User defined permissions will break the permissions exposed by the API #12639

Open
ridoo opened this issue Oct 8, 2024 · 3 comments

ridoo commented Oct 8, 2024

Expected Behavior

Creating and adding custom permissions to a user (via group) does not have any effect on handling user permissions.

Actual Behavior

Adding new permissions to a user, which are not known by GeoNode, raises an exception while mapping permissions in people/models.py#perms. As a result, the API skips the perms attribute completely. With the API skipping that attribute, geonode-mapstore-client sees no permissions given to a user. For example, a user who has actual contributor permissions will not have the ability to (for example) add new resources.

Steps to Reproduce the Problem

See my discussion about custom permissions to reproduce.

  1. Add new user (id 1001) to contributor group
  2. Check /api/v2/users/1001 contains perms attribute
  3. Add a custom permission to a group a user belongs to
  4. Check /api/v2/users/1001 is missing perms attribute

Specifications

  • GeoNode version: 4.3.1 (but would affect older versions, which I did not test)
  • Installation type (vanilla, geonode-project):
  • Installation method (manual, docker):
  • Platform:
  • Additional details: Adding custom permissions #12635
ridoo added the bug label Oct 8, 2024

ridoo commented Oct 8, 2024

@giohappy @mattiagiupponi the solution seems as easy as doing

```python
# return constant names defined by GeoNode
#perms = [PERMISSIONS[db_perm] for db_perm in group_perms]
perms = group_perms
```

but I am unsure if that mapping has a specific reason. In any case, the mapping should stay the same but could be changed to allow unknown permissions. I tested locally, and did not see any other things break on the geonode-mapstore-client side.

Do you want me to create a PR for it?

However, looking at the whole method

```python
def perms(self):
    if self.is_superuser or self.is_staff:
        # return all permissions for admins
        perms = PERMISSIONS.values()
    else:
        user_groups = self.groups.values_list("name", flat=True)
        group_perms = (
            Permission.objects.filter(group__name__in=user_groups).distinct().values_list("codename", flat=True)
        )
        # return constant names defined by GeoNode
        perms = [PERMISSIONS[db_perm] for db_perm in group_perms]
    # check READ_ONLY mode
    config = Configuration.load()
    if config.read_only:
        # exclude permissions affected by readonly
        perms = [perm for perm in perms if perm not in READ_ONLY_AFFECTED_PERMISSIONS]
    return perms
```

it seems that staff users do not get extra permissions at all. Is this intended?
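
The failure reported in this issue, next to a lookup that keeps the mapping but tolerates unknown codenames, as an added example that is not part of the thread or of GeoNode's code. The two dictionaries and the sample codenames are constructed stand-ins, and `user_payload` is a hypothetical simplification of how the API response is built.

```python
# Constructed stand-ins for GeoNode's PERMISSIONS and READ_ONLY_AFFECTED_PERMISSIONS
# constants; the real dictionaries live in GeoNode and have more entries.
PERMISSIONS = {"add_resourcebase": "add_resource"}
READ_ONLY_AFFECTED_PERMISSIONS = ["add_resource"]

# Constructed sample: codenames collected from a user's groups.
# "can_export_reports" is a hypothetical custom permission; "add_site" is the
# stock Django codename for adding a site.
GROUP_PERMS = ["add_resourcebase", "can_export_reports", "add_site"]


def strict_perms(group_perms):
    """Mapping as in the quoted method: any unknown codename raises KeyError."""
    return [PERMISSIONS[db_perm] for db_perm in group_perms]


def tolerant_perms(group_perms, read_only=False):
    """Map known codenames to GeoNode names and pass unknown ones through."""
    perms = []
    for db_perm in group_perms:
        name = PERMISSIONS.get(db_perm, db_perm)
        if name not in perms:  # keep order, drop duplicates
            perms.append(name)
    if read_only:
        perms = [p for p in perms if p not in READ_ONLY_AFFECTED_PERMISSIONS]
    return perms


def user_payload(pk, perms_fn, group_perms):
    """Simplified stand-in for the API response: a failing lookup drops 'perms'."""
    payload = {"pk": pk}
    try:
        payload["perms"] = perms_fn(group_perms)
    except KeyError:
        pass  # the attribute is skipped, as reported for /api/v2/users/1001
    return payload


if __name__ == "__main__":
    print(user_payload(1001, strict_perms, GROUP_PERMS))    # no "perms" key
    print(user_payload(1001, tolerant_perms, GROUP_PERMS))  # "perms" present
```
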

@kikislater

Interesting!
Just to link issues about staff: #12551

ridoo commented Oct 10, 2024

BTW: The perms attribute is also skipped when a user gets non-custom permissions like adding site.

@giohappy @mattiagiupponi the solution seems as easy as doing

```python
# return constant names defined by GeoNode
#perms = [PERMISSIONS[db_perm] for db_perm in group_perms]
perms = group_perms
```

This quick guess omits the actual mapping. However, I created a PR which adds all permissions (even for admin and staff).
