Check User permissions for private group

[t-book]

Describe the solution you'd like
GroupDetailView should check if group is private and if user is member.

[t-book]

@afabiani one more minor issue found in permissions form:

would change json_dict['groups'] in Ajax_lookup to something like

    json_dict['groups'] = [({'name': g.slug, 'title': g.title})
                           for g in groups
                           if g.user_is_member(request.user) 
                           or g.access == "public"]

or maybe better in the inital db query to avoid to many database hits?

[gannebamm]

Sidenote: Groups will be displayed on LayerDetailViews and the LayerListView, too. From there Links are displayed which would lead to a dead end, if the above is implemented.

[t-book]

@gannebamm not sure about it.
check: https://master.demo.geonode.org/layers/geonode_data:geonode:empty_layer

The private group is not showing up ad layer detail.

[gannebamm]

Same here @sjohn-atenekom :
Could you test this behaviour? I think those security-related issues are relevant for AteneKOM? This help would be very much appreciated :D

[ghost]

I could reproduce the problem. a user can assign the permissions for a private group in which he is not a member.
But what do you mean by this, @gannebamm?

Sidenote: Groups will be displayed on LayerDetailViews and the LayerListView, too. From there Links are displayed which would lead to a dead end, if the above is implemented.

[afabiani]

This behavior is enabled only when you set the GROUP_PRIVATE_RESOURCES to True

This is part of a set of 4 settings which allow you to enable (partially or fully) and advanced data validation workflow

[gannebamm]

But what do you mean by this, @gannebamm?

Sidenote: Groups will be displayed on LayerDetailViews and the LayerListView, too. From there Links are displayed which would lead to a dead end, if the above is implemented.

I can not reproduce this old behaviour I seem to have spotted.

I could reproduce the problem. a user can assign the permissions for a private group in which he is not a member.

I can reproduce this issue of seeing a private group in the permissions, too. I think this is an issue since the documentation states (https://docs.geonode.org/en/master/admin/admin_panel/index.html#types-of-groups):
Private: only invited users can join the group, registered users cannot see any details about the group, including membership.

@afabiani I think GROUP_PRIVATE_RESOURCES will make all resources inside a group non-visible by non-group users. This is a good switch but not related to this issue I think.

So you should not be able to see private groups if you are not a member of them. I would vote for @t-book idea to check in the template, or on the sql query side for group visibility permissions.

[gannebamm]

Same for linking dokuments:

I can see private groups in the autocomplete, even though I am not a member of them. This is with enabled GROUP_PRIVATE_RESOURCES.

[t-book]

@gannebamm Confirmed. Private groups do show up for non group members (GROUP_PRIVATE_RESOURCES=True). My understanding is a private group should be private. In other words non members should not even know of the group existence. If you and @afabiani agree I would follow up with my patch here and create a PR: #5801 (comment)

[gannebamm]

Yes, that is my understanding of private groups, too. They shouldn't be visible by anyone except members.

[afabiani]

Yes, this is correct. They should show-up only if the user is currently a member or manager of the group.