From eab593fbfe23f230fb4d084d6b99b61a8fd0e720 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 17 May 2024 22:17:44 +0200
Subject: [PATCH] fix workflow (#12238) (#12239)
(cherry picked from commit 684a1f3572a39b6ab8ba5a6ce7ea4d96fc739c8c)
Co-authored-by: mattiagiupponi <51856725+mattiagiupponi@users.noreply.github.com>
---
 geonode/resource/manager.py | 14 +++++++++--
 geonode/security/models.py | 14 +++++++++--
 geonode/security/tests.py | 48 +++++++++++++++++++++++++++++++++++++
 geonode/security/utils.py | 3 +--
 4 files changed, 73 insertions(+), 6 deletions(-)
diff --git a/geonode/resource/manager.py b/geonode/resource/manager.py
index d10266e60ee..d4c94a1bc66 100644
--- a/geonode/resource/manager.py
+++ b/geonode/resource/manager.py
@@ -849,7 +849,12 @@ def _safe_assign_perm(perm, user_or_group, obj=None):
 )
 else:
 for user_group in get_user_groups(_owner):
- if not skip_registered_members_common_group(user_group):
+ # if AdvancedSecurityWorkflowManager.is_auto_publishing_workflow() is False,
+ # means that at least one config of the advanced workflow is set, which means that users group get view_permissions
+ if (
+ not skip_registered_members_common_group(user_group)
+ and not AdvancedSecurityWorkflowManager.is_auto_publishing_workflow()
+ ):
 _safe_assign_perm("view_resourcebase", user_group, _resource.get_self_resource())
 _prev_perm = (
 _perm_spec["groups"].get(user_group, []) if "groups" in _perm_spec else []
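Review bot: The added `is_auto_publishing_workflow()` test does not depend on `user_group`, yet it is evaluated on every loop iteration, and the same two-part guard is pasted into four places (both hunks of geonode/resource/manager.py and both hunks of geonode/security/models.py), so the default-permission policy can drift between the copies. Hoisting it before the `for`, e.g. `_grant_to_groups = not AdvancedSecurityWorkflowManager.is_auto_publishing_workflow()`, or folding both conditions into one shared helper, keeps that access decision in a single place. The comment is also hard to parse: it says "view_permissions" even above the `download_resourcebase` branch, and in models.py it refers to `aswm`, a name that does not appear in the visible code; something like `# Owner groups get default permissions only when the advanced workflow is enabled (not auto-publishing).` would read better. The enclosing function starts and ends outside these hunks.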
@@ -873,7 +878,12 @@ def _safe_assign_perm(perm, user_or_group, obj=None):
 )
 else:
 for user_group in get_user_groups(_owner):
- if not skip_registered_members_common_group(user_group):
+ # if AdvancedSecurityWorkflowManager.is_auto_publishing_workflow() is False,
+ # means that at least one config of the advanced workflow is set, which means that users group get view_permissions
+ if (
+ not skip_registered_members_common_group(user_group)
+ and not AdvancedSecurityWorkflowManager.is_auto_publishing_workflow()
+ ):
 _safe_assign_perm(
 "download_resourcebase", user_group, _resource.get_self_resource()
 )
diff --git a/geonode/security/models.py b/geonode/security/models.py
index 2a878368827..de9ece62f6d 100644
--- a/geonode/security/models.py
+++ b/geonode/security/models.py
@@ -201,7 +201,12 @@ def set_default_permissions(self, owner=None, created=False):
 perm_spec["groups"][anonymous_group] = ["view_resourcebase"]
 else:
 for user_group in user_groups:
- if not skip_registered_members_common_group(user_group):
+ # if aswm.is_auto_publishing_workflow() is False, means that at least one config of the advanced workflow
+ # is set, which means that users group get view_permissions
+ if (
+ not skip_registered_members_common_group(user_group)
+ and not AdvancedSecurityWorkflowManager.is_auto_publishing_workflow()
+ ):
 perm_spec["groups"][user_group] = ["view_resourcebase"]
 anonymous_can_download = settings.DEFAULT_ANONYMOUS_DOWNLOAD_PERMISSION
@@ -209,7 +214,12 @@ def set_default_permissions(self, owner=None, created=False):
 perm_spec["groups"][anonymous_group] = ["view_resourcebase", "download_resourcebase"]
 else:
 for user_group in user_groups:
- if not skip_registered_members_common_group(user_group):
+ # if aswm.is_auto_publishing_workflow() is False, means that at least one config of the advanced workflow
+ # is set, which means that users group get view_permissions
+ if (
+ not skip_registered_members_common_group(user_group)
+ and not AdvancedSecurityWorkflowManager.is_auto_publishing_workflow()
+ ):
 perm_spec["groups"][user_group] = ["view_resourcebase", "download_resourcebase"]
 AdvancedSecurityWorkflowManager.handle_moderated_uploads(self.uuid, instance=self)
diff --git a/geonode/security/tests.py b/geonode/security/tests.py
index 1d0f829b234..5ae00733cf4 100644
--- a/geonode/security/tests.py
+++ b/geonode/security/tests.py
@@ -20,6 +20,7 @@
 import json
 import base64
 import logging
+import uuid
 import requests
 import importlib
 import mock
@@ -2234,6 +2235,53 @@ def test_permissions_on_user_role_promote_to_manager_only_RESOURCE_PUBLISHING_ac set(expected_perms), set(perms_got), msg=f"use case #0 - user: {authorized_subject.username}" ) + @override_settings(DEFAULT_ANONYMOUS_VIEW_PERMISSION=False) + def test_if_anonymoys_default_perms_is_false_should_not_assign_perms_to_user_group(self): + """ + if DEFAULT_ANONYMOUS_VIEW_PERMISSION is False, the user's group should not get any permission + """ + + resource = resource_manager.create(str(uuid.uuid4), Dataset, defaults={"owner": self.group_member}) + self.assertFalse(self.group_profile.group in resource.get_all_level_info()["groups"].keys()) + + @override_settings(DEFAULT_ANONYMOUS_DOWNLOAD_PERMISSION=False) + def test_if_anonymoys_default_download_perms_is_false_should_not_assign_perms_to_user_group(self): + """ + if DEFAULT_ANONYMOUS_DOWNLOAD_PERMISSION is False, the user's group should not get any permission + """ + + resource = resource_manager.create(str(uuid.uuid4), Dataset, defaults={"owner": self.group_member}) + self.assertFalse(self.group_profile.group in resource.get_all_level_info()["groups"].keys()) + + @override_settings(DEFAULT_ANONYMOUS_DOWNLOAD_PERMISSION=False) + @override_settings(RESOURCE_PUBLISHING=True) + def test_if_anonymoys_default_perms_is_false_should_assign_perms_to_user_group_if_advanced_workflow_is_on(self): + """ + if DEFAULT_ANONYMOUS_DOWNLOAD_PERMISSION is False and the advanced workflow is activate + the user's group should get the view and download permission + """ + + resource = resource_manager.create(str(uuid.uuid4), Dataset, defaults={"owner": self.group_member}) + self.assertTrue(self.group_profile.group in resource.get_all_level_info()["groups"].keys()) + group_val = resource.get_all_level_info()["groups"][self.group_profile.group] + self.assertSetEqual({"view_resourcebase", "download_resourcebase"}, set(group_val)) + + @override_settings(DEFAULT_ANONYMOUS_VIEW_PERMISSION=False) + 
@override_settings(ADMIN_MODERATE_UPLOADS=True) + def test_if_anonymoys_default_perms_is_false_should_assign_perms_to_user_group_if_advanced_workflow_is_on_moderate( + self, + ): + """ + if DEFAULT_ANONYMOUS_VIEW_PERMISSION is False and the advanced workflow is activate + the user's group should get the view and download permission + """ + + resource = resource_manager.create(str(uuid.uuid4), Dataset, defaults={"owner": self.group_member}) + + self.assertTrue(self.group_profile.group in resource.get_all_level_info()["groups"].keys()) + group_val = resource.get_all_level_info()["groups"][self.group_profile.group] + self.assertSetEqual({"view_resourcebase", "download_resourcebase"}, set(group_val)) + @override_settings(RESOURCE_PUBLISHING=True) @override_settings(ADMIN_MODERATE_UPLOADS=True) diff --git a/geonode/security/utils.py b/geonode/security/utils.py index 7ed61f199e2..98f13ab1395 100644 --- a/geonode/security/utils.py +++ b/geonode/security/utils.py @@ -224,8 +224,7 @@ def get_geoapp_subtypes(): def skip_registered_members_common_group(user_group): - _members_group_name = groups_settings.REGISTERED_MEMBERS_GROUP_NAME - if (settings.RESOURCE_PUBLISHING or settings.ADMIN_MODERATE_UPLOADS) and _members_group_name == user_group.name: + if groups_settings.REGISTERED_MEMBERS_GROUP_NAME == user_group.name: return True return False
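Review bot: `uuid.uuid4` is passed to `str()` without being called in all four new tests, so `resource_manager.create` receives the function's repr (something like `<function uuid4 at 0x…>`) instead of a fresh UUID; the argument should be `str(uuid.uuid4())`. As written, every test in a process uses the same identifier string, which can hide or cause collisions wherever that value is expected to be unique. The two negative tests also appear to rely on `RESOURCE_PUBLISHING` and `ADMIN_MODERATE_UPLOADS` being off in the test settings; pinning them with `@override_settings(RESOURCE_PUBLISHING=False, ADMIN_MODERATE_UPLOADS=False)` would keep the "no group permission" assertions independent of the environment. The method names spell "anonymoys" where "anonymous" is meant.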
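Review bot: `skip_registered_members_common_group` no longer consults `RESOURCE_PUBLISHING` or `ADMIN_MODERATE_UPLOADS`, so it now returns True for the registered-members group in every configuration and for every caller, not only the four call sites this patch guards. Callers outside this diff are not visible here and should be checked for reliance on the old settings-dependent result, since this helper decides which groups receive default permissions. A docstring stating the new contract would help, e.g. `"""Return True when user_group is the registered-members common group."""`, and the body reduces to `return groups_settings.REGISTERED_MEMBERS_GROUP_NAME == user_group.name`.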