From db972f1ca53b847acac2fcca8dc9278c28dd6963 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 17 Aug 2022 12:51:54 +0200
Subject: [PATCH] Add test on extra metadta (#9859) (#9860) [Fixes #9842] Extra metadata endpoint return 403 even if the user has view perms, add new test
Co-authored-by: mattiagiupponi <51856725+mattiagiupponi@users.noreply.github.com>
---
 geonode/base/api/tests.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/geonode/base/api/tests.py b/geonode/base/api/tests.py
index 9e1567e56ce..af909791bbe 100644
--- a/geonode/base/api/tests.py
+++ b/geonode/base/api/tests.py
@@ -2471,3 +2471,18 @@ def test_delete_will_delete_single_metadata(self):
 response = self.client.delete(url, data=[self.mdata.id], content_type='application/json')
 self.assertTrue(200, response.status_code)
 self.assertEqual([], response.json())
+
+ def test_user_without_view_perms_cannot_see_the_endpoint(self):
+ from geonode.resource.manager import resource_manager
+
+ self.client.login(username='bobby', password='bob')
+ resource_manager.remove_permissions(self.layer.uuid, instance=self.layer.get_self_resource())
+ url = reverse('base-resources-extra-metadata', args=[self.layer.id])
+ response = self.client.get(url, content_type='application/json')
+ self.assertTrue(403, response.status_code)
+
+ perm_spec = {"users": {"bobby": ['view_resourcebase']}, "groups": {}}
+ self.layer.set_permissions(perm_spec)
+ url = reverse('base-resources-extra-metadata', args=[self.layer.id])
+ response = self.client.get(url, content_type='application/json')
+ self.assertTrue(200, response.status_code)
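Review bot: Both status checks in `test_user_without_view_perms_cannot_see_the_endpoint` are vacuous, because `assertTrue(403, response.status_code)` only tests that `403` is truthy and treats the status code as the failure message. As written, the test passes whatever the endpoint returns, so a regression in the view-permission check on `base-resources-extra-metadata` would not be caught. They should be `self.assertEqual(403, response.status_code)` and `self.assertEqual(200, response.status_code)`. The result of `self.client.login(...)` is also discarded, so a failed login would silently turn this into an anonymous-user test; `self.assertTrue(self.client.login(username='bobby', password='bob'))` would pin the identity being tested. The context line `self.assertTrue(200, response.status_code)` at the top of the hunk has the same problem, in a test whose body starts outside the hunk.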