ARTMXCICH-149/Fix ResourceDocsEditView to restrict access to only resources belonging to the dataset

Tome Petrovski · Tome Petrovski · commit d142adf039e5 · 2025-09-19T12:25:24.000+02:00
diff --git a/ckanext/resource_docs/views.py b/ckanext/resource_docs/views.py
@@ -20,11 +20,19 @@ def get(self, package_id: str, resource_id: str) -> str:
             )
 
             pkg_dict = tk.get_action("package_show")({}, {"id": package_id})
-            resource = tk.get_action("resource_show")({}, {"id": resource_id})
 
         except (tk.ObjectNotFound, tk.NotAuthorized):
             return tk.abort(404, tk._("Resource not found"))
 
+        resource = None
+        for res in pkg_dict.get(u'resources', []):
+            if res["id"] == resource_id:
+                resource = res
+                break
+
+        if not resource:
+            return tk.abort(404, tk._("Resource not found"))
+
         try:
             docs = tk.get_action("resource_docs_show")({}, {"resource_id": resource_id})
         except tk.ObjectNotFound:
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "ckanext-resource-docs"
-version = "0.3.0"
+version = "0.3.1"
 description = "A CKAN extension that lets you attach a flexible, schema-free data dictionary (“resource documentation”) to any resource, not just Datastore-backed ones."
 readme = "README.md"
 authors = [{ name = "Oleksandr Cherniavskiy", email = "mutantsan@gmail.com" }]
