geonode.security.utils
Module Contents
- geonode.security.utils.get_visible_resources(queryset, user, request=None, metadata_only=False, admin_approval_required=False, unpublished_not_visible=False, private_groups_not_visibile=False)
- geonode.security.utils.get_users_with_perms(obj)
Override of the Guardian get_users_with_perms
- geonode.security.utils.get_resources_with_perms(user, filter_options={}, shortcut_kwargs={})
Returns resources a user has access to.
- geonode.security.utils.get_geoapp_subtypes()
Returns a list of geoapp subtypes. Example: ['geostory']
- geonode.security.utils.get_user_groups(owner, group=None)
Returns all the groups belonging to the “owner”
- geonode.security.utils.get_user_visible_groups(user, include_public_invite: bool = False)
Retrieves all the groups according to the following conditions:
The user is a member of
The group is public
- class geonode.security.utils.AdvancedSecurityWorkflowManager
- static is_auto_publishing_workflow()
- AUTO PUBLISHING
RESOURCE_PUBLISHING = False
ADMIN_MODERATE_UPLOADS = False
When user creates a resource:
OWNER gets all the owner permissions (publish resource included)
ANONYMOUS can view and download
No change to the Group Manager is applied
- static is_simple_publishing_workflow()
- SIMPLE PUBLISHING
RESOURCE_PUBLISHING = True (Autopublishing is disabled)
ADMIN_MODERATE_UPLOADS = False
When user creates a resource:
OWNER gets all the owner permissions (publish_resource and change_resourcebase_permissions INCLUDED)
Group MANAGERS of the user’s groups will get the owner permissions (publish_resource EXCLUDED)
Group MEMBERS of the user’s groups will get the view_resourcebase, download_resourcebase permission
ANONYMOUS can not view and download if the resource is not published
When resource has a group assigned:
OWNER gets all the owner permissions (publish_resource and change_resourcebase_permissions INCLUDED)
Group MANAGERS of the resource’s group will get the owner permissions (publish_resource EXCLUDED)
Group MEMBERS of the resource’s group will get the view_resourcebase, download_resourcebase permission
- static is_advanced_workflow()
- ADVANCED WORKFLOW
RESOURCE_PUBLISHING = True
ADMIN_MODERATE_UPLOADS = True
When user creates a resource:
OWNER gets all the owner permissions (publish_resource and change_resourcebase_permissions EXCLUDED)
Group MANAGERS of the user’s groups will get the owner permissions (publish_resource INCLUDED)
Group MEMBERS of the user’s groups will get the view_resourcebase, download_resourcebase permission
ANONYMOUS can not view and download if the resource is not published
When resource has a group assigned:
OWNER gets all the owner permissions (publish_resource and change_resourcebase_permissions EXCLUDED)
Group MANAGERS of the resource’s group will get the owner permissions (publish_resource INCLUDED)
Group MEMBERS of the resource’s group will get the view_resourcebase, download_resourcebase permission
- static is_simplified_workflow()
SIMPLIFIED WORKFLOW
RESOURCE_PUBLISHING = False
ADMIN_MODERATE_UPLOADS = True
Note
Is it even possible? When the resource is automatically published, can it be un-published?
If this combination is not allowed, we should either stop the process when reading the settings or log a warning and force a safe combination.
When user creates a resource:
OWNER gets all the owner permissions (publish_resource and change_resourcebase_permissions INCLUDED)
Group MANAGERS of the user’s groups will get the owner permissions (publish_resource INCLUDED)
Group MEMBERS of the user’s group will get the view_resourcebase, download_resourcebase permission
ANONYMOUS can view and download
- static compute_admin_and_view_permissions_set(uuid: str, /, instance=None) AdminViewPermissionsSet
Returns a copy of the ADMIN_PERMISSIONS and VIEW_PERMISSIONS of a resource according to:
The resource_type
The resource_subtype
- static compute_resource_groups_and_members_set(uuid: str, /, instance=None, group=None) ResourceGroupsAndMembersSet
Returns a tuple containing:
The “Anonymous” Group
The “Registered Members” Group
The “Groups” belonging to the Resource Owner
The “managers” of the Groups affecting the Resource
The “members” of the Groups affecting the Resource
- static get_workflow_permissions(uuid: str, /, instance=None, perm_spec: dict = {'users': {}, 'groups': {}}, created: bool = False, approval_status_changed: bool = False, group_status_changed: bool = False) dict
Adapts the provided “perm_spec” according to the following schema:
Publishing Workflow Schema

                    | RESOURCE_PUBLISHING | ADMIN_MODERATE_UPLOADS
AUTO PUBLISH        | X                   | X
SIMPLE PUBLISHING   | ✓                   | X
SIMPLIFIED WORKFLOW | X                   | ✓
ADVANCED WORKFLOW   | ✓                   | ✓

General Rules:
OWNER can never publish, except in the AUTO_PUBLISHING workflow.
MANAGERS can always “publish” the resource.
MEMBERS can always “view” and “download” the resource.
When the OWNER is also a MANAGER, the MANAGER wins and can publish.
Others, except in the AUTO_PUBLISHING workflow.
Approval and Publishing Schema

           | N/PUBLISHED | PUBLISHED
N/APPROVED | GM/OWR      |
APPROVED   | registered  | all

Exceptions based on the enabled workflow:
SIMPLIFIED WORKFLOW: If the resource is “approved” or “published”, OWNERS won’t be able to change the resource data and permissions.
ADVANCED WORKFLOW: If the resource is “approved” or “published”, OWNERS won’t be able to change the resource data, metadata, and permissions.
- static get_permissions(uuid: str, /, instance=None, permissions: dict = {}, created: bool = False, approval_status_changed: bool = False, group_status_changed: bool = False) dict
Fixes up the perm_spec according to the enabled workflow (if any). For more details, check the “get_workflow_permissions” method.
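
The workflow selection and publish rights described above can be checked with a small standalone model. This is an added example, not GeoNode's code: every name in it (classify, may_publish, anonymous_can_view, settings_warnings) is hypothetical, and it follows the per-workflow "When user creates a resource" descriptions on this page rather than the General Rules.

```python
# Standalone model of the workflow descriptions on this page; not GeoNode code.
# All function and constant names below are hypothetical.

# (RESOURCE_PUBLISHING, ADMIN_MODERATE_UPLOADS) -> workflow name
WORKFLOWS = {
    (False, False): "AUTO PUBLISHING",
    (True, False): "SIMPLE PUBLISHING",
    (False, True): "SIMPLIFIED WORKFLOW",
    (True, True): "ADVANCED WORKFLOW",
}

# Roles whose grant includes publish_resource when a resource is created.
PUBLISHERS = {
    "AUTO PUBLISHING": {"owner"},
    "SIMPLE PUBLISHING": {"owner"},
    "SIMPLIFIED WORKFLOW": {"owner", "manager"},
    "ADVANCED WORKFLOW": {"manager"},
}

# Workflows where ANONYMOUS can view and download without publication.
OPEN_TO_ANONYMOUS = {"AUTO PUBLISHING", "SIMPLIFIED WORKFLOW"}


def classify(resource_publishing: bool, admin_moderate_uploads: bool) -> str:
    """Map the two settings to the workflow they enable."""
    return WORKFLOWS[(bool(resource_publishing), bool(admin_moderate_uploads))]


def may_publish(workflow: str, roles: set) -> bool:
    """Grants are additive, so an OWNER who is also a MANAGER gets the union."""
    return bool(PUBLISHERS[workflow] & set(roles))


def anonymous_can_view(workflow: str, published: bool) -> bool:
    """Assumes a published resource is visible to anonymous users."""
    return workflow in OPEN_TO_ANONYMOUS or published


def settings_warnings(resource_publishing: bool, admin_moderate_uploads: bool) -> list:
    """Flag the combination that the Note on is_simplified_workflow questions."""
    if classify(resource_publishing, admin_moderate_uploads) == "SIMPLIFIED WORKFLOW":
        return ["ADMIN_MODERATE_UPLOADS=True with RESOURCE_PUBLISHING=False: "
                "moderation is enabled but resources are published automatically"]
    return []
```

Running settings_warnings at settings-load time is one way to implement the "log a warning" option the Note proposes.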