Private datasets without organization

We allow anyone to create an account.

We’d like to only allow datasets to be public only if they’re owned by an organization.

We control which users get added to organizations.

We’d like to allow anyone with an account to upload datasets, even before they’re part of an organization. This would encourage uploads, so that users don’t have to wait to be added to an organization by an admin and then have to come back to the site and add their datasets.

To support this, we need datasets created by people who are not authorized to add datasets to an organization, to upload private datasets.

Is there a nice way to do something like this?

I’ve tried extending package_basic_fields.html to set the dataset’s private field to false, and added a package_create and package_update auth plugin method that denies setting datasets public without an owner organization. The datasets_with_no_organization_cannot_be_private validator rejects that. I can probably modify the package schema not to use that validator, but this is turning into quite a lot of plumbing.

So I’m keen to hear if someone’s done something similar and how.

This is for a government data portal. It’s really awesome that they’re welcoming contributions from other organizations, but we don’t want just anyone to upload something malicious - the thinking is that users verified to be part of organizations will be a bit more responsible and won’t upload viruses or porn but will stick to relevant content.

One issue I just thought of with this is that anyone can namesquat dataset names/ids until they get deleted (completely, not just set inactive).

I think that’s ok for us since people need to pass a captcha or have a valid google or facebook account, so it’s not easily open to bots, and we can deal with it more seriously if it becomes a real issue.