Unable to clone a resource #9944
Comments
@mattiagiupponi somehow related to the new API permission checks?

I'll give a deeper check, but it may be possible. The user should have one of the specific permissions on that resource.

Here is the analysis: In this case, the user performs a PUT, and the class checks if the provided user has the In the case of CLONE, the user doesn't have the above perms on the resource, so the access is denied. @giohappy we need to decide how to proceed here.
@mattiagiupponi we need a more fine-grained control for specific methods and requests. I don't like very much the usage of PUT here, but apart from this, what we need is a specific permission check that overrides the generic ones for PUT (which assumes edit permissions).
Ideally, we should have a configurable DjangoModelPermissions subclass, to be attached to the specific method.
Makes sense, lemme write a POC to see if it may suit the need.
@giohappy Here follows a POC of a possible solution. The permission classes attribute on the API will be something like this:

```python
permission_classes = [
    IsAuthenticated,
    UserHasPerms(
        perms_dict={
            "PUT": ['add_resource', 'download_resourcebase']
        }
    )
]
```

Where the perms list will be defined for each endpoint. The perms_dict is not mandatory, so we can always rely on the default permissions defined.

```python
def has_permission(self, request, view):
    from geonode.base.models import ResourceBase
    queryset = self._queryset(view)
    # Method-specific perms from the dict, falling back to the default
    # DjangoModelPermissions mapping for the queryset's model.
    perms = self.perms_dict.get(request.method, None) or self.get_required_permissions(request.method, queryset.model)
    .......
```

The main logic will be the same where:

How does it look @giohappy?
Looks good to me.

@mattiagiupponi, @giohappy For resources that don't have download permission, e.g. dashboard, geostory and map, it will still return 403.
That's true, only datasets can be downloaded. Since the cloning endpoint is common, we have three choices here:

```python
perms_dict = {
    "dataset": {
        "PUT": ['add_resource', 'download_resourcebase']
    },
    "geoapp": {
        "PUT": ['add_resource']
    }
    .....
}
```

or having a default if the resource is not specified:

```python
perms_dict = {
    "dataset": {
        "PUT": ['add_resource', 'download_resourcebase']
    },
    "default": {
        "PUT": ['add_resource']
    }
    .....
}
```

@marthamareal @giohappy any thoughts?
@mattiagiupponi the second option looks the best to me. |
@giohappy Is this something new to be implemented, because at the moment a user can clone with only View permission. |
Indeed, we perform an ANY to let the user pass... converting it to an ALL may introduce other regression. I guess we need to talk about it or let the dict of the user perms define which operation is needed |
@mattiagiupponi yes, we definitely need to use granular rules for specific actions, and they will be defined with the dict. |
In the end, the permission class will look like the following:

```python
permission_classes = [
    IsAuthenticated,
    UserHasPerms(
        perms_dict={
            "dataset": {
                "PUT": ['add_resourcebase', 'download_resourcebase'], "rule": all
            },
            "document": {
                "PUT": ['add_resourcebase', 'download_resourcebase'], "rule": all
            },
            "default": {
                "PUT": ['add_resourcebase']
            }
        }
    )
]
```
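To make the lookup rules agreed in this thread concrete, here is an added, Django-free model of the per-resource-type, per-method perms_dict check (example code, not GeoNode's UserHasPerms). It assumes a resource type string and the set of the user's perm codenames are already known; the "rule" key defaults to `any` (the current ANY behaviour) and the "default" entry is used only when the resource type has no entry of its own.

```python
from typing import Callable, Iterable, List, Mapping, Optional, Set, Tuple

# Constructed table in the shape settled on in the thread: resource type ->
# HTTP method -> required perms, with an optional "rule" (all / any).
PERMS_DICT: Mapping[str, Mapping] = {
    "dataset": {"PUT": ["add_resourcebase", "download_resourcebase"], "rule": all},
    "document": {"PUT": ["add_resourcebase", "download_resourcebase"], "rule": all},
    "default": {"PUT": ["add_resourcebase"]},
}


def required_perms(perms_dict: Mapping[str, Mapping], resource_type: str,
                   method: str) -> Optional[Tuple[List[str], Callable[[Iterable[bool]], bool]]]:
    """Resolve (perms, rule) for a resource type and HTTP method.

    Falls back to the "default" entry when the resource type is not listed.
    Returns None when the resolved entry says nothing about this method, so the
    caller can fall back to the generic DjangoModelPermissions mapping instead
    of silently allowing the request.
    """
    entry = perms_dict.get(resource_type) or perms_dict.get("default") or {}
    perms = entry.get(method)
    if perms is None:
        return None
    # ANY is the behaviour the thread describes as current; ALL must be opted in.
    return list(perms), entry.get("rule", any)


def user_has_perms(perms_dict: Mapping[str, Mapping], resource_type: str,
                   method: str, user_perms: Set[str]) -> Optional[bool]:
    """True/False under the dict's rule, or None when the dict does not cover
    the method (hypothetical helper standing in for has_permission)."""
    spec = required_perms(perms_dict, resource_type, method)
    if spec is None:
        return None
    perms, rule = spec
    return rule(p in user_perms for p in perms)


if __name__ == "__main__":
    # A view-only user cloning a dataset: denied under "rule": all.
    print(user_has_perms(PERMS_DICT, "dataset", "PUT", {"view_resourcebase"}))
    # A geostory (no download perm exists) falls through to "default".
    print(user_has_perms(PERMS_DICT, "geostory", "PUT", {"add_resourcebase"}))
```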
Expected Behavior
All users, non-admin and admins, should be able to clone resources via the list option and SaveAs in view.
Actual Behavior
Steps to Reproduce the Problem
Save > SaveAs
Specifications