
Commit 904728c

authored
[Fixes #13578] Implementation of permissions to control public and registered members permissions management (#13582)
* [Fixes #13578] added handler with dynamic logic for public and registered group
* [Fixes #13578] Adapted test case and also changed default to True for flags
* [Fixes #13578] corrected the old test case after the addition of the new handler, as 2 permissions will be added based on settings
* [Fixes #13578] Corrected the old test cases to support the dynamic permission
* [Fixes #13578] corrected old failed test case due to newly added permission
1 parent 6867ab1 commit 904728c


5 files changed

+234
-4
lines changed


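--- a/geonode/base/api/tests.py
+++ b/geonode/base/api/tests.py
@@ -366,7 +366,15 @@ def test_user_resources_shows_related_permissions(self):
 response = self.client.get(url, format="json")
 self.assertEqual(response.status_code, 200)
 perms = response.json().get("resources", [])[0].get("perms")
-self.assertSetEqual({"view_resourcebase", "change_resourcebase"}, set(perms))
+self.assertSetEqual(
+{
+"view_resourcebase",
+"change_resourcebase",
+"can_manage_anonymous_permissions",
+"can_manage_registered_member_permissions",
+},
+set(perms),
+) # if user has edit permission/owner, By default it("can_manage_anonymous_permissions","can_manage_registered_member_permissions") will get this permission unless rule changed on settings.
 
 def test_get_self_user_details_outside_registered_member(self):
 try:
@@ -3511,6 +3519,8 @@ def test_simple_resourcebase_can_be_created_by_resourcemanager(self):
 "view_resourcebase",
 "change_resourcebase_metadata",
 "change_resourcebase",
+"can_manage_anonymous_permissions", # dynamic permission added from SpecialGroupPermissionsHandler
+"can_manage_registered_member_permissions", # dynamic permission added from SpecialGroupPermissionsHandler
 ]
 )
 },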
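Review bot: The expected permission sets in `test_user_resources_shows_related_permissions` and `test_simple_resourcebase_can_be_created_by_resourcemanager` now hard-code both computed permissions, which only holds while `EDITORS_CAN_MANAGE_ANONYMOUS_PERMISSIONS` and `EDITORS_CAN_MANAGE_REGISTERED_MEMBERS_PERMISSIONS` are unset or True; the same applies to the two dataset tests in geonode/layers/tests.py. Pinning the flags on these tests, e.g. `@override_settings(EDITORS_CAN_MANAGE_ANONYMOUS_PERMISSIONS=True, EDITORS_CAN_MANAGE_REGISTERED_MEMBERS_PERMISSIONS=True)`, keeps them independent of the ambient settings, and a companion case with both flags False would cover the restrictive path (none is visible in these sections). The inline comments name `SpecialGroupPermissionsHandler`, while the class added in geonode/security/handlers.py is `SpecialGroupsPermissionsHandler`. Both test functions start and end outside the hunks shown.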

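--- a/geonode/layers/tests.py
+++ b/geonode/layers/tests.py
@@ -1178,6 +1178,8 @@ def test_user_get_the_edit_permissions_for_the_selected_dataset(self):
 "change_resourcebase_metadata",
 "change_dataset_data",
 "change_resourcebase",
+"can_manage_anonymous_permissions", # if user has edit permission/owner, By default it will get this permission unless rule changed on settings.
+"can_manage_registered_member_permissions", # if user has edit permission/onwer, By default it will get this permission unless rule changed on settings.
 }
 
 dataset, args, username, opts = self._create_arguments(perms_type="edit")
@@ -1205,6 +1207,8 @@ def test_user_get_the_manage_permissions_for_the_selected_dataset(self):
 "publish_resourcebase",
 "change_dataset_data",
 "download_resourcebase",
+"can_manage_anonymous_permissions", # if user has edit permission/owner, By default it will get this permission unless rule changed on settings.
+"can_manage_registered_member_permissions", # if user has edit permission/onwer, By default it will get this permission unless rule changed on settings.
 }
 
 dataset, args, username, opts = self._create_arguments(perms_type="manage")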

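--- a/geonode/security/handlers.py
+++ b/geonode/security/handlers.py
@@ -17,6 +17,7 @@
 #
 #########################################################################
 from abc import ABC
+from django.conf import settings
 
 
 class BasePermissionsHandler(ABC):
@@ -46,6 +47,53 @@ def get_perms(instance, perms_payload, user, include_virtual, *args, **kwargs):
 return perms_payload
 
 
+class SpecialGroupsPermissionsHandler(BasePermissionsHandler):
+"""
+Adds two computed permissions to the user's permissions list for a resource:
+- can_manage_anonymous_permissions
+- can_manage_registered_member_permissions
+"""
+
+@staticmethod
+def get_perms(instance, perms_payload, user=None, include_virtual=True, *args, **kwargs):
+from geonode.security.permissions import EDIT_PERMISSIONS
+
+if not include_virtual:
+return perms_payload
+
+perms_copy = perms_payload.copy()
+users = perms_payload.get("users", {})
+
+def _has_edit(perms_list, u):
+if not perms_list:
+return False
+# Basic check via explicit change permissions or ownership
+if u == instance.owner:
+return True
+edit_markers = EDIT_PERMISSIONS
+return any(p in edit_markers for p in perms_list)
+
+for u, perms in users.items():
+updated = set(perms or [])
+# CONDITIONS
+allow_editors_anonymous = getattr(settings, "EDITORS_CAN_MANAGE_ANONYMOUS_PERMISSIONS", True)
+allow_editors_registered = getattr(settings, "EDITORS_CAN_MANAGE_REGISTERED_MEMBERS_PERMISSIONS", True)
+is_admin_or_staff = getattr(u, "is_superuser", False) or getattr(u, "is_staff", False)
+can_edit = _has_edit(perms, u)
+
+grant_anonymous = is_admin_or_staff or (allow_editors_anonymous and can_edit)
+grant_registered = is_admin_or_staff or (allow_editors_registered and can_edit)
+
+if grant_anonymous:
+updated.add("can_manage_anonymous_permissions")
+if grant_registered:
+updated.add("can_manage_registered_member_permissions")
+
+perms_copy["users"][u] = list(updated)
+
+return perms_copy
+
+
 class AdvancedWorkflowPermissionsHandler(BasePermissionsHandler):
 """
 Handler that takes care of adjusting the permissions for the advanced workflow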
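Review bot: `perms_payload.copy()` in `SpecialGroupsPermissionsHandler.get_perms` is a shallow copy, so `perms_copy["users"][u] = list(updated)` writes the two computed permissions into the caller's own `perms_payload["users"]` dict. The callers are not visible here, but if any of them reuses that payload to store permissions, the virtual entries could end up persisted as if they were real grants; rebinding the nested dict right after the copy, `perms_copy["users"] = dict(users)`, keeps the input untouched. Both `getattr(settings, ..., True)` lookups grant when the setting is absent and do not depend on the loop variable, so they can be hoisted above the `for`, and the class docstring should state that the default is permissive and that `is_staff` users receive both permissions regardless of the flags. `_has_edit` also returns False for the owner when their permission list is empty, because the emptiness check runs before the ownership check; if ownership alone should qualify, swap the two.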
