From 36b6796f17d165f8c281c484dae8761666a7899d Mon Sep 17 00:00:00 2001 From: Mattia Date: Thu, 22 Aug 2024 14:45:15 +0200 Subject: [PATCH] [Fixes #12513] Make is_approved, is_published API fields writable --- geonode/base/api/permissions.py | 7 ++++--- geonode/base/api/serializers.py | 20 +++++++++++++++++--- geonode/security/permissions.py | 6 ++++++ 3 files changed, 27 insertions(+), 6 deletions(-) diff --git a/geonode/base/api/permissions.py b/geonode/base/api/permissions.py index c5c36534234..ca2abc0ccac 100644 --- a/geonode/base/api/permissions.py +++ b/geonode/base/api/permissions.py @@ -28,6 +28,7 @@ BASIC_MANAGE_PERMISSIONS, DOWNLOAD_PERMISSIONS, EDIT_PERMISSIONS, + USER_CAN_PERMISSIONS, VIEW_PERMISSIONS, ) from distutils.util import strtobool @@ -219,9 +220,9 @@ def filter_queryset(self, request, queryset, view): class UserHasPerms(DjangoModelPermissions): perms_map = { "GET": [f"base.{x}" for x in VIEW_PERMISSIONS + DOWNLOAD_PERMISSIONS], - "POST": ["base.add_resourcebase"] + [f"base.{x}" for x in EDIT_PERMISSIONS], - "PUT": [f"base.{x}" for x in EDIT_PERMISSIONS], - "PATCH": [f"base.{x}" for x in EDIT_PERMISSIONS], + "POST": ["base.add_resourcebase"] + [f"base.{x}" for x in EDIT_PERMISSIONS + USER_CAN_PERMISSIONS], + "PUT": [f"base.{x}" for x in EDIT_PERMISSIONS + USER_CAN_PERMISSIONS], + "PATCH": [f"base.{x}" for x in EDIT_PERMISSIONS + USER_CAN_PERMISSIONS], "DELETE": [f"base.{x}" for x in BASIC_MANAGE_PERMISSIONS], } diff --git a/geonode/base/api/serializers.py b/geonode/base/api/serializers.py index d95ee77bc61..fb5cd3f5b9e 100644 --- a/geonode/base/api/serializers.py +++ b/geonode/base/api/serializers.py 
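Review bot: Appending `USER_CAN_PERMISSIONS` to the `POST`, `PUT` and `PATCH` entries of `UserHasPerms.perms_map` puts the publish/approve/feature permissions into the same method-level gate as ordinary edits, and the effect depends on how that list is evaluated, which is outside this hunk. If every listed permission is required, editors without publish or approve rights would presumably lose write access. If any one suffices, a user holding only `feature_resourcebase` would pass the gate for a whole `PATCH` body. I would confirm which rule applies, add tests for a user with only edit rights and for one with only a workflow permission, and put a comment above the map such as `# Method-level gate only; is_approved / is_published / featured are checked per field in MetadataBooleanField.`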
@@ -552,6 +552,20 @@ def to_representation(self, instance): return ret +class MetadataBooleanField(serializers.BooleanField): + MAPPING = {"is_approved": "can_approve", "is_published": "can_publish", "featured": "can_feature"} + + def to_internal_value(self, data): + new_val = super().to_internal_value(data) + user = self.context["request"].user + user_action = self.MAPPING.get(self.field_name) + if getattr(user, user_action)(self.root.instance): + return new_val + else: + logger.warning(f"The user does not have the perms to update the value of {self.field_name}") + return getattr(self.root.instance, self.field_name) + + class ResourceBaseSerializer(DynamicModelSerializer): pk = serializers.CharField(read_only=True) uuid = serializers.CharField(read_only=True) @@ -592,10 +606,10 @@ class ResourceBaseSerializer(DynamicModelSerializer): popular_count = serializers.CharField(required=False) share_count = serializers.CharField(required=False) rating = serializers.CharField(required=False) - featured = serializers.BooleanField(required=False) + featured = MetadataBooleanField(required=False, read_only=False) advertised = serializers.BooleanField(required=False) - is_published = serializers.BooleanField(required=False, read_only=True) - is_approved = serializers.BooleanField(required=False, read_only=True) + is_published = MetadataBooleanField(required=False, read_only=False) + is_approved = MetadataBooleanField(required=False, read_only=False) detail_url = DetailUrlField(read_only=True) created = serializers.DateTimeField(read_only=True) last_updated = serializers.DateTimeField(read_only=True) diff --git a/geonode/security/permissions.py b/geonode/security/permissions.py index 4d8b2e0bf1f..0ced492f2b2 100644 --- a/geonode/security/permissions.py +++ b/geonode/security/permissions.py 
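Review bot: `MetadataBooleanField.to_internal_value` dereferences `self.root.instance` without checking it. On a request with no existing instance (a create), the permission method is called with `None` and the deny branch ends in `getattr(None, self.field_name)`, so the request would presumably fail with an unhandled exception instead of a clean response. A field name missing from `MAPPING` likewise reaches `getattr(user, None)`. The denial is also invisible to the client, and the warning names neither the user nor the resource, which makes a refused approve or publish attempt hard to audit; I would log both, with lazy `%s` arguments. Whether a create should skip the field, as sketched below, or be rejected outright is a decision for the maintainers.

```python
class MetadataBooleanField(serializers.BooleanField):
    # … unchanged: MAPPING …

    def to_internal_value(self, data):
        new_val = super().to_internal_value(data)
        user = self.context["request"].user
        instance = self.root.instance
        user_action = self.MAPPING.get(self.field_name)
        if instance is None or user_action is None:
            # Nothing to check the permission against: ignore the submitted value.
            raise serializers.SkipField()
        if getattr(user, user_action)(instance):
            return new_val
        logger.warning(
            "User %s may not update %s on resource %s; keeping the stored value",
            user,
            self.field_name,
            instance.pk,
        )
        return getattr(instance, self.field_name)
```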
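Review bot: Nothing in this commit tests the fields that become permission-gated in `ResourceBaseSerializer`: the diffstat lists only the three source files, while `is_published` and `is_approved` go from `read_only=True` to writable. For each of `featured`, `is_published` and `is_approved` I would add a `PATCH` test by a user without the matching permission (stored value unchanged) and one by a user with it (value updated). As a style point, `read_only=False` is already the default for a serializer field, so `MetadataBooleanField(required=False)` is enough. The class body continues outside the hunk.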
@@ -90,6 +90,12 @@ "change_resourcebase_metadata", ] +USER_CAN_PERMISSIONS = [ + "publish_resourcebase", + "approve_resourcebase", + "feature_resourcebase", +] + BASIC_MANAGE_PERMISSIONS = [ "delete_resourcebase", "change_resourcebase_permissions",
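Review bot: `USER_CAN_PERMISSIONS` has no comment, and the name alone does not say what the group covers or how it differs from the edit permissions listed just above it. Its use is visible only in the other two files of this commit, where it is appended to the write-method entries of `perms_map`. A one-line comment above the list would help, for example `# Workflow permissions (publish / approve / feature), kept separate from the metadata edit permissions.`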