From ec57d07410e422503ca3ca813dba7d53de6aeb33 Mon Sep 17 00:00:00 2001 From: mattiagiupponi <51856725+mattiagiupponi@users.noreply.github.com> Date: Wed, 7 Sep 2022 10:47:42 +0200 Subject: [PATCH] [#Fixes #9970] Fix users has perms (#9973) * [#Fixes #9970] Fix users has perms * [Fixes #9970] made the model being dynamic --- geonode/base/api/permissions.py | 30 ++++++++++++++---------------- geonode/base/api/views.py | 6 +++--- geonode/resource/api/views.py | 4 ++-- 3 files changed, 19 insertions(+), 21 deletions(-) diff --git a/geonode/base/api/permissions.py b/geonode/base/api/permissions.py index c76e7678c10..10103963ff7 100644 --- a/geonode/base/api/permissions.py +++ b/geonode/base/api/permissions.py @@ -17,7 +17,6 @@ # ######################################################################### import logging -from django.conf import settings from django.contrib.auth import get_user_model from django.shortcuts import get_object_or_404 @@ -27,8 +26,7 @@ from geonode.security.utils import ( get_users_with_perms, - get_resources_with_perms, - get_visible_resources) + get_resources_with_perms) from geonode.groups.models import GroupProfile from rest_framework.permissions import DjangoModelPermissions from guardian.shortcuts import get_objects_for_user 
@@ -234,20 +232,17 @@ def __call__(self): return self def has_permission(self, request, view): - from geonode.base.models import ResourceBase - queryset = self._queryset(view) - perms = self.perms_dict.get(request.method, None) or self.get_required_permissions(request.method, queryset.model) if request.user.is_superuser: return True if view.kwargs.get('pk'): # if a single resource is called, we check the perms for that resource - res = get_object_or_404(ResourceBase, pk=view.kwargs.get('pk')) + res = get_object_or_404(queryset.model, pk=view.kwargs.get('pk')) # if the request is for a single resource, we take the specific or the default. If none is defined we keep the original one defined above resource_type_specific_perms = self.perms_dict.get(res.get_real_instance().resource_type, self.perms_dict.get('default', {})) - perms = resource_type_specific_perms.get(request.method, []) or perms + perms = resource_type_specific_perms.get(request.method, []) or self.get_required_permissions(request.method, queryset.model) # getting the user permission for that resource resource_perms = list(res.get_user_perms(request.user)) 
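Review bot: `res = get_object_or_404(queryset.model, pk=view.kwargs.get('pk'))` is immediately followed by `res.get_real_instance()` and `res.get_user_perms(...)`, which exist on ResourceBase-derived models; now that the model comes from the view instead of being fixed to ResourceBase, attaching UserHasPerms to a view over any other model would turn a would-be 403 into a 500 AttributeError, so a cheap guard after the lookup, `if not hasattr(res, 'get_user_perms'): return False`, keeps the failure a permission denial. Separately, looking the object up on `queryset.model` rather than on `queryset` itself skips whatever filtering the view's get_queryset() applies, so this branch evaluates permissions on objects the view would never list and answers 403 rather than 404 for them; if that filtering is the visibility filter, `get_object_or_404(queryset, pk=view.kwargs.get('pk'))` would be the safer form, though get_queryset is not visible from here. has_permission continues past the end of this hunk.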
@@ -268,13 +263,16 @@ def has_permission(self, request, view): rule = resource_type_specific_perms.get("rule", any) return rule([_perm in available_perms for _perm in perms_without_base]) - if not get_visible_resources( - queryset, - request.user if request else None, - admin_approval_required=settings.ADMIN_MODERATE_UPLOADS, - unpublished_not_visible=settings.RESOURCE_PUBLISHING, - private_groups_not_visibile=settings.GROUP_PRIVATE_RESOURCES).exists(): - # there are not resource in the db, needed usually for fresh installations - return request.method in permissions.SAFE_METHODS + if request.method in permissions.SAFE_METHODS: + return True + + _default_defined_perms = self.perms_dict.get("default", {}) + if _default_defined_perms.get(request.method): + _defined_perms = _default_defined_perms.get(request.method) + rule = _default_defined_perms.get("rule", any) + return rule([request.user.has_perm(_perm) for _perm in _defined_perms]) + + perms = self.perms_dict.get(request.method, None) or self.get_required_permissions(request.method, queryset.model) + # check if the user have one of the perms in all the resource available return get_objects_for_user(request.user, perms).exists() diff --git a/geonode/base/api/views.py b/geonode/base/api/views.py index c0004e802ae..a2fac993e55 100644 --- a/geonode/base/api/views.py +++ b/geonode/base/api/views.py @@ -1079,13 +1079,13 @@ def resource_service_update(self, request, pk): IsAuthenticated, UserHasPerms( perms_dict={ "dataset": { - "PUT": ['add_resourcebase', 'download_resourcebase'], "rule": all + "PUT": ['base.add_resourcebase', 'base.download_resourcebase'], "rule": all }, "document": { - "PUT": ['add_resourcebase', 'download_resourcebase'], "rule": all + "PUT": ['base.add_resourcebase', 'base.download_resourcebase'], "rule": all }, "default": { - "PUT": ['add_resourcebase'] + "PUT": ['base.add_resourcebase'] } } ) 
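Review bot: The new `if request.method in permissions.SAFE_METHODS: return True` grants every read request at the view level, for anonymous callers too, before the default and per-model checks run, whereas the removed branch only did so when no resource was visible to the caller; read protection for list endpoints therefore now rests entirely on the view's get_queryset() filtering, which is outside this hunk. That contract deserves to be stated on the line: `# read access is not decided here: list/retrieve visibility must be enforced by the view's queryset`. Note also that `request.user.has_perm(_perm)` in the default branch is an object-less, model-level check, unlike the per-object `res.get_user_perms` path above it that reads the same `self.perms_dict.get('default', {})` entry, so one perms_dict entry means different things on pk and non-pk requests; a one-line comment saying so would save the next reader a trip through guardian. The start of has_permission lies outside this hunk.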
diff --git a/geonode/resource/api/views.py b/geonode/resource/api/views.py index e07bd02e94c..2401602df0a 100644 --- a/geonode/resource/api/views.py +++ b/geonode/resource/api/views.py @@ -23,7 +23,7 @@ from dynamic_rest.viewsets import WithDynamicViewSetMixin from geonode.base.api.filters import DynamicSearchFilter from geonode.base.api.pagination import GeoNodeApiPagination -from geonode.base.api.permissions import IsSelfOrAdminOrReadOnly +from geonode.base.api.permissions import IsOwnerOrReadOnly from geonode.resource.api.exceptions import ExecutionRequestException from geonode.resource.api.serializer import ExecutionRequestSerializer from geonode.resource.manager import resource_manager @@ -131,7 +131,7 @@ class ExecutionRequestViewset(WithDynamicViewSetMixin, ListModelMixin, RetrieveM API endpoint that allows users to be viewed or edited. """ authentication_classes = [SessionAuthentication, BasicAuthentication, OAuth2Authentication] - permission_classes = [IsAuthenticated, IsSelfOrAdminOrReadOnly, ] + permission_classes = [IsAuthenticated, IsOwnerOrReadOnly] filter_backends = [ DynamicFilterBackend, DynamicSortingFilter, DynamicSearchFilter ]
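Review bot: Swapping in `IsOwnerOrReadOnly` (its definition is not in this diff) means, if it follows the DRF shape its name suggests, that any authenticated user passes for SAFE_METHODS, so whether one user can list or retrieve another user's ExecutionRequest is now decided solely by this viewset's get_queryset(), which lies outside the hunk; please confirm it filters on `request.user` and that the owner check reads the ExecutionRequest's user field rather than comparing the object to the requesting user as IsSelfOrAdminOrReadOnly presumably did. The class docstring just above, `API endpoint that allows users to be viewed or edited.`, looks copied from a user viewset; `API endpoint for listing, retrieving and editing the caller's own ExecutionRequests.` would describe this class. ExecutionRequestViewset continues beyond the end of the hunk.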