[Security] Hardening Advanced Workflow resources visibility

(cherry picked from commit 2103f13)

geonode/api/resourcebase_api.py

@@ -240,13 +240,13 @@ def apply_filters(self, request, applicable_filters):
                     Q(owner__username__iexact=str(user))))
             else:
                 filtered = filtered.exclude(Q(dirty_state=True))
-
         return filtered
 
     def filter_published(self, queryset, request):
         filter_set = get_visible_resources(
             queryset,
             request.user if request else None,
+            request=request,
             admin_approval_required=settings.ADMIN_MODERATE_UPLOADS,
             unpublished_not_visible=settings.RESOURCE_PUBLISHING)
 
@@ -256,6 +256,7 @@ def filter_group(self, queryset, request):
         filter_set = get_visible_resources(
             queryset,
             request.user if request else None,
+            request=request,
             private_groups_not_visibile=settings.GROUP_PRIVATE_RESOURCES)
 
         return filter_set

geonode/security/utils.py

@@ -109,9 +109,13 @@ def get_visible_resources(queryset,
 
         if admin_approval_required or unpublished_not_visible or private_groups_not_visibile:
             _allowed_resources = []
-            for _resource in filter_set.all():
+            for _obj in filter_set.all():
                 try:
-                    if user.has_perm('base.view_resourcebase', _resource):
+                    _resource = _obj.get_self_resource()
+                    if user.has_perm('base.view_resourcebase', _resource) or \
+                    user.has_perm('view_resourcebase', _resource) or \
+                    user.has_perm('publish_resourcebase', _resource) or \
+                    user.has_perm('change_resourcebase_metadata', _resource):
                         _allowed_resources.append(_resource.id)
                 except (PermissionDenied, Exception) as e:
                     logger.debug(e)