
[Backport 4.0.x] [Fixes #10055] Modify Metadata form with permissions check #10076

Merged
merged 1 commit into from
Oct 3, 2022
7 changes: 6 additions & 1 deletion geonode/base/forms.py
Expand Up @@ -484,7 +484,9 @@ def __init__(self, *args, **kwargs):
self.user = kwargs.pop('user', None)
super().__init__(*args, **kwargs)
self.fields['regions'].choices = get_tree_data()

self.can_change_perms = self.user and self.user.has_perm(
'change_resourcebase_permissions', self.instance.get_self_resource()
)
if self.instance and self.instance.id and self.instance.metadata.exists():
self.fields['extra_metadata'].initial = [x.metadata for x in self.instance.metadata.all()]

Expand All @@ -501,6 +503,9 @@ def __init__(self, *args, **kwargs):
'data-container': 'body',
'data-html': 'true'})

if field in ['poc', 'owner'] and not self.can_change_perms:
self.fields[field].disabled = True

def disable_keywords_widget_for_non_superuser(self, user):
if settings.FREETEXT_KEYWORDS_READONLY and not user.is_superuser:
self['keywords'].field.disabled = True
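Review bot: `self.can_change_perms` in the first hunk calls `self.instance.get_self_resource()` unconditionally, although the statement right after it still guards on `self.instance and self.instance.id`; if this form is ever built for an unsaved instance, the permission lookup presumably runs against a resource that is not persisted yet, so it is worth confirming that path or applying the same guard. The expression also yields `None` (or the user object itself) rather than a bool when no `user` is passed, so wrap it as `self.can_change_perms = bool(self.user and self.user.has_perm('change_resourcebase_permissions', self.instance.get_self_resource()))`. A missing user then fails closed, because the second hunk disables `poc` and `owner`, which is the right default but silent; a comment such as `# no user or no permission: poc/owner become disabled, so submitted values for them are ignored` would make that explicit for callers that forget the `user` kwarg. `__init__` starts and ends outside both hunks, so any other place that writes `owner` is not visible here.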
2 changes: 1 addition & 1 deletion geonode/geoapps/tests.py
Expand Up @@ -136,7 +136,7 @@ def test_resource_form_is_valid_extra_metadata(self):
"date_type": "creation",
"language": "eng",
"extra_metadata": '[{"id": 1, "filter_header": "object", "field_name": "object", "field_label": "object", "field_value": "object"}]'
})
}, user=self.user)
self.assertTrue(form.is_valid())

def test_geoapp_category_is_correctly_assigned_in_metadata_upload(self):
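--- a/geonode/layers/tests.py
+++ b/geonode/layers/tests.py
@@ -1877,6 +1877,62 @@ def test_resource_form_is_invalid_extra_metadata_not_json_format(self):
 expected = {"success": False, "errors": ["extra_metadata: The value provided for the Extra metadata field is not a valid JSON"]}
 self.assertDictEqual(expected, response.json())
 
+def test_change_owner_in_metadata(self):
+try:
+test_user = get_user_model().objects.create_user(
+username='non_auth',
+email="[email protected]",
+password='password')
+norman = get_user_model().objects.get(username='norman')
+dataset = Dataset.objects.first()
+data = {
+"resource-title": "geoapp_title",
+"resource-date": "2022-01-24 16:38 pm",
+"resource-date_type": "creation",
+"resource-language": "eng",
+'dataset_attribute_set-TOTAL_FORMS': 0,
+'dataset_attribute_set-INITIAL_FORMS': 0
+}
+perm_spec = {
+"users": {
+"non_auth": [
+'change_resourcebase_metadata',
+'change_resourcebase',
+],
+"norman": [
+'change_resourcebase_metadata',
+'change_resourcebase_permissions'
+],
+}
+}
+self.assertTrue(dataset.set_permissions(perm_spec))
+self.assertFalse(test_user.has_perm('change_resourcebase_permissions', dataset.get_self_resource()))
+
+url = reverse("dataset_metadata", args=(dataset.alternate,))
+# post as non-authorised user
+self.client.login(username="non_auth", password="password")
+data["resource-owner"] = test_user.id
+response = self.client.post(url, data=data)
+self.assertEqual(response.status_code, 200)
+self.assertNotEqual(dataset.owner, test_user)
+# post as admin
+self.client.login(username="admin", password="admin")
+response = self.client.post(url, data=data)
+dataset.refresh_from_db()
+self.assertEqual(response.status_code, 200)
+self.assertEqual(dataset.owner, test_user)
+# post as an authorised user
+self.client.login(username="norman", password="norman")
+self.assertTrue(norman.has_perm('change_resourcebase_permissions', dataset.get_self_resource()))
+data["resource-owner"] = norman.id
+response = self.client.post(url, data=data)
+dataset.refresh_from_db()
+self.assertEqual(response.status_code, 200)
+self.assertEqual(dataset.owner, norman)
+finally:
+get_user_model().objects.filter(username='non_auth').delete
+Dataset.objects.filter(name='dataset_name').delete()
+
 @override_settings(EXTRA_METADATA_SCHEMA={"key": "value"})
 def test_resource_form_is_invalid_extra_metadata_not_schema_in_settings(self):
 self.client.login(username="admin", password="admin")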
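Review bot: The unauthorised-user case in `test_change_owner_in_metadata` asserts on a stale object: `self.assertNotEqual(dataset.owner, test_user)` runs without a preceding `dataset.refresh_from_db()`, so it passes even if the POST did change the owner in the database, and the only negative check covering this permission fix proves nothing. Add `dataset.refresh_from_db()` before that assertion, as the admin and norman cases already do. In the `finally` block, `get_user_model().objects.filter(username='non_auth').delete` is missing its call parentheses, so the user is never deleted there, and the following line deletes a dataset named `'dataset_name'` that this test never creates. The test also exercises only `owner`; the `poc` field disabled by the same change has no equivalent case.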
2 changes: 1 addition & 1 deletion geonode/maps/tests.py
Expand Up @@ -710,7 +710,7 @@ def test_resource_form_is_invalid_extra_metadata_invalids_schema_entry(self):
self.assertIn(expected, response.json()['errors'][0])

def test_resource_form_is_valid_extra_metadata(self):
form = self.sut(data={
form = self.sut(user=self.user, data={
"owner": self.map.owner.id,
"title": "map_title",
"date": "2022-01-24 16:38 pm",