
Data edition permissions set in GeoNode for a layer are not applied on the WFS #5779

Closed
audetrobergem opened this issue Feb 27, 2020 · 9 comments
Assignees
Labels
blocker Critical issue blocking next major release and/or (People are badly blocked with no workaround) security Pull requests that address a security vulnerability
Milestone

Comments

@audetrobergem

Expected Behavior

I want the data edition permissions set in GeoNode on the layers (Who can edit data for this layer?) to also be applied when I display the data in another client (WFS in QGIS).

Actual Behavior

All users who have access to a layer can modify the data in QGIS, even if they do not have data edition permission.

Steps to Reproduce the Problem

  1. With a first user, set the permissions of a layer in GeoNode so that no one can edit the data.
  2. Add the WFS into QGIS (https://master.demo.geonode.org/gs/ows for example) with the credentials of a different user.
  3. Add the layer whose data no one can edit in QGIS and open the attribute table.
  4. Activate the modifications by clicking on the small pen.
  5. Edit the attributes and save.

Specifications

  • GeoNode version: 2.10.1 (my installation) & 2.10.3 (Master Demo)
  • Installation method (manual, GeoNode Docker, SPCGeoNode Docker): manual
  • Platform: Ubuntu 18.04
  • Additional details:
    • When the layer is displayed in MapStore the small pen for edition in the attribute table is not there.
@audetrobergem
Author

Adding a GeoFence Data Rule that denies transactions for a layer prevented a user from modifying the data in QGIS.

[screenshot: transactions]

A solution to this problem could be the automatic addition of this type of rule when permissions are created?

@afabiani
Member

@audetrobergem yeps, I guess that would be the best option to fix this quickly.

@t-book t-book added feature A new feature to be added to the codebase question A User question which should be discussed at mailing list labels Feb 27, 2020
@gannebamm
Contributor

@afabiani shouldn't this work in the expected behaviour way out of the box? I am puzzled.

@audetrobergem audetrobergem changed the title Data edition permssions set in GeoNode for a layer are not applied on the WFS Data edition permissions set in GeoNode for a layer are not applied on the WFS Feb 28, 2020
@t-book t-book added this to the 3.1 milestone Apr 2, 2020
@gannebamm gannebamm modified the milestones: 3.1, 3.0 Apr 2, 2020
@gannebamm gannebamm added security Pull requests that address a security vulnerability needs further investigation Issue or reason for specific behaviour needs further investigation and removed feature A new feature to be added to the codebase labels Apr 2, 2020
@gannebamm gannebamm assigned afabiani and gannebamm and unassigned afabiani Apr 2, 2020
@afabiani afabiani modified the milestones: 3.0, 3.x May 11, 2020
@gannebamm gannebamm removed their assignment Oct 29, 2020
@gannebamm
Contributor

@sjohn-atenekom Could you test this behaviour? I think those security related issues are relevant for AteneKOM? This help would be very much appreciated :D

@ghost

ghost commented Nov 4, 2020

I think the problem here is actually bigger. I think the permissions are not always considered in the /gs/ows endpoint. I managed to load a private layer into QGIS without authentication. On the other hand, the data edition did not work (as expected). This layer should only be visible by users sberger and sberger1: https://master.demo.geonode.org/layers/geonode_master_data:geonode:VG250_LAN

The layer should also not show up in the capabilities document https://master.demo.geonode.org/gs/ows?service=WMS&request=getcapabilities

@afabiani
Member

afabiani commented Nov 4, 2020

I guess the GeoFence rules on master demo were messed up. I cleaned up all the rules and refreshed. Can you please try again?

P.S. Make sure to use the correct user and always start with a clean browser session.


@ghost

ghost commented Nov 4, 2020

Thanks, @afabiani. I was now able to reproduce the problem described by @audetrobergem and think that adding a geofence data rule should fix it.

@gannebamm
Contributor

I have added a general DENY rule for VG_LAN
[screenshot]

Which should get overwritten by specific ones. You should not be able to edit it anymore @sjohn-atenekom

@ghost

ghost commented Nov 4, 2020

It seems it does get overwritten. Even as owner of the dataset, I can't see it anymore. Probably this rule should be at the bottom to get overwritten. But even then this rule denies everything and gets overwritten by service=WFS and request=*, so it is again allowed to edit the data.
Adding a default rule with service=wfs and request=transaction seems the only solution to me at the moment.
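The rule-ordering behaviour discussed in this thread, as an added example that is not GeoNode's or GeoFence's own code: a simplified Python model of GeoFence matching in which rules are tried in ascending priority order and the first rule whose fields all match decides the access. The rule fields, the default deny when nothing matches, the `viewer` and `anon` users and the `audit_transaction_exposure` helper are assumptions made for illustration; `sberger` and `geonode:VG250_LAN` are taken from the comments above. The three scenarios reproduce the observations in the thread: a blanket DENY at the top hides the layer even from its owner, a per-user ALLOW with service=WFS and request=* lets a read-only user run Transactions, and a DENY for service=WFS request=Transaction placed ahead of the broad WFS ALLOW closes that gap while keeping WMS and WFS reads working.

```python
"""Hypothetical, simplified model of GeoFence rule evaluation.

Rules are checked in ascending priority order; the first rule whose
user, layer, service and request all match the incoming request decides
ALLOW or DENY. '*' is a wildcard. When no rule matches we assume DENY.
This is illustration code written for this page, not GeoFence itself.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Rule:
    priority: int
    access: str            # "ALLOW" or "DENY"
    user: str = "*"
    layer: str = "*"
    service: str = "*"     # e.g. "WMS", "WFS"
    request: str = "*"     # e.g. "GetMap", "GetFeature", "Transaction"


def _matches(pattern: str, value: str) -> bool:
    """Wildcard or case-insensitive exact match (GeoServer request names are case-insensitive)."""
    return pattern == "*" or pattern.lower() == value.lower()


def evaluate(rules: Iterable[Rule], user: str, layer: str, service: str, request: str) -> str:
    """First-match semantics: lowest priority number wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_matches(rule.user, user) and _matches(rule.layer, layer)
                and _matches(rule.service, service) and _matches(rule.request, request)):
            return rule.access
    return "DENY"  # assumed default when nothing matches


def can_view(rules: Iterable[Rule], user: str, layer: str) -> bool:
    return evaluate(rules, user, layer, "WMS", "GetMap") == "ALLOW"


def can_read_features(rules: Iterable[Rule], user: str, layer: str) -> bool:
    return evaluate(rules, user, layer, "WFS", "GetFeature") == "ALLOW"


def can_edit(rules: Iterable[Rule], user: str, layer: str) -> bool:
    """WFS Transaction is the operation QGIS uses to write attribute edits back."""
    return evaluate(rules, user, layer, "WFS", "Transaction") == "ALLOW"


def audit_transaction_exposure(rules: Iterable[Rule], layer: str,
                               users: Iterable[str], editors: Iterable[str]) -> List[str]:
    """Users who can run WFS Transactions on `layer` but are not intended editors.

    A defender-side check to run over an exported rule list before and
    after changing permissions; an empty list is the expected result.
    """
    editors = set(editors)
    return sorted(u for u in users if can_edit(rules, u, layer) and u not in editors)


LAYER = "geonode:VG250_LAN"  # layer name from the thread; users other than sberger are constructed

# Scenario A: blanket DENY placed first shadows every later rule, so even the owner loses the layer.
scenario_a = [
    Rule(0, "DENY", layer=LAYER),
    Rule(1, "ALLOW", user="sberger", layer=LAYER),
]

# Scenario B: view permission expressed as ALLOW rules for WMS and for WFS with request=*.
# The WFS rule also matches Transaction, so a read-only user can edit the data.
scenario_b = [
    Rule(0, "ALLOW", user="viewer", layer=LAYER, service="WMS"),
    Rule(1, "ALLOW", user="viewer", layer=LAYER, service="WFS"),
    Rule(2, "ALLOW", user="sberger", layer=LAYER),
    Rule(3, "DENY", layer=LAYER),
]

# Scenario C: the fix proposed in the thread, a DENY for WFS Transaction for the
# non-editing user, ordered before the broad WFS ALLOW; reads keep working.
scenario_c = [
    Rule(0, "DENY", user="viewer", layer=LAYER, service="WFS", request="Transaction"),
    Rule(1, "ALLOW", user="viewer", layer=LAYER, service="WMS"),
    Rule(2, "ALLOW", user="viewer", layer=LAYER, service="WFS"),
    Rule(3, "ALLOW", user="sberger", layer=LAYER),
    Rule(4, "DENY", layer=LAYER),
]

if __name__ == "__main__":
    users = ["viewer", "sberger", "anon"]
    for name, rules in (("A", scenario_a), ("B", scenario_b), ("C", scenario_c)):
        exposed = audit_transaction_exposure(rules, LAYER, users, {"sberger"})
        print(f"scenario {name}: owner can view={can_view(rules, 'sberger', LAYER)}, "
              f"unintended editors={exposed}")
```

Running the block prints one line per scenario; only scenario C leaves the owner able to view the layer and no unintended editors. The same `audit_transaction_exposure` check can be pointed at a real rule export by building `Rule` objects from it.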

@gannebamm gannebamm added the blocker Critical issue blocking next major release and/or (People are badly blocked with no workaround) label Nov 5, 2020
@afabiani afabiani self-assigned this Nov 5, 2020
@gannebamm gannebamm removed needs further investigation Issue or reason for specific behaviour needs further investigation question A User question which should be discussed at mailing list labels Nov 5, 2020
afabiani pushed a commit that referenced this issue Nov 14, 2020
afabiani pushed a commit that referenced this issue Nov 14, 2020
afabiani pushed a commit that referenced this issue Nov 14, 2020
… not applied on the WFS

(cherry picked from commit 9e4e839)
github-actions bot pushed a commit that referenced this issue Nov 14, 2020
afabiani pushed a commit that referenced this issue Nov 14, 2020
… not applied on the WFS (#6641) (#6642)

Co-authored-by: Alessio Fabiani <[email protected]>
afabiani pushed a commit that referenced this issue Dec 10, 2020
…ble entities into the framework (#6713)

* [Hardening] - Recent Activity List for Documents error when actor is None

* [Frontend] Monitoring: Bump "node-sass" to version 4.14.1

* [Frontend] Bump jquery to version 3.5.1

* [Fixes: #6519] Bump jquery to 3.5.1 (#6526)

(cherry picked from commit e532813)

# Conflicts:
#	geonode/static/lib/css/assets.min.css
#	geonode/static/lib/css/bootstrap-select.css
#	geonode/static/lib/css/bootstrap-table.css
#	geonode/static/lib/js/assets.min.js
#	geonode/static/lib/js/bootstrap-select.js
#	geonode/static/lib/js/bootstrap-table.js
#	geonode/static/lib/js/leaflet-plugins.min.js
#	geonode/static/lib/js/leaflet.js
#	geonode/static/lib/js/moment-timezone-with-data.js
#	geonode/static/lib/js/underscore.js

* Merge branch 'master' of https://github.com/GeoNode/geonode into rest_api_v2_proof_of_concept

# Please enter a commit message to explain why this merge is necessary,
# especially if it merges an updated upstream into a topic branch.
#
# Lines starting with '#' will be ignored, and an empty message aborts
# the commit.

* [Hardening] Re-create the map thumbnail only if it is missing

* Fixes error with GDAL 3.0.4 due to a breaking change on GDAL (https://code.djangoproject.com/ticket/30645)

* Fixes error with GDAL 3.0.4 due to a breaking change on GDAL (https://code.djangoproject.com/ticket/30645)

* - Introducing the concept of "GeoNode App" Resource Base

* [GeoApps] Add "Create new" Button to the apps list page

* [GeoApps] Hooking Resources List pages

* [GeoApps] Hooking GeoApp List page

* [GeoApps] Hooking GeoApp rest v2 API serializers fixes

* [GeoApps] Fix resourcebase_api polymorphic ctype filter

* [GeoApps] REST API v2 "geostories" endpoints optimizations

* [REST APIs V2] Make use of the new "bbox_polygon" field based on GeoDjango

* [Fixes RemoteServices bbox parse] Merge branch 'search-by-extent' of https://github.com/mtnorthcott/geonode

* [Fix migrations] Merge branch 'search-by-extent' of https://github.com/mtnorthcott/geonode

* [Fix migrations] Merge branch 'search-by-extent' of https://github.com/mtnorthcott/geonode

* [GeoApps] Adding "geoapp_edit" page

* [GeoApps] Adding "geoapp_edit" page context

* [GeoApps] Adding security info (access_token, user, ...) to the page context

* [GeoApps] Adding client endpoints

* [GeoApps] Missing "post_save" signal

* [GeoApps] Finalize GeoApp resources management

* Fix "bbox_to_projection" coords order

* Fix 'bbox_to_projection' coords order

* Fix "bbox_to_projection" coords order

(cherry picked from commit 72d6c1e)

* Fix "bbox_to_projection" coords order: check GDAL version >= 3.0.4

* Include missing 'mapstore2_adapter.geoapps' app to default INSTALLED_APPS

* Include mapstore client branch dependencies into requirements

* Revert security commit on branch

* Minor review of the current advanced resource workflow implementation #6551

* Minor review of the current advanced resource workflow implementation #6551

* Fix tests on Travis

* Fix tests on Travis

* Fix tests on Travis

* Fix tests on Travis

* Fix tests on Travis

(cherry picked from commit c7f651c)

# Conflicts:
#	geonode/layers/tests.py

* Fix logical errors on approval workflow

* Fix logical errors on approval workflow

(cherry picked from commit 7a3d5d0)

* Fix tests on Travis

* Cleanup "app_embed" template

* Advanced workflow: remove change_permissions to the owner if not a manager

* Advanced workflow: remove change_permissions to the owner if not a manager

(cherry picked from commit 9a1552a)

* Fix app_embed template

* Advanced workflow: remove change_permissions to the owner if not a manager

* Advanced workflow: remove change_permissions to the owner if not a manager

* Advanced workflow: remove change_permissions to the owner if not a manager

(cherry picked from commit f23096c)

* Advanced workflow: remove change_permissions to the owner if not a manager

(cherry picked from commit bfe51a7)

* Advanced workflow: remove change_permissions to the owner if not a manager

* Advanced workflow: remove change_permissions to the owner if not a manager

(cherry picked from commit d9ec566)

* Advanced workflow: filter actions stream returned to the users accordingly to their perms

* Advanced workflow: filter actions stream returned to the users accordingly to their perms

(cherry picked from commit 7f51346)

* Advanced workflow: filter actions stream returned to the users accordingly to their perms

* Add new settings from django-allauth 0.43.0

* Advanced workflow: filter actions stream returned to the users accordingly to their perms

(cherry picked from commit e2522fd)

* Add new settings from django-allauth 0.43.0

(cherry picked from commit 00f4be1)

* Code styling alerts: remove unnecessary pass

* Refreshing static libs

* Refreshing static libs

* Code styling alerts: remove unnecessary pass

(cherry picked from commit 0676f6e)

* Refreshing static libs

(cherry picked from commit f27d0df)

* Refreshing static libs

(cherry picked from commit 5b166bc)

* Advanced Workflow: Make sure the APIs counters are coherent with the visible resources

* Advanced Workflow: Make sure the APIs counters are coherent with the visible resources

(cherry picked from commit 1855d74)

* fix english/italian translations (#6563)

* fix english/italian translations (#6563)

* Advanced Workflow: fix "request editing" action when published

* Advanced Workflow: fix "request editing" action when published -> send messages to group managers too

* Advanced Workflow: fix "request editing" action when published

(cherry picked from commit 1041b12)

* Advanced Workflow: fix "request editing" action when published -> send messages to group managers too

(cherry picked from commit 5c93ef3)

* Fix test on travis

* fix english/italian translations (#6563)

* fix english/italian translations (#6563)

* fix english/italian translations (#6563)

* Avoid override User settings on "set_attributes_from_geoserver"

* - Docs links to 3.x branch

* Improve Celery Async Tasks configuration

(cherry picked from commit 50e208a)

* Improve Celery Async Tasks configuration

(cherry picked from commit d5150e8)

* Improve Celery Async Tasks configuration

(cherry picked from commit 50e208a)

* - Replace build.geo-solutions.it with www.dropbox.com

(cherry picked from commit 882e3e5)
(cherry picked from commit 7b970f8)

* [Security] Hardening Advanced Workflow resources visibility

(cherry picked from commit 2103f13)
(cherry picked from commit 025c82e)

* [Hardening] Removing redundant and replacement of instance abstract from GeoServer

* Bump drf-yasg from 1.17.1 to 1.20.0

* [Hardening] Fixes: db connection closed and worker hangs with celery 4.2+ celery/celery#4878

* [Hardening] Optimizing celery tasks settings

* [Hardening] Optimizing celery tasks settings

* - Documents REST v2 APIs

* [Fixes #6596] Incorrect Legend displayed in the layer detail page

(cherry picked from commit 0aa6902)

* [Fixes #6596] Incorrect Legend displayed in the layer detail page

(cherry picked from commit 0aa6902)

* - Update travis dist to '20.04 focal'

* - Fix geolimits panel translations

* - Filter Comments on Recent Activities accordingly to the user's perms

* [Hardening] Remove wrong class initializer

* [Hardening] LGTM warning fixes

* [CI Optimizations] - Continuous integration builders: CircleCI config based on "spcgeonode" docker-compose

(cherry picked from commit 7f091a7)

* - Enable "memcached" plugins for monitoring

* - Extend "documents" to accept and render video, audio and more image formats

 - Add "attribution" field to ResourceBase model

* - Generating documents thumbnails for video and audio mime types

(cherry picked from commit d1f4251)
(cherry picked from commit 5c89762)

* - Merge with master branch

* - Generating documents thumbnails for video and audio mime types

(cherry picked from commit 197c7ab)

* - Fixing doc image thumb generation

* - Updating translations

* - expose documents 'href' from REST serializer API endpoint

* [Hardening] - expose **secured** documents 'href' from REST serializer API endpoint

* [Hardening] - generate **secured** thumbnail for uploaded images

* - Restore missing list key on GXP_PTYPES enumeration

(cherry picked from commit 2352613)

* [FIX #6626] add tinymce editor to resource text areas

(cherry picked from commit 45bb0dc)

* [FIX #6626] add tinymce editor to resource text areas

(cherry picked from commit 45bb0dc)

* [Hardening] Correctly manage "_resolve_object" exception as Django error templates

(cherry picked from commit 017d885)

# Conflicts:
#	geonode/views.py

* - Remove wrong migration

* [Hardening] Using "apply_async" instead of "delay" for async signals calls

* [Hardening] Avoid exit prematurely from geoserver cascading delete signal

* Fix travis tests

* [Fixes #5779] Data edition permissions set in GeoNode for a layer are not applied on the WFS

(cherry picked from commit 9e4e839)

* - Cleaning up wrong migrations

* [Performance] - Improve Style editing requests callbacks

* [Performance] - Transform "geoserver_post_save_layers" to an asynchronous task

* [Performance] - Improve Style editing requests callbacks

* [Optimization] Improve 'navbar' content reposition script

* [Performance] - Transform "geoserver_post_save_layers" to an asynchronous task

* [Performance] - Improve Style editing requests callbacks

* FIXES[#6653] Mail notifications for private datasets are public

* - exclude query optimization

* [Performance] Dynamically loading the list of users geo-limits

(cherry picked from commit c54cc61)
(cherry picked from commit 756c1aa)

* [Fixes: #6640] Style Tag outside of html (#6657)

* [Minor Layout Issue] - Missing title on "map list" page

(cherry picked from commit 971e65f)

* added Document Creation Fallback, fixed exclude_user_ids.append()

* - Correct "geoapps" notification types

* - Fix remaining issues: 1. Layer create does not send "title" before sending notifications - 2. Doc created does not set "permissions" before sending notifications

* Typo: _QUEUE_ALL_FLAG

* Typo: _QUEUE_ALL_FLAG

(cherry picked from commit 8d9118f)

* - Fix asynchronous notification engine task

* - Fix asynchronous notification engine task

(cherry picked from commit 79274eb)

* - Do not send notifications if the resource has no title

* - Do not send notifications if the resource has no title

(cherry picked from commit c3d470e)

* - Asynchronous "probe" task for Remote Services

* [FIXES #6653] Mail notifications for private datasets are public

* - Fixes rating notifications

* - Fixes rating notifications

(cherry picked from commit b814692)

* - Fixes "guardian.exceptions.ObjectNotPersisted: Object None needs to be persisted first" exception on "set_workflow_perms" calls

* - Fixes "guardian.exceptions.ObjectNotPersisted: Object None needs to be persisted first" exception on "set_workflow_perms" calls

(cherry picked from commit fe35d46)

* - Fixes "guardian.exceptions.ObjectNotPersisted: Object None needs to be persisted first" exception on "set_workflow_perms" calls

* - Fixes "guardian.exceptions.ObjectNotPersisted: Object None needs to be persisted first" exception on "set_workflow_perms" calls

(cherry picked from commit dee7de1)

* - Fix LGTM issues

* - Fix LGTM issues

(cherry picked from commit 08644a6)

* - Fix LGTM issues

* - Fix LGTM issues

(cherry picked from commit df112c8)

* no notifications for resource owner, except for comments. PEP 8 reformatting

* resource owners will get notified on updates of their resources

* [Fixes #6665] Improve WYSIWYG metadata editor to store formatted and plain texts

* - Travis test-cases: "ensure owner won't be notified on upload"

* [Hardening] Do not fail in case of datastore with multiple geometries

* - Minor refactoring and clean out of the "geoserver_post_save_layers" task body

* [Hardening] Make "set_attributes" method more resilient to "Attribute.MultipleObjectsReturned" exception

* [Hardening] Make "helpers" methods more resilient to "Layer.MultipleObjectsReturned" and "Layer.DoesNotExist" exceptions

* - Minor environment params improvements. Exposing DB connection timeouts to .env

* - Explicit error codes along with description on Layer Upload form

* [Translations] - Explicit error codes along with description on Layer Upload form

* [Translations] - Explicit error codes along with description on Layer Upload form

(cherry picked from commit 395089e)

# Conflicts:
#	geonode/static/geonode/js/upload/LayerInfo.js
(cherry picked from commit f62b69a)

* [Docker] Use local nginx build

* Merge branch 'master' of https://github.com/GeoNode/geonode into rest_api_v2_geonode_apps

* [Hardening] More resilient to 'missing thumbnail' on filesystem issues

* - GeoApp Test Cases

* - Typo

* - Update mapstore client and adapter versions

* - Set local .sh files exec perms

* - Bump pycsw to version 2.6.0

* - Bump pycsw to version 2.6.0

* - Bump pycsw to version 2.6.0

* - Align "setup.cfg" to "requirements.txt"

* - Fix travis

Co-authored-by: Toni <[email protected]>
Co-authored-by: Piotr Dankowski <[email protected]>
Co-authored-by: Florian Hoedt <[email protected]>