Advanced workflow: remove change_permissions to the owner if not a ma…

…nager
GeoNode · Oct 21, 2020 · 9a1552a · 9a1552a
1 parent aceaf13
commit 9a1552a
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 25 deletions.
diff --git a/geonode/base/models.py b/geonode/base/models.py
@@ -879,6 +879,10 @@ def save(self, notify=False, *args, **kwargs):
                 if settings.ADMIN_MODERATE_UPLOADS:
                     if self.is_approved and not self.is_published and \
                     self.__is_approved != self.is_approved:
+                        # Set "approved" workflow permissions
+                        self.set_workflow_perms(approved=True)
+
+                        # Send "approved" notification
                         notice_type_label = '%s_approved' % self.class_name.lower()
                         recipients = get_notification_recipients(notice_type_label)
                         send_notification(recipients, notice_type_label, {'resource': self})
@@ -888,6 +892,10 @@ def save(self, notify=False, *args, **kwargs):
                 if not _notification_sent and settings.RESOURCE_PUBLISHING:
                     if self.is_approved and self.is_published and \
                     self.__is_published != self.is_published:
+                        # Set "published" workflow permissions
+                        self.set_workflow_perms(published=True)
+
+                        # Send "published" notification
                         notice_type_label = '%s_published' % self.class_name.lower()
                         recipients = get_notification_recipients(notice_type_label)
                         send_notification(recipients, notice_type_label, {'resource': self})

diff --git a/geonode/base/utils.py b/geonode/base/utils.py
@@ -180,14 +180,20 @@ def _disable_owner_write_permissions(self):
             remove_perm(perm, self.resource.owner, self.resource)
 
         for perm in self.resource.BASE_PERMISSIONS.get('read') + self.resource.BASE_PERMISSIONS.get('download'):
-            assign_perm(perm, self.resource.owner, self.resource.get_self_resource())
+            if (settings.RESOURCE_PUBLISHING or settings.ADMIN_MODERATE_UPLOADS) and \
+            perm not in ['change_resourcebase_permissions', 'publish_resourcebase']:
+                assign_perm(perm, self.resource.owner, self.resource.get_self_resource())
 
     def _restore_owner_permissions(self):
 
         for perm_list in self.resource.BASE_PERMISSIONS.values():
             for perm in perm_list:
-                assign_perm(perm, self.resource.owner, self.resource.get_self_resource())
+                if (settings.RESOURCE_PUBLISHING or settings.ADMIN_MODERATE_UPLOADS) and \
+                perm not in ['change_resourcebase_permissions', 'publish_resourcebase']:
+                    assign_perm(perm, self.resource.owner, self.resource.get_self_resource())
 
         for perm_list in self.resource.PERMISSIONS.values():
             for perm in perm_list:
-                assign_perm(perm, self.resource.owner, self.resource)
+                if (settings.RESOURCE_PUBLISHING or settings.ADMIN_MODERATE_UPLOADS) and \
+                perm not in ['change_resourcebase_permissions', 'publish_resourcebase']:
+                    assign_perm(perm, self.resource.owner, self.resource)
diff --git a/geonode/security/models.py b/geonode/security/models.py
@@ -25,6 +25,8 @@
 from django.contrib.auth import get_user_model
 from django.core.exceptions import ObjectDoesNotExist
 
+from geonode.groups.conf import settings as groups_settings
+
 from guardian.shortcuts import (
     assign_perm,
     get_groups_with_perms
@@ -84,7 +86,8 @@ def get_all_level_info(self):
                     managers = group_profile.get_managers()
                     if managers:
                         for manager in managers:
-                            if manager not in users and not manager.is_superuser:
+                            if manager not in users and not manager.is_superuser and \
+                            manager != resource.owner:
                                 for perm in ADMIN_PERMISSIONS + VIEW_PERMISSIONS:
                                     assign_perm(perm, manager, resource)
                                 users[manager] = ADMIN_PERMISSIONS + VIEW_PERMISSIONS
@@ -152,6 +155,11 @@ def set_default_permissions(self):
         obj_group_managers = []
         if user_groups:
             for _user_group in user_groups:
+                if groups_settings.AUTO_ASSIGN_REGISTERED_MEMBERS_TO_REGISTERED_MEMBERS_GROUP_NAME:
+                    _members_group_name = groups_settings.REGISTERED_MEMBERS_GROUP_NAME
+                    if (settings.RESOURCE_PUBLISHING or settings.ADMIN_MODERATE_UPLOADS) and \
+                    _members_group_name == _user_group.name:
+                        continue
                 try:
                     _group_profile = GroupProfile.objects.get(slug=_user_group.name)
                     managers = _group_profile.get_managers()
@@ -209,12 +217,12 @@ def set_default_permissions(self):
                     sync_geofence_with_guardian(self.layer, perms, group=user_group)
 
                 # Anonymous
+                perms = ["view_resourcebase"]
                 if anonymous_can_view:
-                    perms = ["view_resourcebase"]
                     sync_geofence_with_guardian(self.layer, perms, user=None, group=None)
 
+                perms = ["download_resourcebase"]
                 if anonymous_can_download:
-                    perms = ["download_resourcebase"]
                     sync_geofence_with_guardian(self.layer, perms, user=None, group=None)
 
     def set_permissions(self, perm_spec, created=False):
@@ -319,3 +327,44 @@ def set_permissions(self, perm_spec, created=False):
                 if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False):
                     if self.polymorphic_ctype.name == 'layer':
                         sync_geofence_with_guardian(self.layer, perms)
+
+    def set_workflow_perms(self, approved=False, published=False):
+        """
+                          |  N/PUBLISHED   | PUBLISHED
+          --------------------------------------------
+            N/APPROVED    |     GM/OWR     |     -
+            APPROVED      |   registerd    |    all
+          --------------------------------------------
+        """
+        anonymous_group = Group.objects.get(name='anonymous')
+        if approved:
+            if groups_settings.AUTO_ASSIGN_REGISTERED_MEMBERS_TO_REGISTERED_MEMBERS_GROUP_NAME:
+                _members_group_name = groups_settings.REGISTERED_MEMBERS_GROUP_NAME
+                _members_group_group = Group.objects.get(name=_members_group_name)
+                for perm in VIEW_PERMISSIONS:
+                    assign_perm(perm,
+                                _members_group_group, self.get_self_resource())
+
+                # Set the GeoFence Rules (user = None)
+                if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False):
+                    if self.polymorphic_ctype.name == 'layer':
+                        sync_geofence_with_guardian(self.layer, VIEW_PERMISSIONS, group=_members_group_group)
+            else:
+                for perm in VIEW_PERMISSIONS:
+                    assign_perm(perm,
+                                anonymous_group, self.get_self_resource())
+
+                # Set the GeoFence Rules (user = None)
+                if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False):
+                    if self.polymorphic_ctype.name == 'layer':
+                        sync_geofence_with_guardian(self.layer, VIEW_PERMISSIONS)
+
+        if published:
+            for perm in VIEW_PERMISSIONS:
+                assign_perm(perm,
+                            anonymous_group, self.get_self_resource())
+
+            # Set the GeoFence Rules (user = None)
+            if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False):
+                if self.polymorphic_ctype.name == 'layer':
+                    sync_geofence_with_guardian(self.layer, VIEW_PERMISSIONS)
diff --git a/geonode/security/utils.py b/geonode/security/utils.py
@@ -618,7 +618,9 @@ def set_owner_permissions(resource, members=None):
                     for user in members:
                         assign_perm(perm, user, resource.layer)
         for perm in admin_perms:
-            assign_perm(perm, resource.owner, resource.get_self_resource())
+            if (settings.RESOURCE_PUBLISHING or settings.ADMIN_MODERATE_UPLOADS) and \
+            perm not in ['change_resourcebase_permissions', 'publish_resourcebase']:
+                assign_perm(perm, resource.owner, resource.get_self_resource())
             if members:
                 for user in members:
                     assign_perm(perm, user, resource.get_self_resource())
@@ -682,18 +684,6 @@ def _get_geofence_payload(layer, layer_name, workspace, access, user=None, group
         service_el = etree.SubElement(root_el, "service")
         service_el.text = service
     if service and service == "*" and geo_limit is not None and geo_limit != "":
-        # if getattr(layer, 'storeType', None) == 'coverageStore' and getattr(layer, 'srid', None):
-        #     native_crs = layer.srid
-        #     if native_crs != 'EPSG:4326':
-        #         try:
-        #             _native_srid = int(native_crs[5:])
-        #             _wkt_wgs84 = geo_limit.split(';')[1]
-        #             _poly = GEOSGeometry(_wkt_wgs84, srid=4326)
-        #             _poly.transform(_native_srid)
-        #             geo_limit = _poly.ewkt
-        #         except Exception as e:
-        #             traceback.print_exc()
-        #             logger.exception(e)
         access_el = etree.SubElement(root_el, "access")
         access_el.text = "LIMIT"
         limits = etree.SubElement(root_el, "limits")

diff --git a/geonode/utils.py b/geonode/utils.py
@@ -929,8 +929,7 @@ def resolve_object(request, model, query, permission='base.view_resourcebase',
             if not request.user or request.user.is_anonymous:
                 raise Http404
             elif not is_admin:
-                if is_owner or (
-                        is_manager and request.user in obj_group_managers):
+                if is_manager and request.user in obj_group_managers:
                     if (not request.user.has_perm('publish_resourcebase', obj_to_check)) and (
                         not request.user.has_perm('view_resourcebase', obj_to_check)) and (
                             not request.user.has_perm('change_resourcebase_metadata', obj_to_check)) and (
@@ -957,10 +956,6 @@ def resolve_object(request, model, query, permission='base.view_resourcebase',
                                 'change_resourcebase', request.user, obj_to_check)
                             assign_perm(
                                 'delete_resourcebase', request.user, obj_to_check)
-                            assign_perm(
-                                'change_resourcebase_permissions',
-                                request.user,
-                                obj_to_check)
 
     allowed = True
     if permission.split('.')[-1] in ['change_layer_data',