geonode.security.utils ====================== .. py:module:: geonode.security.utils Attributes ---------- .. autoapisummary:: geonode.security.utils.logger geonode.security.utils.AdminViewPermissionsSet geonode.security.utils.ResourceGroupsAndMembersSet Classes ------- .. autoapisummary:: geonode.security.utils.AdvancedSecurityWorkflowManager Functions --------- .. autoapisummary:: geonode.security.utils.get_visible_resources geonode.security.utils.get_users_with_perms geonode.security.utils.perms_as_set geonode.security.utils.get_resources_with_perms geonode.security.utils.get_geoapp_subtypes geonode.security.utils.skip_registered_members_common_group geonode.security.utils.get_user_groups geonode.security.utils.get_user_visible_groups Module Contents --------------- .. py:data:: logger .. py:function:: get_visible_resources(queryset, user, request=None, metadata_only=False, admin_approval_required=False, unpublished_not_visible=False, private_groups_not_visibile=False) .. py:function:: get_users_with_perms(obj) Override of the Guardian get_users_with_perms .. py:function:: perms_as_set(perm) -> set .. py:function:: get_resources_with_perms(user, filter_options={}, shortcut_kwargs={}) Returns resources a user has access to. .. py:function:: get_geoapp_subtypes() Returns a list of geoapp subtypes. Example ['geostory'] .. py:function:: skip_registered_members_common_group(user_group) .. py:function:: get_user_groups(owner, group=None) Returns all the groups belonging to the "owner" .. py:function:: get_user_visible_groups(user, include_public_invite: bool = False) Retrieves all the groups accordingly to the following conditions: - The user is member of - The group is public .. py:data:: AdminViewPermissionsSet .. py:data:: ResourceGroupsAndMembersSet .. py:class:: AdvancedSecurityWorkflowManager .. py:method:: is_anonymous_can_view() :staticmethod: .. py:method:: is_anonymous_can_download() :staticmethod: .. py:method:: is_group_private_mode() :staticmethod: .. py:method:: is_manager_publish_mode() :staticmethod: .. py:method:: is_admin_moderate_mode() :staticmethod: .. py:method:: is_auto_publishing_workflow() :staticmethod: **AUTO PUBLISHING** - `RESOURCE_PUBLISHING = False` - `ADMIN_MODERATE_UPLOADS = False` - When user creates a resource: - OWNER gets all the owner permissions (publish resource included) - ANONYMOUS can view and download - No change to the Group Manager is applied .. py:method:: is_simple_publishing_workflow() :staticmethod: **SIMPLE PUBLISHING** - `RESOURCE_PUBLISHING = True` (Autopublishing is disabled) - `ADMIN_MODERATE_UPLOADS = False` - When user creates a resource: - OWNER gets all the owner permissions (`publish_resource` and `change_resourcebase_permissions` INCLUDED) - Group MANAGERS of the user's groups will get the owner permissions (`publish_resource` EXCLUDED) - Group MEMBERS of the user's groups will get the `view_resourcebase`, `download_resourcebase` permission - ANONYMOUS can not view and download if the resource is not published - When resource has a group assigned: - OWNER gets all the owner permissions (`publish_resource` and `change_resourcebase_permissions` INCLUDED) - Group MANAGERS of the *resource's group* will get the owner permissions (`publish_resource` EXCLUDED) - Group MEMBERS of the *resource's group* will get the `view_resourcebase`, `download_resourcebase` permission .. py:method:: is_advanced_workflow() :staticmethod: **ADVANCED WORKFLOW** - `RESOURCE_PUBLISHING = True` - `ADMIN_MODERATE_UPLOADS = True` - When user creates a resource: - OWNER gets all the owner permissions (`publish_resource` and `change_resourcebase_permissions` EXCLUDED) - Group MANAGERS of the user's groups will get the owner permissions (`publish_resource` INCLUDED) - Group MEMBERS of the user's groups will get the `view_resourcebase`, `download_resourcebase` permission - ANONYMOUS can not view and download if the resource is not published - When resource has a group assigned: - OWNER gets all the owner permissions (`publish_resource` and `change_resourcebase_permissions` EXCLUDED) - Group MANAGERS of the resource's group will get the owner permissions (`publish_resource` INCLUDED) - Group MEMBERS of the resource's group will get the `view_resourcebase`, `download_resourcebase` permission .. py:method:: is_simplified_workflow() :staticmethod: **SIMPLIFIED WORKFLOW** - `RESOURCE_PUBLISHING = False` - `ADMIN_MODERATE_UPLOADS = True` .. note:: Is it even possibile? when the resource is automatically published, can it be un-published? If this combination is not allowed, we should either stop the process when reading the settings or log a warning and force a safe combination. - When user creates a resource: - OWNER gets all the owner permissions (`publish_resource` and `change_resourcebase_permissions` INCLUDED) - Group MANAGERS of the user's groups will get the owner permissions (`publish_resource` INCLUDED) - Group MEMBERS of the user's group will get the `view_resourcebase`, `download_resourcebase` permission - ANONYMOUS can view and download .. py:method:: is_allowed_to_approve(user, resource) :staticmethod: .. py:method:: is_allowed_to_publish(user, resource) :staticmethod: .. py:method:: assignable_perm_condition(perm, resource_type) :staticmethod: .. py:method:: get_instance(uuid: str) :staticmethod: .. py:method:: compute_admin_and_view_permissions_set(uuid: str, /, instance=None) -> AdminViewPermissionsSet :staticmethod: Returns a copy of the ADMIN_PERMISSIONS and VIEW_PERMISISONS of a resource accordinlgy to: - The resource_type - The resource_subtype .. py:method:: compute_resource_groups_and_members_set(uuid: str, /, instance=None, group=None) -> ResourceGroupsAndMembersSet :staticmethod: Returns a tuple containing: - The "Anonymous" Group - The "Registered Members" Group - The "Groups" belonging to the Resource Owner - The "managers" of the Groups affecting the Resource - The "members" of the Groups affecting the Resource .. py:method:: get_workflow_permissions(uuid: str, /, instance=None, perm_spec: dict = {'users': {}, 'groups': {}}, created: bool = False, approval_status_changed: bool = False, group_status_changed: bool = False) -> dict :staticmethod: Adapts the provided "perm_spec" according to the following schema: **Publishing Workflow Schema** +---------------------+-----------------------+-------------------------+ | | RESOURCE_PUBLISHING | ADMIN_MODERATE_UPLOADS | +---------------------+-----------------------+-------------------------+ | AUTO PUBLISH | X | X | +---------------------+-----------------------+-------------------------+ | SIMPLE PUBLISHING | ✓ | X | +---------------------+-----------------------+-------------------------+ | SIMPLIFIED WORKFLOW | X | ✓ | +---------------------+-----------------------+-------------------------+ | ADVANCED WORKFLOW | ✓ | ✓ | +---------------------+-----------------------+-------------------------+ **General Rules:** - **OWNER** can never publish, except in the **AUTO_PUBLISHING** workflow. - **MANAGERS** can always "publish" the resource. - **MEMBERS** can always "view" and "download" the resource. - When the OWNER is also a MANAGER, the MANAGER wins and can publish. - Others, except in the AUTO_PUBLISHING workflow. **Approval and Publishing Schema** +----------------+--------------+-------------+ | | N/PUBLISHED | PUBLISHED | +----------------+--------------+-------------+ | N/APPROVED | GM/OWR | - | +----------------+--------------+-------------+ | APPROVED | registered | all | +----------------+--------------+-------------+ Exceptions based on the enabled workflow: - **SIMPLIFIED WORKFLOW**: If the resource is "approved" or "published", OWNERS won't be able to change the resource data and permissions. - **ADVANCED WORKFLOW**: If the resource is "approved" or "published", OWNERS won't be able to change the resource data, metadata, and permissions. .. py:method:: get_permissions(uuid: str, /, instance=None, permissions: dict = {}, created: bool = False, approval_status_changed: bool = False, group_status_changed: bool = False) -> dict :staticmethod: Fix-ups the perm_spec accordingly to the enabled workflow (if any). For more details check the "get_workflow_permissions" method .. py:method:: handle_moderated_uploads(uuid: str, /, instance=None) -> object :staticmethod: .. py:method:: set_group_member_permissions(user, group, role) :staticmethod: