[Fixes #5801] Check User permissions for private group

GeoNode · Nov 15, 2020 · ef830b1 · ef830b1
1 parent e1d986e
commit ef830b1
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 16 deletions.
diff --git a/geonode/documents/views.py b/geonode/documents/views.py
@@ -519,11 +519,10 @@ def document_metadata(
         try:
             all_metadata_author_groups = chain(
                 request.user.group_list_all(),
-                GroupProfile.objects.exclude(
-                    access="private").exclude(access="public-invite"))
+                GroupProfile.objects.exclude(access="private"))
         except Exception:
             all_metadata_author_groups = GroupProfile.objects.exclude(
-                access="private").exclude(access="public-invite")
+                access="private")
         [metadata_author_groups.append(item) for item in all_metadata_author_groups
             if item not in metadata_author_groups]
 

diff --git a/geonode/groups/views.py b/geonode/groups/views.py
@@ -146,6 +146,9 @@ def get_queryset(self):
     def get(self, request, *args, **kwargs):
         self.group = get_object_or_404(
             models.GroupProfile, slug=kwargs.get('slug'))
+        if self.group.access == 'private' and \
+        not self.group.user_is_member(request.user):
+            raise Http404
         return super(GroupDetailView, self).get(request, *args, **kwargs)
 
     def get_context_data(self, **kwargs):

diff --git a/geonode/layers/views.py b/geonode/layers/views.py
@@ -1185,11 +1185,10 @@ def layer_metadata(
         try:
             all_metadata_author_groups = chain(
                 request.user.group_list_all().distinct(),
-                GroupProfile.objects.exclude(
-                    access="private").exclude(access="public-invite"))
+                GroupProfile.objects.exclude(access="private"))
         except Exception:
             all_metadata_author_groups = GroupProfile.objects.exclude(
-                access="private").exclude(access="public-invite")
+                access="private")
         [metadata_author_groups.append(item) for item in all_metadata_author_groups
             if item not in metadata_author_groups]
 

diff --git a/geonode/maps/views.py b/geonode/maps/views.py
@@ -387,11 +387,10 @@ def map_metadata(
         try:
             all_metadata_author_groups = chain(
                 request.user.group_list_all(),
-                GroupProfile.objects.exclude(
-                    access="private").exclude(access="public-invite"))
+                GroupProfile.objects.exclude(access="private"))
         except Exception:
             all_metadata_author_groups = GroupProfile.objects.exclude(
-                access="private").exclude(access="public-invite")
+                access="private")
         [metadata_author_groups.append(item) for item in all_metadata_author_groups
             if item not in metadata_author_groups]
 

diff --git a/geonode/people/adapters.py b/geonode/people/adapters.py
@@ -139,7 +139,7 @@ def enhanced_invitation_context(self, context):
         user = context.get("inviter") if context.get("inviter") else context.get("user")
         full_name = " ".join((user.first_name, user.last_name)) if user.first_name or user.last_name else None
         user_groups = GroupProfile.objects.filter(
-            slug__in=user.groupmember_set.filter().values_list("group__slug", flat=True))
+            slug__in=user.groupmember_set.all().values_list("group__slug", flat=True))
         enhanced_context = context.copy()
         enhanced_context.update({
             "username": user.username,

diff --git a/geonode/views.py b/geonode/views.py
@@ -17,9 +17,9 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 #########################################################################
+import json
 
 from django import forms
-import json
 from django.db.models import Q
 from django.urls import reverse
 from django.conf import settings
@@ -84,15 +84,19 @@ def ajax_lookup(request):
             content='use a field named "query" to specify a prefix to filter usernames',
             content_type='text/plain')
     keyword = request.POST['query']
-    users = get_user_model().objects.filter(Q(username__icontains=keyword)).exclude(Q(username='AnonymousUser') |
-                                                                                    Q(is_active=False))
-    groups = GroupProfile.objects.filter(Q(title__icontains=keyword) |
-                                         Q(slug__icontains=keyword))
+    users = get_user_model().objects.filter(
+        Q(username__icontains=keyword)).exclude(Q(username='AnonymousUser') |
+                                                Q(is_active=False))
+    groups = GroupProfile.objects.filter(
+        Q(title__icontains=keyword) |
+        Q(slug__icontains=keyword)).exclude(
+            Q(access='private') & ~Q(
+                slug__in=request.user.groupmember_set.all().values_list("group__slug", flat=True))
+        )
     json_dict = {
         'users': [({'username': u.username}) for u in users],
         'count': users.count(),
     }
-
     json_dict['groups'] = [({'name': g.slug, 'title': g.title})
                            for g in groups]
     return HttpResponse(