From 3d1fc8b962fb09f7aebea9c71d78267c74f10e24 Mon Sep 17 00:00:00 2001
From: mattiagiupponi <51856725+mattiagiupponi@users.noreply.github.com>
Date: Fri, 17 May 2024 17:49:47 +0200
Subject: [PATCH] fix workflow (#12238)
(cherry picked from commit 684a1f3572a39b6ab8ba5a6ce7ea4d96fc739c8c)
---
 geonode/resource/manager.py | 14 +++++++++--
 geonode/security/models.py | 14 +++++++++--
 geonode/security/tests.py | 48 +++++++++++++++++++++++++++++++++++++
 geonode/security/utils.py | 3 +--
 4 files changed, 73 insertions(+), 6 deletions(-)
diff --git a/geonode/resource/manager.py b/geonode/resource/manager.py
index ad64452d6dc..5673409488e 100644
--- a/geonode/resource/manager.py
+++ b/geonode/resource/manager.py
@@ -859,7 +859,12 @@ def _safe_assign_perm(perm, user_or_group, obj=None):
 )
 else:
 for user_group in get_user_groups(_owner):
- if not skip_registered_members_common_group(user_group):
+ # if AdvancedSecurityWorkflowManager.is_auto_publishing_workflow() is False,
+ # means that at least one config of the advanced workflow is set, which means that users group get view_permissions
+ if (
+ not skip_registered_members_common_group(user_group)
+ and not AdvancedSecurityWorkflowManager.is_auto_publishing_workflow()
+ ):
 _safe_assign_perm("view_resourcebase", user_group, _resource.get_self_resource())
 _prev_perm = (
 _perm_spec["groups"].get(user_group, []) if "groups" in _perm_spec else []
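Review bot: The comment added above the new condition in the `for user_group in get_user_groups(_owner)` loop never says which way the check grants access. The same text sits over the `download_resourcebase` branch in the second manager.py hunk, where it still says view_permissions, and in both geonode/security/models.py hunks, where it names `aswm` although the condition calls `AdvancedSecurityWorkflowManager` directly. Because this line decides whether the owner's groups receive a default grant, I would state the rule itself, e.g. `# Owner's groups get this default permission only when the advanced workflow is enabled (not auto-publishing); the registered-members group is always skipped here.` The four-line condition is repeated verbatim in four places across two files, so a later edit to one copy can leave the view and download defaults disagreeing; one shared predicate would keep them aligned, and `is_auto_publishing_workflow()` does not depend on `user_group`, so it can be read once before the loop. The enclosing function starts and ends outside the hunk.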
@@ -883,7 +888,12 @@ def _safe_assign_perm(perm, user_or_group, obj=None):
 )
 else:
 for user_group in get_user_groups(_owner):
- if not skip_registered_members_common_group(user_group):
+ # if AdvancedSecurityWorkflowManager.is_auto_publishing_workflow() is False,
+ # means that at least one config of the advanced workflow is set, which means that users group get view_permissions
+ if (
+ not skip_registered_members_common_group(user_group)
+ and not AdvancedSecurityWorkflowManager.is_auto_publishing_workflow()
+ ):
 _safe_assign_perm(
 "download_resourcebase", user_group, _resource.get_self_resource()
 )
diff --git a/geonode/security/models.py b/geonode/security/models.py
index 2a878368827..de9ece62f6d 100644
--- a/geonode/security/models.py
+++ b/geonode/security/models.py
@@ -201,7 +201,12 @@ def set_default_permissions(self, owner=None, created=False):
 perm_spec["groups"][anonymous_group] = ["view_resourcebase"]
 else:
 for user_group in user_groups:
- if not skip_registered_members_common_group(user_group):
+ # if aswm.is_auto_publishing_workflow() is False, means that at least one config of the advanced workflow
+ # is set, which means that users group get view_permissions
+ if (
+ not skip_registered_members_common_group(user_group)
+ and not AdvancedSecurityWorkflowManager.is_auto_publishing_workflow()
+ ):
 perm_spec["groups"][user_group] = ["view_resourcebase"]
 anonymous_can_download = settings.DEFAULT_ANONYMOUS_DOWNLOAD_PERMISSION
@@ -209,7 +214,12 @@ def set_default_permissions(self, owner=None, created=False):
 perm_spec["groups"][anonymous_group] = ["view_resourcebase", "download_resourcebase"]
 else:
 for user_group in user_groups:
- if not skip_registered_members_common_group(user_group):
+ # if aswm.is_auto_publishing_workflow() is False, means that at least one config of the advanced workflow
+ # is set, which means that users group get view_permissions
+ if (
+ not skip_registered_members_common_group(user_group)
+ and not AdvancedSecurityWorkflowManager.is_auto_publishing_workflow()
+ ):
 perm_spec["groups"][user_group] = ["view_resourcebase", "download_resourcebase"]
 AdvancedSecurityWorkflowManager.handle_moderated_uploads(self.uuid, instance=self)
diff --git a/geonode/security/tests.py b/geonode/security/tests.py
index 433f4aa6de7..d621a77a13d 100644
--- a/geonode/security/tests.py
+++ b/geonode/security/tests.py
@@ -20,6 +20,7 @@
 import json
 import base64
 import logging
+import uuid
 import requests
 import importlib
 import mock
@@ -2267,6 +2268,53 @@ def test_permissions_on_user_role_promote_to_manager_only_RESOURCE_PUBLISHING_ac
 set(expected_perms), set(perms_got), msg=f"use case #0 - user: {authorized_subject.username}"
 )
+ @override_settings(DEFAULT_ANONYMOUS_VIEW_PERMISSION=False)
+ def test_if_anonymoys_default_perms_is_false_should_not_assign_perms_to_user_group(self):
+ """
+ if DEFAULT_ANONYMOUS_VIEW_PERMISSION is False, the user's group should not get any permission
+ """
+
+ resource = resource_manager.create(str(uuid.uuid4), Dataset, defaults={"owner": self.group_member})
+ self.assertFalse(self.group_profile.group in resource.get_all_level_info()["groups"].keys())
+
+ @override_settings(DEFAULT_ANONYMOUS_DOWNLOAD_PERMISSION=False)
+ def test_if_anonymoys_default_download_perms_is_false_should_not_assign_perms_to_user_group(self):
+ """
+ if DEFAULT_ANONYMOUS_DOWNLOAD_PERMISSION is False, the user's group should not get any permission
+ """
+
+ resource = resource_manager.create(str(uuid.uuid4), Dataset, defaults={"owner": self.group_member})
+ self.assertFalse(self.group_profile.group in resource.get_all_level_info()["groups"].keys())
+
+ @override_settings(DEFAULT_ANONYMOUS_DOWNLOAD_PERMISSION=False)
+ @override_settings(RESOURCE_PUBLISHING=True)
+ def test_if_anonymoys_default_perms_is_false_should_assign_perms_to_user_group_if_advanced_workflow_is_on(self):
+ """
+ if DEFAULT_ANONYMOUS_DOWNLOAD_PERMISSION is False and the advanced workflow is activate
+ the user's group should get the view and download permission
+ """
+
+ resource = resource_manager.create(str(uuid.uuid4), Dataset, defaults={"owner": self.group_member})
+ self.assertTrue(self.group_profile.group in resource.get_all_level_info()["groups"].keys())
+ group_val = resource.get_all_level_info()["groups"][self.group_profile.group]
+ self.assertSetEqual({"view_resourcebase", "download_resourcebase"}, set(group_val))
+
+ @override_settings(DEFAULT_ANONYMOUS_VIEW_PERMISSION=False)
+ @override_settings(ADMIN_MODERATE_UPLOADS=True)
+ def test_if_anonymoys_default_perms_is_false_should_assign_perms_to_user_group_if_advanced_workflow_is_on_moderate(
+ self,
+ ):
+ """
+ if DEFAULT_ANONYMOUS_VIEW_PERMISSION is False and the advanced workflow is activate
+ the user's group should get the view and download permission
+ """
+
+ resource = resource_manager.create(str(uuid.uuid4), Dataset, defaults={"owner": self.group_member})
+
+ self.assertTrue(self.group_profile.group in resource.get_all_level_info()["groups"].keys())
+ group_val = resource.get_all_level_info()["groups"][self.group_profile.group]
+ self.assertSetEqual({"view_resourcebase", "download_resourcebase"}, set(group_val))
+
 @override_settings(RESOURCE_PUBLISHING=True)
 @override_settings(ADMIN_MODERATE_UPLOADS=True)
diff --git a/geonode/security/utils.py b/geonode/security/utils.py
index 91b567562de..312c2a417fb 100644
--- a/geonode/security/utils.py
+++ b/geonode/security/utils.py
@@ -221,8 +221,7 @@ def get_geoapp_subtypes():
 def skip_registered_members_common_group(user_group):
- _members_group_name = groups_settings.REGISTERED_MEMBERS_GROUP_NAME
- if (settings.RESOURCE_PUBLISHING or settings.ADMIN_MODERATE_UPLOADS) and _members_group_name == user_group.name:
+ if groups_settings.REGISTERED_MEMBERS_GROUP_NAME == user_group.name:
 return True
 return False
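Review bot: In geonode/security/tests.py all four new tests pass `str(uuid.uuid4)` to `resource_manager.create`, which stringifies the function object instead of calling it, so the resource uuid is the function's repr rather than a fresh UUID; it should be `str(uuid.uuid4())`. That repr is presumably the same for every call within one test process, so the four tests may end up creating or reusing a resource under one identifier, which would weaken what the permission assertions prove; this is worth confirming against how `create` treats an existing uuid. The two negative tests also leave `RESOURCE_PUBLISHING` and `ADMIN_MODERATE_UPLOADS` at whatever the ambient test settings are, and pinning both to `False` with `@override_settings` would make the "group gets no permission" expectation independent of the settings file. The method names spell `anonymoys`.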
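Review bot: `skip_registered_members_common_group` in geonode/security/utils.py now returns True for the registered-members group regardless of `RESOURCE_PUBLISHING` and `ADMIN_MODERATE_UPLOADS`, with the workflow check moved out to the four call sites this patch touches. Any caller outside the patch (none is visible here) silently gets the stricter behaviour, so the remaining uses should be checked before merging. The function has no docstring stating the new contract; I would add `"""Return True when user_group is the registered-members common group, independent of the workflow settings."""`. The body can then be the comparison itself, `return groups_settings.REGISTERED_MEMBERS_GROUP_NAME == user_group.name`.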