[Fixes #13578] Implementation of permissions to control public and registered members permissions management

geonode/base/api/tests.py

@@ -366,7 +366,15 @@ def test_user_resources_shows_related_permissions(self):
         response = self.client.get(url, format="json")
         self.assertEqual(response.status_code, 200)
         perms = response.json().get("resources", [])[0].get("perms")
-        self.assertSetEqual({"view_resourcebase", "change_resourcebase"}, set(perms))
+        self.assertSetEqual(
+            {
+                "view_resourcebase",
+                "change_resourcebase",
+                "can_manage_anonymous_permissions",
+                "can_manage_registered_member_permissions",
+            },
+            set(perms),
+        )  # if user has edit permission/owner, By default it("can_manage_anonymous_permissions","can_manage_registered_member_permissions") will get this permission unless rule changed on settings.
 
     def test_get_self_user_details_outside_registered_member(self):
         try:
@@ -3511,6 +3519,8 @@ def test_simple_resourcebase_can_be_created_by_resourcemanager(self):
                         "view_resourcebase",
                         "change_resourcebase_metadata",
                         "change_resourcebase",
+                        "can_manage_anonymous_permissions",  # dynamic permission added from SpecialGroupPermissionsHandler
+                        "can_manage_registered_member_permissions",  # dynamic permission added from SpecialGroupPermissionsHandler
                     ]
                 )
             },

geonode/layers/tests.py

@@ -1178,6 +1178,8 @@ def test_user_get_the_edit_permissions_for_the_selected_dataset(self):
                 "change_resourcebase_metadata",
                 "change_dataset_data",
                 "change_resourcebase",
+                "can_manage_anonymous_permissions",  # if user has edit permission/owner, By default it will get this permission unless rule changed on settings.
+                "can_manage_registered_member_permissions",  # if user has edit permission/onwer, By default it will get this permission unless rule changed on settings.
             }
 
             dataset, args, username, opts = self._create_arguments(perms_type="edit")
@@ -1205,6 +1207,8 @@ def test_user_get_the_manage_permissions_for_the_selected_dataset(self):
                 "publish_resourcebase",
                 "change_dataset_data",
                 "download_resourcebase",
+                "can_manage_anonymous_permissions",  # if user has edit permission/owner, By default it will get this permission unless rule changed on settings.
+                "can_manage_registered_member_permissions",  # if user has edit permission/onwer, By default it will get this permission unless rule changed on settings.
             }
 
             dataset, args, username, opts = self._create_arguments(perms_type="manage")

geonode/security/handlers.py

@@ -17,6 +17,7 @@
 #
 #########################################################################
 from abc import ABC
+from django.conf import settings
 
 
 class BasePermissionsHandler(ABC):
@@ -46,6 +47,53 @@ def get_perms(instance, perms_payload, user, include_virtual, *args, **kwargs):
         return perms_payload
 
 
+class SpecialGroupsPermissionsHandler(BasePermissionsHandler):
+    """
+    Adds two computed permissions to the user's permissions list for a resource:
+    - can_manage_anonymous_permissions
+    - can_manage_registered_member_permissions
+    """
+
+    @staticmethod
+    def get_perms(instance, perms_payload, user=None, include_virtual=True, *args, **kwargs):
+        from geonode.security.permissions import EDIT_PERMISSIONS
+
+        if not include_virtual:
+            return perms_payload
+
+        perms_copy = perms_payload.copy()
+        users = perms_payload.get("users", {})
+
+        def _has_edit(perms_list, u):
+            if not perms_list:
+                return False
+            # Basic check via explicit change permissions or ownership
+            if u == instance.owner:
+                return True
+            edit_markers = EDIT_PERMISSIONS
+            return any(p in edit_markers for p in perms_list)
+
+        for u, perms in users.items():
+            updated = set(perms or [])
+            # CONDITIONS
+            allow_editors_anonymous = getattr(settings, "EDITORS_CAN_MANAGE_ANONYMOUS_PERMISSIONS", True)
+            allow_editors_registered = getattr(settings, "EDITORS_CAN_MANAGE_REGISTERED_MEMBERS_PERMISSIONS", True)
+            is_admin_or_staff = getattr(u, "is_superuser", False) or getattr(u, "is_staff", False)
+            can_edit = _has_edit(perms, u)
+
+            grant_anonymous = is_admin_or_staff or (allow_editors_anonymous and can_edit)
+            grant_registered = is_admin_or_staff or (allow_editors_registered and can_edit)
+
+            if grant_anonymous:
+                updated.add("can_manage_anonymous_permissions")
+            if grant_registered:
+                updated.add("can_manage_registered_member_permissions")
+
+            perms_copy["users"][u] = list(updated)
+
+        return perms_copy
+
+
 class AdvancedWorkflowPermissionsHandler(BasePermissionsHandler):
     """
     Handler that takes care of adjusting the permissions for the advanced workflow