diff --git a/geonode/base/api/serializers.py b/geonode/base/api/serializers.py
index ac136d33bab..660eb8f1cba 100644
--- a/geonode/base/api/serializers.py
+++ b/geonode/base/api/serializers.py
@@ -69,6 +69,7 @@
 from geonode.security.utils import get_resources_with_perms, get_geoapp_subtypes
 from geonode.resource.models import ExecutionRequest
 from django.contrib.gis.geos import Polygon
+from geonode.security.registry import permissions_registry
 logger = logging.getLogger(__name__)
@@ -523,7 +524,13 @@ class Meta:
 def to_representation(self, instance):
 request = self.context.get("request", None)
 resource = ResourceBase.objects.get(pk=instance)
- return resource.get_user_perms(request.user) if request and request.user and resource else []
+ return (
+ permissions_registry.get_perms(instance=resource, user=request.user, include_virtual=True)["users"][
+ request.user
+ ]
+ if request and request.user and resource
+ else []
+ )
 class LinksSerializer(DynamicModelSerializer):
diff --git a/geonode/resource/manager.py b/geonode/resource/manager.py
index 4d8842c8a70..ba139d672ab 100644
--- a/geonode/resource/manager.py
+++ b/geonode/resource/manager.py
@@ -588,6 +588,7 @@ def set_permissions(
 created=created,
 approval_status_changed=approval_status_changed,
 group_status_changed=group_status_changed,
+ include_virtual=False,
 )
 """
@@ -800,7 +801,7 @@ def _safe_assign_perm(perm, user_or_group, obj=None):
 uuid,
 instance=_resource,
 owner=owner,
- permissions=_resource.get_all_level_info(),
+ permissions=permissions_registry.get_perms(instance=_resource, include_virtual=True),
 created=created,
 ):
 # This might not be a severe error. E.g. for datasets outside of local GeoServer
diff --git a/geonode/security/handlers.py b/geonode/security/handlers.py
index ddfba19a539..f420a6c1be7 100644
--- a/geonode/security/handlers.py
+++ b/geonode/security/handlers.py
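Review bot: In `to_representation` (geonode/base/api/serializers.py, hunk `@@ -523,7 +524,13 @@`) the new lookup `["users"][request.user]` raises `KeyError` whenever the payload returned by the registry has no `users` entry for this user, which turns a permissions read into a server error. The registry reassigns the payload from every handler's `get_perms`, so its shape is not guaranteed at this point. Falling back to an empty list keeps the answer closed: use `.get("users", {}).get(request.user, [])` in place of `["users"][request.user]`. The enclosing class starts outside the hunk.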
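Review bot: In geonode/resource/manager.py, hunk `@@ -800,7 +801,7 @@`, the `permissions=` argument is now built with `include_virtual=True`, while the `set_permissions` hunk just above passes `include_virtual=False`, and neither place says why. If the callee here writes the payload to a backend, permissions that are meant to be virtual would end up as stored grants there. The call starts outside the hunk, so this cannot be confirmed from the visible lines. A comment at the call would settle it, for example `# virtual perms are included on purpose: <reason>`, or pass `include_virtual=False` if only stored permissions should be propagated.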
@@ -37,7 +37,14 @@ def __repr__(self):
 return self.__str__()
 @staticmethod
- def fixup_perms(instance, perms_payload, *args, **kwargs):
+ def fixup_perms(instance, perms_payload, include_virtual, *args, **kwargs):
+ return perms_payload
+
+ @staticmethod
+ def get_perms(instance, perms_payload, user, include_virtual, *args, **kwargs):
+ """
+ By default we dont provide any additional perms
+ """
 return perms_payload
@@ -47,7 +54,7 @@ class AdvancedWorkflowPermissionsHandler(BasePermissionsHandler):
 """
 @staticmethod
- def fixup_perms(instance, perms_payload, *args, **kwargs):
+ def fixup_perms(instance, perms_payload, include_virtual, *args, **kwargs):
 # Fixup Advanced Workflow permissions
 return AdvancedSecurityWorkflowManager.get_permissions(
 instance.uuid,
diff --git a/geonode/security/registry.py b/geonode/security/registry.py
index 512315186ee..af0db25c3a6 100644
--- a/geonode/security/registry.py
+++ b/geonode/security/registry.py
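Review bot: `include_virtual` becomes a required positional parameter of `BasePermissionsHandler.fixup_perms` and `get_perms` (geonode/security/handlers.py), yet nothing documents what the flag means or what a handler must return. A handler that still overrides `fixup_perms(instance, perms_payload, *args, **kwargs)` will receive the flag as the first element of `*args` without any error, so the contract needs to be written down. I would extend the `get_perms` docstring to say that `include_virtual` presumably controls whether computed, non-stored permissions may be applied to the payload, and that the returned payload must keep its `users` and `groups` keys because callers index into them. The same gap exists in `AdvancedWorkflowPermissionsHandler.fixup_perms` in the next hunk, where the parameter is accepted but not used in the visible lines; that body continues outside the hunk.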
@@ -52,9 +52,25 @@ def __check_item(self, item):
 if not isinstance(item, BasePermissionsHandler):
 raise Exception(f"Handler {item} is not a subclass of BasePermissionsHandler")
- def fixup_perms(self, instance, payload, *args, **kwargs):
+ def fixup_perms(self, instance, payload, include_virtual=True, *args, **kwargs):
 for handler in self.REGISTRY:
- payload = handler.fixup_perms(instance, payload, *args, **kwargs)
+ payload = handler.fixup_perms(instance, payload, include_virtual, *args, **kwargs)
+ return payload
+
+ def get_perms(self, instance, user=None, include_virtual=True, *args, **kwargs):
+ """
+ Return the payload with the permissions from the handlers.
+ The permissions payload can be edited by each permissions handler.
+ For example before return the payload, we can virtually remove perms
+ to the resource
+ """
+ if user:
+ payload = {"users": {user: instance.get_user_perms(user)}, "groups": {}}
+ else:
+ payload = instance.get_all_level_info()
+
+ for handler in self.REGISTRY:
+ payload = handler.get_perms(instance, payload, user, include_virtual=include_virtual, *args, **kwargs)
 return payload
 @classmethod
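Review bot: In the registry's `get_perms`, the handler call passes `include_virtual=include_virtual` by keyword ahead of `*args`, so any extra positional argument lands in the handler's `include_virtual` slot and the call fails with a `TypeError` for multiple values of that argument. `fixup_perms` a few lines above passes the flag positionally and does not have this problem. Pass it the same way here: `payload = handler.get_perms(instance, payload, user, include_virtual, *args, **kwargs)`. The docstring could also state that a truthy `user` narrows the payload to that user's entry with an empty `groups` map, since callers depend on that shape.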