[Fixes #12713] Permissions Registry and permissions handler (#12714)

* Add handler for permissions workflow

* [Fixes #12713] Add tests

* [Fixes #12713] Add tests

* [Fixes #12713] Refactor permissions handler

* [Fixes #12713] Usage of permissions registry

* [Fixes #12713] fix black and flake8

* [Fixes #12713] fix black and flake8

* [Fixes #12713] Usage of permissions registry, fix tests

* [Fixes #12713] Usage of permissions registry, fix tests

* [Fixes #12713] Usage of permissions registry also for user perms

* [Fixes #12713] make UserHasPerm user the registry

* [Fixes #12713] fix tests

* [Fixes #12713] fix tests

* [Fixes #12713] fix tests

* [Fixes #12713] fix tests

* [Fixes #12713] fix tests

* [Fixes #12713] Add remove function in permissions registry

* [Fixes #12713] fix PR comments

* [Fixes #12713] fix PR comments

* [Fixes #12713] fix PR comments

* [Fixes #12713] fix PR comments

* [Fixes #12713] fix formatting

---------

Co-authored-by: Giovanni Allegri <[email protected]>

Author: mattiagiupponi

geonode/base/api/permissions.py

@@ -35,8 +35,7 @@
 from geonode.groups.models import GroupProfile
 from rest_framework.permissions import DjangoModelPermissions
 from guardian.shortcuts import get_objects_for_user
-from itertools import chain
-from guardian.shortcuts import get_groups_with_perms
+from geonode.security.registry import permissions_registry
 
 logger = logging.getLogger(__name__)
 
@@ -251,19 +250,10 @@ def has_permission(self, request, view):
             )
 
             # getting the user permission for that resource
-            resource_perms = res.get_user_perms(request.user)
-
-            groups = get_groups_with_perms(res, attach_perms=True)
-            # we are making this because the request.user.groups sometimes returns empty si is not fully reliable
-            for group, perm in groups.items():
-                # checking if the user is in that group
-                if group.user_set.filter(username=request.user).exists():
-                    resource_perms = list(chain(resource_perms, perm))
-
-            if request.user.has_perm("base.add_resourcebase"):
-                resource_perms.append("add_resourcebase")
-            # merging all available permissions into a single list
-            available_perms = list(set(resource_perms))
+            available_perms = permissions_registry.get_perms(
+                instance=res, user=request.user, include_user_add_resource=True
+            )
+
             # fixup the permissions name
             perms_without_base = [x.replace("base.", "") for x in perms]
             # if at least one of the permissions is available the request is True

geonode/base/api/serializers.py

@@ -69,6 +69,7 @@
 from geonode.security.utils import get_resources_with_perms, get_geoapp_subtypes
 from geonode.resource.models import ExecutionRequest
 from django.contrib.gis.geos import Polygon
+from geonode.security.registry import permissions_registry
 
 logger = logging.getLogger(__name__)
 
@@ -523,7 +524,11 @@ class Meta:
     def to_representation(self, instance):
         request = self.context.get("request", None)
         resource = ResourceBase.objects.get(pk=instance)
-        return resource.get_user_perms(request.user) if request and request.user and resource else []
+        return (
+            permissions_registry.get_perms(instance=resource, user=request.user)
+            if request and request.user and resource
+            else []
+        )
 
 
 class LinksSerializer(DynamicModelSerializer):

geonode/base/api/tests.py

@@ -94,6 +94,7 @@
 )
 from geonode.resource.api.tasks import resouce_service_dispatcher
 from guardian.shortcuts import assign_perm
+from geonode.security.registry import permissions_registry
 
 logger = logging.getLogger(__name__)
 
@@ -2374,7 +2375,9 @@ def test_resource_service_copy_with_perms_dataset_set_default_perms(self):
             }
             resource.set_permissions(_perms)
             # checking that bobby is in the original dataset perms list
-            self.assertTrue("bobby" in "bobby" in [x.username for x in resource.get_all_level_info().get("users", [])])
+            self.assertIn(
+                "bobby", [x.username for x in permissions_registry.get_perms(instance=resource).get("users", [])]
+            )
             # copying the resource, should remove the perms for bobby
             # only the default perms should be available
             copy_url = reverse("importer_resource_copy", kwargs={"pk": resource.pk})
@@ -2389,8 +2392,14 @@ def test_resource_service_copy_with_perms_dataset_set_default_perms(self):
         self.assertEqual("finished", self.client.get(response.json().get("status_url")).json().get("status"))
         _resource = Dataset.objects.filter(title__icontains="test_copy_with_perms").last()
         self.assertIsNotNone(_resource)
-        self.assertNotIn("bobby", [x.username for x in _resource.get_all_level_info().get("users", [])])
-        self.assertIn("admin", [x.username for x in _resource.get_all_level_info().get("users", [])])
+        self.assertNotIn(
+            "bobby",
+            [x.username for x in permissions_registry.get_perms(instance=_resource).get("users", [])],
+        )
+        self.assertIn(
+            "admin",
+            [x.username for x in permissions_registry.get_perms(instance=_resource).get("users", [])],
+        )
 
     def test_resource_service_copy_with_perms_doc(self):
         files = os.path.join(gisdata.GOOD_DATA, "vector/single_point.shp")
@@ -3428,7 +3437,7 @@ def test_simple_resourcebase_can_be_created_by_resourcemanager(self):
             "groups": {anonymous_group: set(["view_resourcebase"])},
         }
 
-        actual_perms = resource.get_all_level_info().copy()
+        actual_perms = permissions_registry.get_perms(instance=resource).copy()
         self.assertIsNotNone(actual_perms)
         self.assertTrue(self.user in actual_perms["users"].keys())
         self.assertTrue(anonymous_group in actual_perms["groups"].keys())

geonode/base/views.py

@@ -72,6 +72,7 @@
 
 from geonode.base.forms import CategoryForm, TKeywordForm, ThesaurusAvailableForm
 from geonode.base.models import Thesaurus, TopicCategory
+from geonode.security.registry import permissions_registry
 
 from .forms import ResourceBaseForm
 
@@ -509,8 +510,7 @@ def resourcebase_embed(request, resourcebaseid, template="base/base_edit.html"):
 
     # Call this first in order to be sure "perms_list" is correct
     permissions_json = _perms_info_json(resourcebase_obj)
-
-    perms_list = resourcebase_obj.get_user_perms(request.user)
+    perms_list = permissions_registry.get_perms(instance=resourcebase_obj, user=request.user)
 
     group = None
     if resourcebase_obj.group:

geonode/documents/tests.py

@@ -60,6 +60,7 @@
 from geonode.upload.api.exceptions import FileUploadLimitException
 
 from .forms import DocumentCreateForm
+from geonode.security.registry import permissions_registry
 
 
 TEST_GIF = os.path.join(os.path.dirname(__file__), "tests/data/img.gif")
@@ -401,8 +402,8 @@ def test_set_document_permissions(self):
         self.assertFalse(self.anonymous_user.has_perm("view_resourcebase", document.get_self_resource()))
 
         # Test that previous permissions for users other than ones specified in
-        # the perm_spec (and the document owner) were removed
-        current_perms = document.get_all_level_info()
+        # the perm_spec (and the document owner) were
+        current_perms = permissions_registry.get_perms(instance=document)
         self.assertEqual(len(current_perms["users"]), 1)
 
         # Test that the User permissions specified in the perm_spec were

geonode/geoapps/views.py

@@ -46,6 +46,7 @@
 from geonode.base.forms import CategoryForm, TKeywordForm, ThesaurusAvailableForm
 from geonode.base.models import Thesaurus, TopicCategory
 from geonode.utils import resolve_object
+from geonode.security.registry import permissions_registry
 
 from .forms import GeoAppForm
 
@@ -106,7 +107,7 @@ def geoapp_edit(request, geoappid, template="apps/app_edit.html"):
     # Call this first in order to be sure "perms_list" is correct
     permissions_json = _perms_info_json(geoapp_obj)
 
-    perms_list = geoapp_obj.get_user_perms(request.user)
+    perms_list = permissions_registry.get_perms(instance=geoapp_obj, user=request.user)
 
     group = None
     if geoapp_obj.group:

geonode/geoserver/security.py

@@ -37,6 +37,7 @@
 from geonode.geoserver.helpers import geofence, gf_utils, gs_catalog
 from geonode.groups.models import GroupProfile
 from geonode.utils import get_dataset_workspace
+from geonode.security.registry import permissions_registry
 
 
 logger = logging.getLogger(__name__)
@@ -349,8 +350,7 @@ def sync_resources_with_guardian(resource=None, force=False):
                 batch = AutoPriorityBatch(gf_utils.get_first_available_priority(), f"Sync resources {dataset}")
 
                 gf_utils.collect_delete_layer_rules(get_dataset_workspace(dataset), dataset.name, batch)
-
-                perm_spec = dataset.get_all_level_info()
+                perm_spec = permissions_registry.get_perms(instance=dataset)
                 # All the other users
                 if "users" in perm_spec:
                     for user, perms in perm_spec["users"].items():

geonode/geoserver/tests/integration.py

@@ -42,6 +42,7 @@
 from geonode.decorators import on_ogc_backend
 from geonode.base.models import TopicCategory, Link
 from geonode.geoserver.helpers import set_attributes_from_geoserver
+from geonode.security.registry import permissions_registry
 
 LOCAL_TIMEOUT = 300
 
@@ -351,4 +352,4 @@ def test_default_anonymous_permissions(self):
             saved_dataset.delete()
 
     def get_user_resource_perms(self, instance, user):
-        return list(instance.get_user_perms(user).union(instance.get_self_resource().get_user_perms(user)))
+        return permissions_registry.get_perms(instance=instance, user=user)

geonode/groups/tests.py

@@ -37,6 +37,7 @@
 from geonode.groups.models import GroupProfile, GroupMember, GroupCategory
 
 from geonode.base.populate_test_data import all_public, create_models, remove_models, create_single_dataset
+from geonode.security.registry import permissions_registry
 
 logger = logging.getLogger(__name__)
 
@@ -334,7 +335,7 @@ def test_perms_info(self):
         # Add test to test perms being sent to the front end.
         layer = Dataset.objects.first()
         layer.set_default_permissions()
-        perms_info = layer.get_all_level_info()
+        perms_info = permissions_registry.get_perms(instance=layer)
 
         # Ensure there is only one group 'anonymous' by default
         self.assertEqual(len(perms_info["groups"].keys()), 1)
@@ -695,7 +696,7 @@ def test_group_activity_pages_render(self):
         try:
             # Add test to test perms being sent to the front end.
             dataset.set_default_permissions()
-            perms_info = dataset.get_all_level_info()
+            perms_info = permissions_registry.get_perms(instance=dataset)
 
             # Ensure there is only one group 'anonymous' by default
             self.assertEqual(len(perms_info["groups"].keys()), 1)

geonode/layers/tests.py

@@ -76,6 +76,7 @@
 
 from geonode.base.populate_test_data import all_public, create_models, remove_models, create_single_dataset
 from geonode.layers.download_handler import DatasetDownloadHandler
+from geonode.security.registry import permissions_registry
 
 logger = logging.getLogger(__name__)
 
@@ -641,7 +642,7 @@ def test_assign_change_dataset_data_perm(self):
         layer = Dataset.objects.first()
         user = get_anonymous_user()
         layer.set_permissions({"users": {user.username: ["change_dataset_data"]}})
-        perms = layer.get_all_level_info()
+        perms = permissions_registry.get_perms(instance=layer)
         self.assertNotIn(user, perms["users"])
         self.assertNotIn(user.username, perms["users"])
 
@@ -736,13 +737,13 @@ def test_surrogate_escape_string(self):
     def test_assign_remove_permissions(self):
         # Assing
         layer = Dataset.objects.all().first()
-        perm_spec = layer.get_all_level_info()
+        perm_spec = permissions_registry.get_perms(instance=layer)
         self.assertNotIn(get_user_model().objects.get(username="norman"), perm_spec["users"])
 
         utils.set_datasets_permissions(
             "edit", resources_names=[layer.name], users_usernames=["norman"], delete_flag=False, verbose=True
         )
-        perm_spec = layer.get_all_level_info()
+        perm_spec = permissions_registry.get_perms(instance=layer)
         _c = 0
         if "users" in perm_spec:
             for _u in perm_spec["users"]:
@@ -755,7 +756,7 @@ def test_assign_remove_permissions(self):
         utils.set_datasets_permissions(
             "read", resources_names=[layer.name], users_usernames=["norman"], delete_flag=True, verbose=True
         )
-        perm_spec = layer.get_all_level_info()
+        perm_spec = permissions_registry.get_perms(instance=layer)
         _c = 0
         if "users" in perm_spec:
             for _u in perm_spec["users"]:
@@ -768,15 +769,15 @@ def test_assign_remove_permissions(self):
     def test_assign_remove_permissions_for_groups(self):
         # Assing
         layer = Dataset.objects.all().first()
-        perm_spec = layer.get_all_level_info()
+        perm_spec = permissions_registry.get_perms(instance=layer)
         group_profile = GroupProfile.objects.create(slug="group1", title="group1", access="public")
         self.assertNotIn(group_profile, perm_spec["groups"])
 
         # giving manage permissions to the group
         utils.set_datasets_permissions(
             "manage", resources_names=[layer.name], groups_names=["group1"], delete_flag=False, verbose=True
         )
-        perm_spec = layer.get_all_level_info()
+        perm_spec = permissions_registry.get_perms(instance=layer)
         expected = {
             "change_dataset_data",
             "change_dataset_style",
@@ -795,7 +796,7 @@ def test_assign_remove_permissions_for_groups(self):
         utils.set_datasets_permissions(
             "view", resources_names=[layer.name], groups_names=["group1"], delete_flag=False, verbose=True
         )
-        perm_spec = layer.get_all_level_info()
+        perm_spec = permissions_registry.get_perms(instance=layer)
         expected = {"view_resourcebase"}
         # checking the perms list
         self.assertSetEqual(expected, set(perm_spec["groups"][group_profile.group]))
@@ -804,7 +805,7 @@ def test_assign_remove_permissions_for_groups(self):
         utils.set_datasets_permissions(
             "view", resources_names=[layer.name], groups_names=["group1"], delete_flag=True, verbose=True
         )
-        perm_spec = layer.get_all_level_info()
+        perm_spec = permissions_registry.get_perms(instance=layer)
         # checking the perms list
         self.assertTrue(group_profile.group not in perm_spec["groups"])
 
@@ -1851,7 +1852,7 @@ def _create_arguments(self, perms_type, mode="set"):
     def _assert_perms(self, expected_perms, dataset, username, assertion=True):
         dataset.refresh_from_db()
 
-        perms = dataset.get_all_level_info()
+        perms = permissions_registry.get_perms(instance=dataset)
         if assertion:
             self.assertTrue(username in [user.username for user in perms["users"]])
             actual = set(