[Fixes GeoNode#10055] Modify Metadata form with permissions check (GeoNode#10057) (GeoNode#10076)

github-actions[bot] · marthamareal · giohappy · ridoo · commit 81d91538db9d · 2022-10-26T08:32:35.000+02:00
* -[Fixes GeoNode#10055] Modify Metadata form with permissions check * - check user in form * - update tests * - add tests Co-authored-by: Giovanni Allegri <giohappy@gmail.com> Co-authored-by: NAGGINDA MARTHA <marthamareal@gmail.com> Co-authored-by: Giovanni Allegri <giohappy@gmail.com>
diff --git a/geonode/base/forms.py b/geonode/base/forms.py
@@ -484,7 +484,9 @@ def __init__(self, *args, **kwargs):
         self.user = kwargs.pop('user', None)
         super().__init__(*args, **kwargs)
         self.fields['regions'].choices = get_tree_data()
-
+        self.can_change_perms = self.user and self.user.has_perm(
+            'change_resourcebase_permissions', self.instance.get_self_resource()
+        )
         if self.instance and self.instance.id and self.instance.metadata.exists():
             self.fields['extra_metadata'].initial = [x.metadata for x in self.instance.metadata.all()]
 
@@ -501,6 +503,9 @@ def __init__(self, *args, **kwargs):
                         'data-container': 'body',
                         'data-html': 'true'})
 
+            if field in ['poc', 'owner'] and not self.can_change_perms:
+                self.fields[field].disabled = True
+
     def disable_keywords_widget_for_non_superuser(self, user):
         if settings.FREETEXT_KEYWORDS_READONLY and not user.is_superuser:
             self['keywords'].field.disabled = True
diff --git a/geonode/geoapps/tests.py b/geonode/geoapps/tests.py
@@ -136,7 +136,7 @@ def test_resource_form_is_valid_extra_metadata(self):
             "date_type": "creation",
             "language": "eng",
             "extra_metadata": '[{"id": 1, "filter_header": "object", "field_name": "object", "field_label": "object", "field_value": "object"}]'
-        })
+        }, user=self.user)
         self.assertTrue(form.is_valid())
 
     def test_geoapp_category_is_correctly_assigned_in_metadata_upload(self):
diff --git a/geonode/layers/tests.py b/geonode/layers/tests.py
@@ -1877,6 +1877,62 @@ def test_resource_form_is_invalid_extra_metadata_not_json_format(self):
         expected = {"success": False, "errors": ["extra_metadata: The value provided for the Extra metadata field is not a valid JSON"]}
         self.assertDictEqual(expected, response.json())
 
+    def test_change_owner_in_metadata(self):
+        try:
+            test_user = get_user_model().objects.create_user(
+                username='non_auth',
+                email="non_auth@geonode.org",
+                password='password')
+            norman = get_user_model().objects.get(username='norman')
+            dataset = Dataset.objects.first()
+            data = {
+                "resource-title": "geoapp_title",
+                "resource-date": "2022-01-24 16:38 pm",
+                "resource-date_type": "creation",
+                "resource-language": "eng",
+                'dataset_attribute_set-TOTAL_FORMS': 0,
+                'dataset_attribute_set-INITIAL_FORMS': 0
+            }
+            perm_spec = {
+                "users": {
+                    "non_auth": [
+                        'change_resourcebase_metadata',
+                        'change_resourcebase',
+                    ],
+                    "norman": [
+                        'change_resourcebase_metadata',
+                        'change_resourcebase_permissions'
+                    ],
+                }
+            }
+            self.assertTrue(dataset.set_permissions(perm_spec))
+            self.assertFalse(test_user.has_perm('change_resourcebase_permissions', dataset.get_self_resource()))
+
+            url = reverse("dataset_metadata", args=(dataset.alternate,))
+            # post as non-authorised user
+            self.client.login(username="non_auth", password="password")
+            data["resource-owner"] = test_user.id
+            response = self.client.post(url, data=data)
+            self.assertEqual(response.status_code, 200)
+            self.assertNotEqual(dataset.owner, test_user)
+            # post as admin
+            self.client.login(username="admin", password="admin")
+            response = self.client.post(url, data=data)
+            dataset.refresh_from_db()
+            self.assertEqual(response.status_code, 200)
+            self.assertEqual(dataset.owner, test_user)
+            # post as an authorised user
+            self.client.login(username="norman", password="norman")
+            self.assertTrue(norman.has_perm('change_resourcebase_permissions', dataset.get_self_resource()))
+            data["resource-owner"] = norman.id
+            response = self.client.post(url, data=data)
+            dataset.refresh_from_db()
+            self.assertEqual(response.status_code, 200)
+            self.assertEqual(dataset.owner, norman)
+        finally:
+            get_user_model().objects.filter(username='non_auth').delete
+            Dataset.objects.filter(name='dataset_name').delete()
+
     @override_settings(EXTRA_METADATA_SCHEMA={"key": "value"})
     def test_resource_form_is_invalid_extra_metadata_not_schema_in_settings(self):
         self.client.login(username="admin", password="admin")
diff --git a/geonode/maps/tests.py b/geonode/maps/tests.py
@@ -710,7 +710,7 @@ def test_resource_form_is_invalid_extra_metadata_invalids_schema_entry(self):
         self.assertIn(expected, response.json()['errors'][0])
 
     def test_resource_form_is_valid_extra_metadata(self):
-        form = self.sut(data={
+        form = self.sut(user=self.user, data={
             "owner": self.map.owner.id,
             "title": "map_title",
             "date": "2022-01-24 16:38 pm",
