbf
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 12 deletions.
diff --git a/ckan/config/config_declaration.yaml b/ckan/config/config_declaration.yaml
@@ -645,6 +645,19 @@ groups:
           If False, all unauthorised requests will receive HTTP 404 Not Found.
           Default is False.
 
+      - key: ckan.auth.reveal_deleted_datasets
+        type: bool
+        default: True
+        description: |
+          Determines whether unauthorised requests for deleted datasets should have
+          the existence of the datasets revealed (True) or hidden (False).
+          This behaves similarly to ckan.auth.reveal_private_datasets; True gives
+          either HTTP 403 Forbidden (if logged in) or a redirect to the login page,
+          while False gives HTTP 404 Not Found. However, it will only take effect
+          if ckan.auth.reveal_private_datasets is already True; otherwise,
+          return HTTP 404 on unauthorised requests regardless of this value.
+          Default is True.
+
       - key: ckan.auth.enable_cookie_auth_in_api
         type: bool
         default: True

diff --git a/ckan/views/dataset.py b/ckan/views/dataset.py
@@ -451,21 +451,28 @@ def read(package_type: str, id: str) -> Union[Response, str]:
     try:
         pkg_dict = get_action(u'package_show')(context, data_dict)
         pkg = context[u'package']
+        return_code = 200
     except NotFound:
-        return base.abort(
-            404,
-            _(u'Dataset not found or you have no permission to view it')
-        )
+        return_code = 404
     except NotAuthorized:
+        return_code = 404
         if config.get(u'ckan.auth.reveal_private_datasets'):
-            if current_user.is_authenticated:
-                return base.abort(
-                    403, _(u'Unauthorized to read package %s') % id)
-            else:
-                return h.redirect_to(
-                    "user.login",
-                    came_from=h.url_for('{}.read'.format(package_type), id=id)
-                )
+            real_pkg_dict = get_action(u'package_show')(
+                {'model': model, 'ignore_auth': True},
+                data_dict)
+            if real_pkg_dict.get('state') != 'deleted' or \
+                    config.get(u'ckan.auth.reveal_deleted_datasets'):
+                if current_user.is_authenticated:
+                    return base.abort(
+                        403, _(u'Unauthorized to read package %s') % id)
+                else:
+                    return h.redirect_to(
+                        "user.login",
+                        came_from=h.url_for(
+                            '{}.read'.format(package_type), id=id)
+                    )
+
+    if return_code == 404:
         return base.abort(
             404,
             _(u'Dataset not found or you have no permission to view it')