\n"
"Language-Team: Italian (http://www.transifex.com/geonode/geonode/language/"
diff --git a/geonode/maps/views.py b/geonode/maps/views.py
index dfeda62136b..52161e0667e 100644
--- a/geonode/maps/views.py
+++ b/geonode/maps/views.py
@@ -380,10 +380,6 @@ def map_metadata(
if settings.ADMIN_MODERATE_UPLOADS:
if not request.user.is_superuser:
- if settings.RESOURCE_PUBLISHING:
- map_form.fields['is_published'].widget.attrs.update(
- {'disabled': 'true'})
-
can_change_metadata = request.user.has_perm(
'change_resourcebase_metadata',
map_obj.get_self_resource())
@@ -392,6 +388,9 @@ def map_metadata(
except Exception:
is_manager = False
if not is_manager or not can_change_metadata:
+ if settings.RESOURCE_PUBLISHING:
+ map_form.fields['is_published'].widget.attrs.update(
+ {'disabled': 'true'})
map_form.fields['is_approved'].widget.attrs.update(
{'disabled': 'true'})
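Review bot: Setting `'disabled': 'true'` on the `is_published` widget only changes how the field is rendered; a bound Django form can still accept an `is_published` value posted by a user who is not a manager or lacks the change-metadata permission. If the view does not already discard or re-check that value on POST (the rest of map_metadata is outside this hunk), set `map_form.fields['is_published'].disabled = True` before validation so the submitted value is ignored server-side. The same applies to the `is_approved` lines just below.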
diff --git a/geonode/security/models.py b/geonode/security/models.py
index c9d4c4cac65..d4f4f047fde 100644
--- a/geonode/security/models.py
+++ b/geonode/security/models.py
@@ -25,6 +25,8 @@
from django.contrib.auth import get_user_model
from django.core.exceptions import ObjectDoesNotExist
+from geonode.groups.conf import settings as groups_settings
+
from guardian.shortcuts import (
assign_perm,
get_groups_with_perms
@@ -84,7 +86,8 @@ def get_all_level_info(self):
managers = group_profile.get_managers()
if managers:
for manager in managers:
- if manager not in users and not manager.is_superuser:
+ if manager not in users and not manager.is_superuser and \
+ manager != resource.owner:
for perm in ADMIN_PERMISSIONS + VIEW_PERMISSIONS:
assign_perm(perm, manager, resource)
users[manager] = ADMIN_PERMISSIONS + VIEW_PERMISSIONS
@@ -146,23 +149,58 @@ def set_default_permissions(self):
remove_object_permissions(self)
# default permissions for anonymous users
+
+ def skip_registered_members_common_group(user_group):
+ if groups_settings.AUTO_ASSIGN_REGISTERED_MEMBERS_TO_REGISTERED_MEMBERS_GROUP_NAME:
+ _members_group_name = groups_settings.REGISTERED_MEMBERS_GROUP_NAME
+ if (settings.RESOURCE_PUBLISHING or settings.ADMIN_MODERATE_UPLOADS) and \
+ _members_group_name == user_group.name:
+ return True
+ return False
+
anonymous_group, created = Group.objects.get_or_create(name='anonymous')
+ user_groups = Group.objects.filter(
+ name__in=self.owner.groupmember_set.all().values_list("group__slug", flat=True))
+ obj_group_managers = []
+ if user_groups:
+ for _user_group in user_groups:
+ if not skip_registered_members_common_group(_user_group):
+ try:
+ _group_profile = GroupProfile.objects.get(slug=_user_group.name)
+ managers = _group_profile.get_managers()
+ if managers:
+ for manager in managers:
+ if manager not in obj_group_managers and not manager.is_superuser:
+ obj_group_managers.append(manager)
+ except GroupProfile.DoesNotExist:
+ pass
if not anonymous_group:
raise Exception("Could not acquire 'anonymous' Group.")
# default permissions for resource owner
- set_owner_permissions(self)
+ set_owner_permissions(self, members=obj_group_managers)
+ # Anonymous
anonymous_can_view = settings.DEFAULT_ANONYMOUS_VIEW_PERMISSION
if anonymous_can_view:
assign_perm('view_resourcebase',
anonymous_group, self.get_self_resource())
+ else:
+ for user_group in user_groups:
+ if not skip_registered_members_common_group(user_group):
+ assign_perm('view_resourcebase',
+ user_group, self.get_self_resource())
anonymous_can_download = settings.DEFAULT_ANONYMOUS_DOWNLOAD_PERMISSION
if anonymous_can_download:
assign_perm('download_resourcebase',
anonymous_group, self.get_self_resource())
+ else:
+ for user_group in user_groups:
+ if not skip_registered_members_common_group(user_group):
+ assign_perm('download_resourcebase',
+ user_group, self.get_self_resource())
if self.__class__.__name__ == 'Layer':
# only for layer owner
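Review bot: `Group.objects.filter(name__in=...values_list("group__slug", flat=True))` and `GroupProfile.objects.get(slug=_user_group.name)` both assume that an auth Group's name always equals its GroupProfile slug, and when it does not, `except GroupProfile.DoesNotExist: pass` silently drops that group's managers. Because this list decides who receives admin permissions on the resource, add a comment stating the name/slug invariant and log the miss instead of passing, e.g. `logger.debug("No GroupProfile for group %s", _user_group.name)` if a logger exists in this module (the imports are outside the hunk). The nested `skip_registered_members_common_group` also needs a one-line docstring saying it returns True only for the registered-members group while RESOURCE_PUBLISHING or ADMIN_MODERATE_UPLOADS is enabled. set_default_permissions starts before this hunk and continues after it.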
@@ -171,7 +209,7 @@ def set_default_permissions(self):
if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False):
purge_geofence_layer_rules(self.get_self_resource())
- # Owner
+ # Owner & Managers
perms = [
"view_resourcebase",
"change_layer_data",
@@ -180,16 +218,22 @@ def set_default_permissions(self):
"change_resourcebase_permissions",
"download_resourcebase"]
sync_geofence_with_guardian(self.layer, perms, user=self.owner)
+ for _group_manager in obj_group_managers:
+ sync_geofence_with_guardian(self.layer, perms, user=_group_manager)
+ for user_group in user_groups:
+ if not skip_registered_members_common_group(user_group):
+ sync_geofence_with_guardian(self.layer, perms, group=user_group)
# Anonymous
+ perms = ["view_resourcebase"]
if anonymous_can_view:
- perms = ["view_resourcebase"]
sync_geofence_with_guardian(self.layer, perms, user=None, group=None)
+
+ perms = ["download_resourcebase"]
if anonymous_can_download:
- perms = ["download_resourcebase"]
sync_geofence_with_guardian(self.layer, perms, user=None, group=None)
- def set_permissions(self, perm_spec):
+ def set_permissions(self, perm_spec, created=False):
"""
Sets an object's the permission levels based on the perm_spec JSON.
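Review bot: The new loop `sync_geofence_with_guardian(self.layer, perms, group=user_group)` passes the owner's full `perms` list, which includes `change_layer_data` and `change_resourcebase_permissions`, for every group the owner belongs to, while the guardian side of this commit gives those groups only `view_resourcebase` and `download_resourcebase`. If GeoFence rules are derived from that list, group members could get broader OGC access than their Django permissions allow; pass only the read permissions for groups, e.g. `sync_geofence_with_guardian(self.layer, ["view_resourcebase", "download_resourcebase"], group=user_group)`. The group rules are also synced whether or not the anonymous defaults are on, unlike the guardian `else:` branches earlier in the method. The hunk ends inside the set_permissions docstring, so the rest of that method is not visible here.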
@@ -208,10 +252,11 @@ def set_permissions(self, perm_spec):
]
}
"""
- remove_object_permissions(self)
+ if not created:
+ remove_object_permissions(self)
- # default permissions for resource owner
- set_owner_permissions(self)
+ # default permissions for resource owner
+ set_owner_permissions(self)
# Anonymous User group
if 'users' in perm_spec and "AnonymousUser" in perm_spec['users']:
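Review bot: The new `created` parameter is not described in the docstring, yet it changes what the method guarantees: with `created=True` existing object permissions are no longer removed, so `perm_spec` is applied on top of whatever is already assigned instead of replacing it. Indentation is lost on this page, but the re-added `set_owner_permissions(self)` lines suggest the owner defaults are skipped in that case too, and the later hunk at `@@ -226,7 +271,8 @@` likewise skips `purge_geofence_layer_rules`. Add a docstring entry such as `created: when True, existing permissions and GeoFence rules are kept and perm_spec is added to them` and state the precondition under which callers may pass it.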
@@ -226,7 +271,8 @@ def set_permissions(self, perm_spec):
# Owner
if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False):
if self.polymorphic_ctype.name == 'layer':
- purge_geofence_layer_rules(self.get_self_resource())
+ if not created:
+ purge_geofence_layer_rules(self.get_self_resource())
perms = [
"view_resourcebase",
"change_layer_data",
@@ -267,11 +313,10 @@ def set_permissions(self, perm_spec):
assign_perm(perm, _group, self.get_self_resource())
# Set the GeoFence Rules
- if _group and _group.name and _group.name == 'anonymous':
- _group = None
-
if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False):
if self.polymorphic_ctype.name == 'layer':
+ if _group and _group.name and _group.name == 'anonymous':
+ _group = None
sync_geofence_with_guardian(self.layer, perms, group=_group)
# AnonymousUser
@@ -290,3 +335,44 @@ def set_permissions(self, perm_spec):
if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False):
if self.polymorphic_ctype.name == 'layer':
sync_geofence_with_guardian(self.layer, perms)
+
+ def set_workflow_perms(self, approved=False, published=False):
+ """
+ | N/PUBLISHED | PUBLISHED
+ --------------------------------------------
+ N/APPROVED | GM/OWR | -
+ APPROVED | registerd | all
+ --------------------------------------------
+ """
+ anonymous_group = Group.objects.get(name='anonymous')
+ if approved:
+ if groups_settings.AUTO_ASSIGN_REGISTERED_MEMBERS_TO_REGISTERED_MEMBERS_GROUP_NAME:
+ _members_group_name = groups_settings.REGISTERED_MEMBERS_GROUP_NAME
+ _members_group_group = Group.objects.get(name=_members_group_name)
+ for perm in VIEW_PERMISSIONS:
+ assign_perm(perm,
+ _members_group_group, self.get_self_resource())
+
+ # Set the GeoFence Rules (user = None)
+ if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False):
+ if self.polymorphic_ctype.name == 'layer':
+ sync_geofence_with_guardian(self.layer, VIEW_PERMISSIONS, group=_members_group_group)
+ else:
+ for perm in VIEW_PERMISSIONS:
+ assign_perm(perm,
+ anonymous_group, self.get_self_resource())
+
+ # Set the GeoFence Rules (user = None)
+ if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False):
+ if self.polymorphic_ctype.name == 'layer':
+ sync_geofence_with_guardian(self.layer, VIEW_PERMISSIONS)
+
+ if published:
+ for perm in VIEW_PERMISSIONS:
+ assign_perm(perm,
+ anonymous_group, self.get_self_resource())
+
+ # Set the GeoFence Rules (user = None)
+ if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False):
+ if self.polymorphic_ctype.name == 'layer':
+ sync_geofence_with_guardian(self.layer, VIEW_PERMISSIONS)
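Review bot: The code does not match the table in the docstring: `if published:` grants VIEW_PERMISSIONS to the anonymous group regardless of `approved`, although the table shows `-` for not-approved/published, and the `else:` branch grants them to anonymous without `published` being set at all. Either gate the last block with `if approved and published:` and remove the anonymous grant from the `else:` branch, or correct the table to describe what is intended. `Group.objects.get(name='anonymous')` also raises if the group is missing, where set_default_permissions uses `get_or_create`. The docstring has no summary line and `registerd` is misspelled.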
diff --git a/geonode/security/tests.py b/geonode/security/tests.py
index 36fe85a8821..fa5f582cfad 100644
--- a/geonode/security/tests.py
+++ b/geonode/security/tests.py
@@ -1169,7 +1169,7 @@ def test_not_superuser_permissions(self):
# Check GeoFence Rules have been correctly created
geofence_rules_count = get_geofence_rules_count()
_log("1. geofence_rules_count: %s " % geofence_rules_count)
- self.assertEqual(geofence_rules_count, 9)
+ self.assertEqual(geofence_rules_count, 14)
self.assertTrue(self.client.login(username='bobby', password='bob'))
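Review bot: Raising the expected count from 9 to 14 only checks how many GeoFence rules exist, not which user or group each new rule is for or what access it grants. The extra rules presumably come from the new manager and group syncs, so a comment listing the five additional rules, or an assertion on the rule principals, would make a regression in who gets access visible. The same applies to the second count in the next hunk. test_not_superuser_permissions extends beyond this hunk.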
@@ -1244,7 +1244,7 @@ def test_not_superuser_permissions(self):
# Check GeoFence Rules have been correctly created
geofence_rules_count = get_geofence_rules_count()
_log("3. geofence_rules_count: %s " % geofence_rules_count)
- self.assertEqual(geofence_rules_count, 9)
+ self.assertEqual(geofence_rules_count, 14)
# 5. change_resourcebase_permissions
# should be impossible for the user without change_resourcebase_permissions
diff --git a/geonode/security/utils.py b/geonode/security/utils.py
index f5bd80ed1fa..835665578d1 100644
--- a/geonode/security/utils.py
+++ b/geonode/security/utils.py
@@ -34,48 +34,37 @@
from django.conf import settings
from django.db.models import Q
from django.contrib.auth import get_user_model
-# from django.contrib.gis.geos import GEOSGeometry
+from django.core.exceptions import PermissionDenied
from django.contrib.contenttypes.models import ContentType
-# from django.contrib.auth import login
from django.contrib.auth.models import Group, Permission
from django.core.exceptions import ObjectDoesNotExist
from guardian.utils import get_user_obj_perms_model
from guardian.shortcuts import assign_perm, get_anonymous_user
-from geonode.groups.models import GroupProfile
+
+from geonode.utils import resolve_object
from geonode.utils import get_layer_workspace
+from geonode.groups.models import GroupProfile
logger = logging.getLogger("geonode.security.utils")
def get_visible_resources(queryset,
user,
+ request=None,
admin_approval_required=False,
unpublished_not_visible=False,
private_groups_not_visibile=False):
- is_admin = False
- is_manager = False
- if user:
- is_admin = user.is_superuser if user else False
- try:
- is_manager = user.groupmember_set.all().filter(role='manager').exists()
- except Exception:
- is_manager = False
-
# Get the list of objects the user has access to
+ is_admin = False
anonymous_group = None
public_groups = GroupProfile.objects.exclude(access="private").values('group')
groups = []
group_list_all = []
- manager_groups = []
try:
group_list_all = user.group_list_all().values('group')
except Exception:
pass
- try:
- manager_groups = Group.objects.filter(
- name__in=user.groupmember_set.filter(role="manager").values_list("group__slug", flat=True))
- except Exception:
- pass
+
try:
anonymous_group = Group.objects.get(name='anonymous')
if anonymous_group and anonymous_group not in groups:
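Review bot: `is_admin` is now initialised to False and the line that set it from `user.is_superuser` is removed, so in the lines visible here it is never True and the later `if not is_admin:` guard always runs. Superusers would then go through the same private-group and dirty-state exclusions as ordinary users; if that is not intended, restore `is_admin = bool(user and user.is_superuser)`, otherwise delete the variable and the guard. The new `request=None` parameter is inserted before `admin_approval_required`, which shifts positional arguments for any caller not using keywords. A few lines between this hunk and the next are not shown.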
@@ -85,57 +74,56 @@ def get_visible_resources(queryset,
filter_set = queryset
- if admin_approval_required:
- if not is_admin:
- if is_manager:
- filter_set = filter_set.filter(
- Q(is_published=True) |
- Q(group__in=groups) |
- Q(group__in=manager_groups) |
- Q(group__in=group_list_all) |
- Q(group__in=public_groups) |
- Q(owner__username__iexact=str(user)))
- elif user:
- filter_set = filter_set.filter(
- Q(is_published=True) |
- Q(group__in=groups) |
- Q(group__in=group_list_all) |
- Q(group__in=public_groups) |
- Q(owner__username__iexact=str(user)))
- else:
+ if not is_admin:
+ if admin_approval_required:
+ if not user or user.is_anonymous:
filter_set = filter_set.filter(
Q(is_published=True) |
Q(group__in=public_groups) |
- Q(group__in=groups))
+ Q(group__in=groups)
+ ).exclude(Q(is_approved=False))
- if unpublished_not_visible:
- if not is_admin:
- if user:
- filter_set = filter_set.exclude(
- Q(is_published=False) & ~(
- Q(owner__username__iexact=str(user)) | Q(group__in=group_list_all)))
- else:
+ # Hide Unpublished Resources to Anonymous Users
+ if unpublished_not_visible:
+ if not user or user.is_anonymous:
filter_set = filter_set.exclude(Q(is_published=False))
- if private_groups_not_visibile:
- if not is_admin:
+ # Hide Resources Belonging to Private Groups
+ if private_groups_not_visibile:
private_groups = GroupProfile.objects.filter(access="private").values('group')
- if user:
+ if user and user.is_authenticated:
filter_set = filter_set.exclude(
Q(group__in=private_groups) & ~(
- Q(owner__username__iexact=str(user)) | Q(group__in=group_list_all)))
+ Q(owner__username__iexact=str(user)) | Q(group__in=group_list_all))
+ )
else:
filter_set = filter_set.exclude(group__in=private_groups)
- # Hide Dirty State Resources
- if not is_admin:
- if user:
+ # Hide Dirty State Resources
+ if user and user.is_authenticated:
filter_set = filter_set.exclude(
Q(dirty_state=True) & ~(
- Q(owner__username__iexact=str(user)) | Q(group__in=group_list_all)))
- else:
+ Q(owner__username__iexact=str(user)) | Q(group__in=group_list_all))
+ )
+ elif not user or user.is_anonymous:
filter_set = filter_set.exclude(Q(dirty_state=True))
- return filter_set
+
+ _allowed_resources = []
+ for _resource in filter_set.all():
+ try:
+ resolve_object(
+ request,
+ _resource.__class__,
+ {
+ 'id': _resource.id
+ },
+ 'base.view_resourcebase',
+ user=user)
+ _allowed_resources.append(_resource.id)
+ except (PermissionDenied, Exception) as e:
+ logger.debug(e)
+
+ return filter_set.filter(id__in=_allowed_resources)
def get_users_with_perms(obj):
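Review bot: The new loop at the end of get_visible_resources evaluates the whole filtered queryset and calls `resolve_object` once per resource, so every listing costs one permission lookup per row before any pagination; consider a single set-based query (for example guardian's `get_objects_for_user`) if it can express the same rule. `except (PermissionDenied, Exception)` is equivalent to `except Exception`, and it hides a resource on any error while logging only at debug level, so a broken lookup looks the same as a denied one. Split it into `except PermissionDenied: continue` and `except Exception: logger.exception(...)`, keeping the fail-closed behaviour. `request` defaults to None and is passed straight to `resolve_object`, so confirm that helper accepts a missing request.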
@@ -635,16 +623,27 @@ def sync_geofence_with_guardian(layer, perms, user=None, group=None):
layer.set_dirty_state()
-def set_owner_permissions(resource):
+def set_owner_permissions(resource, members=None):
"""assign all admin permissions to the owner"""
if resource.polymorphic_ctype:
- # Set the GeoFence Owner Rule
+ # Owner & Manager Admin Perms
admin_perms = models.VIEW_PERMISSIONS + models.ADMIN_PERMISSIONS
+ for perm in admin_perms:
+ if not settings.RESOURCE_PUBLISHING and not settings.ADMIN_MODERATE_UPLOADS:
+ assign_perm(perm, resource.owner, resource.get_self_resource())
+ elif perm not in ['change_resourcebase_permissions', 'publish_resourcebase']:
+ assign_perm(perm, resource.owner, resource.get_self_resource())
+ if members:
+ for user in members:
+ assign_perm(perm, user, resource.get_self_resource())
+
+ # Set the GeoFence Owner Rule
if resource.polymorphic_ctype.name == 'layer':
for perm in models.LAYER_ADMIN_PERMISSIONS:
assign_perm(perm, resource.owner, resource.layer)
- for perm in admin_perms:
- assign_perm(perm, resource.owner, resource.get_self_resource())
+ if members:
+ for user in members:
+ assign_perm(perm, user, resource.layer)
def remove_object_permissions(instance):
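Review bot: The docstring `"""assign all admin permissions to the owner"""` no longer describes the function: when RESOURCE_PUBLISHING or ADMIN_MODERATE_UPLOADS is on, the owner is not given `change_resourcebase_permissions` or `publish_resourcebase`, and the new `members` argument also receives permissions. Document both, and say explicitly whether `members` receive the two withheld permissions, because the indentation lost on this page hides the nesting of `if members:` and that nesting decides it. The two permission names would be easier to audit as a named constant next to ADMIN_PERMISSIONS than as an inline list.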
@@ -705,18 +704,6 @@ def _get_geofence_payload(layer, layer_name, workspace, access, user=None, group
service_el = etree.SubElement(root_el, "service")
service_el.text = service
if service and service == "*" and geo_limit is not None and geo_limit != "":
- # if getattr(layer, 'storeType', None) == 'coverageStore' and getattr(layer, 'srid', None):
- # native_crs = layer.srid
- # if native_crs != 'EPSG:4326':
- # try:
- # _native_srid = int(native_crs[5:])
- # _wkt_wgs84 = geo_limit.split(';')[1]
- # _poly = GEOSGeometry(_wkt_wgs84, srid=4326)
- # _poly.transform(_native_srid)
- # geo_limit = _poly.ewkt
- # except Exception as e:
- # traceback.print_exc()
- # logger.exception(e)
access_el = etree.SubElement(root_el, "access")
access_el.text = "LIMIT"
limits = etree.SubElement(root_el, "limits")
diff --git a/geonode/settings.py b/geonode/settings.py
index cba07442189..d718e11b1cd 100644
--- a/geonode/settings.py
+++ b/geonode/settings.py
@@ -1810,6 +1810,9 @@ def get_geonode_catalogue_service():
# ######################################################## #
"""
- if [ RESOURCE_PUBLISHING == True ]
+ 1. "unpublished" won't be visibile to Anonymous users
+ 2. "unpublished" will be visible to registered users **IF** they have view permissions
+ 3. "unpublished" will be always visible to the owner and Group Managers
By default the uploaded resources will be "unpublished".
The owner will be able to change them to "published" **UNLESS** the ADMIN_MODERATE_UPLOADS is activated.
If the owner assigns unpublished resources to a Group, both from Metadata and Permissions, in any case
@@ -1829,13 +1832,13 @@ def get_geonode_catalogue_service():
Editor will be **FORCED** to select a Group when editing the resource metadata.
"""
-# option to enable/disable resource unpublishing for administrators
+# option to enable/disable resource unpublishing for administrators and members
RESOURCE_PUBLISHING = ast.literal_eval(os.getenv('RESOURCE_PUBLISHING', 'False'))
# Each uploaded Layer must be approved by an Admin before becoming visible
ADMIN_MODERATE_UPLOADS = ast.literal_eval(os.environ.get('ADMIN_MODERATE_UPLOADS', 'False'))
-# If this option is enabled, Resources belonging to a Group won't be
+# If this option is enabled, Resources belonging to a Group (with access private) won't be
# visible by others
GROUP_PRIVATE_RESOURCES = ast.literal_eval(os.environ.get('GROUP_PRIVATE_RESOURCES', 'False'))
diff --git a/geonode/social/views.py b/geonode/social/views.py
index 74048ae5d4a..1e2814fc611 100644
--- a/geonode/social/views.py
+++ b/geonode/social/views.py
@@ -17,33 +17,61 @@
# along with this program. If not, see .
#
#########################################################################
+import logging
from actstream.models import Action
from django.views.generic import ListView
+from django.core.exceptions import PermissionDenied
+
+from geonode.utils import resolve_object
+from geonode.base.models import ResourceBase
+
+logger = logging.getLogger(__name__)
class RecentActivity(ListView):
"""
Returns recent public activity.
"""
- context_object_name = 'action_list'
- queryset = Action.objects.filter(public=True)[:15]
+ model = Action
template_name = 'social/activity_list.html'
def get_context_data(self, *args, **kwargs):
context = super(ListView, self).get_context_data(*args, **kwargs)
+
+ def _filter_actions(action, request):
+ if action == 'all':
+ _actions = Action.objects.filter(public=True)[:1000]
+ else:
+ _actions = Action.objects.filter(
+ public=True, action_object_content_type__model=action)[:1000]
+ _filtered_actions = []
+ for _action in _actions:
+ try:
+ resolve_object(
+ request,
+ ResourceBase,
+ {
+ 'id': _action.action_object_object_id
+ },
+ 'base.view_resourcebase')
+ _filtered_actions.append(_action.id)
+ except ResourceBase.DoesNotExist:
+ _filtered_actions.append(_action.id)
+ except (PermissionDenied, Exception) as e:
+ logger.debug(e)
+ return _filtered_actions
+
+ context['action_list'] = Action.objects.filter(
+ id__in=_filter_actions('all', self.request))[:15]
context['action_list_layers'] = Action.objects.filter(
- public=True,
- action_object_content_type__model='layer')[:15]
+ id__in=_filter_actions('layer', self.request))[:15]
context['action_list_maps'] = Action.objects.filter(
- public=True,
- action_object_content_type__model='map')[:15]
+ id__in=_filter_actions('map', self.request))[:15]
context['action_list_documents'] = Action.objects.filter(
- public=True,
- action_object_content_type__model='document')[:15]
+ id__in=_filter_actions('document', self.request))[:15]
context['action_list_comments'] = Action.objects.filter(
- public=True,
- action_object_content_type__model='comment')[:15]
+ id__in=_filter_actions('comment', self.request))[:15]
return context
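Review bot: `_filter_actions` looks up `_action.action_object_object_id` in ResourceBase whatever the action object's content type is, so for the `'all'` and `'comment'` lists a comment's id may be checked against an unrelated resource that happens to share the number, and the visibility decision is then made on the wrong object. The `except ResourceBase.DoesNotExist` branch also keeps the action when no resource is found, which is the permissive choice; a comment should state why that is safe. Each of the five lists runs up to 1000 `resolve_object` calls per request, so filtering once and partitioning by content type would cut that considerably. As in geonode/security/utils.py, `except (PermissionDenied, Exception)` is just `except Exception`.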
diff --git a/geonode/templates/search/_search_content.html b/geonode/templates/search/_search_content.html
index f4aa132e40c..ce253b8ceb4 100644
--- a/geonode/templates/search/_search_content.html
+++ b/geonode/templates/search/_search_content.html
@@ -52,7 +52,7 @@
{% elif facet_type == 'documents' %}
{% else %}
-
+
{% endif %}
{% include "search/_sort_filters.html" %}
diff --git a/geonode/templates/search/_type_filters.html b/geonode/templates/search/_type_filters.html
index 1e11b4f400e..dcf8b7ef24a 100644
--- a/geonode/templates/search/_type_filters.html
+++ b/geonode/templates/search/_type_filters.html
@@ -8,8 +8,9 @@