[Fixes #12513] Make is_approved, is_published API fields writable

GeoNode · Aug 26, 2024 · 36b6796 · 36b6796
1 parent f8dabd5
commit 36b6796
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 6 deletions.
diff --git a/geonode/base/api/permissions.py b/geonode/base/api/permissions.py
@@ -28,6 +28,7 @@
     BASIC_MANAGE_PERMISSIONS,
     DOWNLOAD_PERMISSIONS,
     EDIT_PERMISSIONS,
+    USER_CAN_PERMISSIONS,
     VIEW_PERMISSIONS,
 )
 from distutils.util import strtobool
@@ -219,9 +220,9 @@ def filter_queryset(self, request, queryset, view):
 class UserHasPerms(DjangoModelPermissions):
     perms_map = {
         "GET": [f"base.{x}" for x in VIEW_PERMISSIONS + DOWNLOAD_PERMISSIONS],
-        "POST": ["base.add_resourcebase"] + [f"base.{x}" for x in EDIT_PERMISSIONS],
-        "PUT": [f"base.{x}" for x in EDIT_PERMISSIONS],
-        "PATCH": [f"base.{x}" for x in EDIT_PERMISSIONS],
+        "POST": ["base.add_resourcebase"] + [f"base.{x}" for x in EDIT_PERMISSIONS + USER_CAN_PERMISSIONS],
+        "PUT": [f"base.{x}" for x in EDIT_PERMISSIONS + USER_CAN_PERMISSIONS],
+        "PATCH": [f"base.{x}" for x in EDIT_PERMISSIONS + USER_CAN_PERMISSIONS],
         "DELETE": [f"base.{x}" for x in BASIC_MANAGE_PERMISSIONS],
     }
 

diff --git a/geonode/base/api/serializers.py b/geonode/base/api/serializers.py
@@ -552,6 +552,20 @@ def to_representation(self, instance):
         return ret
 
 
+class MetadataBooleanField(serializers.BooleanField):
+    MAPPING = {"is_approved": "can_approve", "is_published": "can_publish", "featured": "can_feature"}
+
+    def to_internal_value(self, data):
+        new_val = super().to_internal_value(data)
+        user = self.context["request"].user
+        user_action = self.MAPPING.get(self.field_name)
+        if getattr(user, user_action)(self.root.instance):
+            return new_val
+        else:
+            logger.warning(f"The user does not have the perms to update the value of {self.field_name}")
+            return getattr(self.root.instance, self.field_name)
+
+
 class ResourceBaseSerializer(DynamicModelSerializer):
     pk = serializers.CharField(read_only=True)
     uuid = serializers.CharField(read_only=True)
@@ -592,10 +606,10 @@ class ResourceBaseSerializer(DynamicModelSerializer):
     popular_count = serializers.CharField(required=False)
     share_count = serializers.CharField(required=False)
     rating = serializers.CharField(required=False)
-    featured = serializers.BooleanField(required=False)
+    featured = MetadataBooleanField(required=False, read_only=False)
     advertised = serializers.BooleanField(required=False)
-    is_published = serializers.BooleanField(required=False, read_only=True)
-    is_approved = serializers.BooleanField(required=False, read_only=True)
+    is_published = MetadataBooleanField(required=False, read_only=False)
+    is_approved = MetadataBooleanField(required=False, read_only=False)
     detail_url = DetailUrlField(read_only=True)
     created = serializers.DateTimeField(read_only=True)
     last_updated = serializers.DateTimeField(read_only=True)

diff --git a/geonode/security/permissions.py b/geonode/security/permissions.py
@@ -90,6 +90,12 @@
     "change_resourcebase_metadata",
 ]
 
+USER_CAN_PERMISSIONS = [
+    "publish_resourcebase",
+    "approve_resourcebase",
+    "feature_resourcebase",
+]
+
 BASIC_MANAGE_PERMISSIONS = [
     "delete_resourcebase",
     "change_resourcebase_permissions",