GeoNode · giohappy · May 17, 2024 · May 17, 2024
diff --git a/geonode/resource/manager.py b/geonode/resource/manager.py
@@ -849,7 +849,12 @@ def _safe_assign_perm(perm, user_or_group, obj=None):
                             )
                         else:
                             for user_group in get_user_groups(_owner):
-                                if not skip_registered_members_common_group(user_group):
+                                # if AdvancedSecurityWorkflowManager.is_auto_publishing_workflow() is False,
+                                # means that at least one config of the advanced workflow is set, which means that users group get view_permissions
+                                if (
+                                    not skip_registered_members_common_group(user_group)
+                                    and not AdvancedSecurityWorkflowManager.is_auto_publishing_workflow()
+                                ):
                                     _safe_assign_perm("view_resourcebase", user_group, _resource.get_self_resource())
                                     _prev_perm = (
                                         _perm_spec["groups"].get(user_group, []) if "groups" in _perm_spec else []
@@ -873,7 +878,12 @@ def _safe_assign_perm(perm, user_or_group, obj=None):
                                 )
                             else:
                                 for user_group in get_user_groups(_owner):
-                                    if not skip_registered_members_common_group(user_group):
+                                    # if AdvancedSecurityWorkflowManager.is_auto_publishing_workflow() is False,
+                                    # means that at least one config of the advanced workflow is set, which means that users group get view_permissions
+                                    if (
+                                        not skip_registered_members_common_group(user_group)
+                                        and not AdvancedSecurityWorkflowManager.is_auto_publishing_workflow()
+                                    ):
                                         _safe_assign_perm(
                                             "download_resourcebase", user_group, _resource.get_self_resource()
                                         )

diff --git a/geonode/security/models.py b/geonode/security/models.py
@@ -201,15 +201,25 @@ def set_default_permissions(self, owner=None, created=False):
             perm_spec["groups"][anonymous_group] = ["view_resourcebase"]
         else:
             for user_group in user_groups:
-                if not skip_registered_members_common_group(user_group):
+                # if aswm.is_auto_publishing_workflow() is False, means that at least one config of the advanced workflow
+                # is set, which means that users group get view_permissions
+                if (
+                    not skip_registered_members_common_group(user_group)
+                    and not AdvancedSecurityWorkflowManager.is_auto_publishing_workflow()
+                ):
                     perm_spec["groups"][user_group] = ["view_resourcebase"]
 
         anonymous_can_download = settings.DEFAULT_ANONYMOUS_DOWNLOAD_PERMISSION
         if anonymous_can_download:
             perm_spec["groups"][anonymous_group] = ["view_resourcebase", "download_resourcebase"]
         else:
             for user_group in user_groups:
-                if not skip_registered_members_common_group(user_group):
+                # if aswm.is_auto_publishing_workflow() is False, means that at least one config of the advanced workflow
+                # is set, which means that users group get view_permissions
+                if (
+                    not skip_registered_members_common_group(user_group)
+                    and not AdvancedSecurityWorkflowManager.is_auto_publishing_workflow()
+                ):
                     perm_spec["groups"][user_group] = ["view_resourcebase", "download_resourcebase"]
 
         AdvancedSecurityWorkflowManager.handle_moderated_uploads(self.uuid, instance=self)

diff --git a/geonode/security/tests.py b/geonode/security/tests.py
@@ -20,6 +20,7 @@
 import json
 import base64
 import logging
+import uuid
 import requests
 import importlib
 import mock
@@ -2234,6 +2235,53 @@ def test_permissions_on_user_role_promote_to_manager_only_RESOURCE_PUBLISHING_ac
                 set(expected_perms), set(perms_got), msg=f"use case #0 - user: {authorized_subject.username}"
             )
 
+    @override_settings(DEFAULT_ANONYMOUS_VIEW_PERMISSION=False)
+    def test_if_anonymoys_default_perms_is_false_should_not_assign_perms_to_user_group(self):
+        """
+        if DEFAULT_ANONYMOUS_VIEW_PERMISSION is False, the user's group should not get any permission
+        """
+
+        resource = resource_manager.create(str(uuid.uuid4), Dataset, defaults={"owner": self.group_member})
+        self.assertFalse(self.group_profile.group in resource.get_all_level_info()["groups"].keys())
+
+    @override_settings(DEFAULT_ANONYMOUS_DOWNLOAD_PERMISSION=False)
+    def test_if_anonymoys_default_download_perms_is_false_should_not_assign_perms_to_user_group(self):
+        """
+        if DEFAULT_ANONYMOUS_DOWNLOAD_PERMISSION is False, the user's group should not get any permission
+        """
+
+        resource = resource_manager.create(str(uuid.uuid4), Dataset, defaults={"owner": self.group_member})
+        self.assertFalse(self.group_profile.group in resource.get_all_level_info()["groups"].keys())
+
+    @override_settings(DEFAULT_ANONYMOUS_DOWNLOAD_PERMISSION=False)
+    @override_settings(RESOURCE_PUBLISHING=True)
+    def test_if_anonymoys_default_perms_is_false_should_assign_perms_to_user_group_if_advanced_workflow_is_on(self):
+        """
+        if DEFAULT_ANONYMOUS_DOWNLOAD_PERMISSION is False and the advanced workflow is activate
+         the user's group should get the view and download permission
+        """
+
+        resource = resource_manager.create(str(uuid.uuid4), Dataset, defaults={"owner": self.group_member})
+        self.assertTrue(self.group_profile.group in resource.get_all_level_info()["groups"].keys())
+        group_val = resource.get_all_level_info()["groups"][self.group_profile.group]
+        self.assertSetEqual({"view_resourcebase", "download_resourcebase"}, set(group_val))
+
+    @override_settings(DEFAULT_ANONYMOUS_VIEW_PERMISSION=False)
+    @override_settings(ADMIN_MODERATE_UPLOADS=True)
+    def test_if_anonymoys_default_perms_is_false_should_assign_perms_to_user_group_if_advanced_workflow_is_on_moderate(
+        self,
+    ):
+        """
+        if DEFAULT_ANONYMOUS_VIEW_PERMISSION is False and the advanced workflow is activate
+         the user's group should get the view and download permission
+        """
+
+        resource = resource_manager.create(str(uuid.uuid4), Dataset, defaults={"owner": self.group_member})
+
+        self.assertTrue(self.group_profile.group in resource.get_all_level_info()["groups"].keys())
+        group_val = resource.get_all_level_info()["groups"][self.group_profile.group]
+        self.assertSetEqual({"view_resourcebase", "download_resourcebase"}, set(group_val))
+
 
 @override_settings(RESOURCE_PUBLISHING=True)
 @override_settings(ADMIN_MODERATE_UPLOADS=True)

diff --git a/geonode/security/utils.py b/geonode/security/utils.py
@@ -224,8 +224,7 @@ def get_geoapp_subtypes():
 
 
 def skip_registered_members_common_group(user_group):
-    _members_group_name = groups_settings.REGISTERED_MEMBERS_GROUP_NAME
-    if (settings.RESOURCE_PUBLISHING or settings.ADMIN_MODERATE_UPLOADS) and _members_group_name == user_group.name:
+    if groups_settings.REGISTERED_MEMBERS_GROUP_NAME == user_group.name:
         return True
     return False