via REST API uploaded documents do not get proper permissions

Open gannebamm opened this issue 1 year ago • 3 comments

Expected Behavior

If I upload a document via the REST API it belongs to my user and I can delete it. It should show this:

[screenshot: firefox_RrCcekaJKe]

Actual Behavior

I am unable to delete it. It does not show delete: [screenshot: grafik]

Steps to Reproduce the Problem

import requests

url = "https://stable.demo.geonode.org/api/v2/documents"
payload = {"title": "test upload of document via rest api"}
# replaced "..." with the output of $(echo -n user:password | base64) with my credentials
headers = {"Authorization": "Basic ..."}

# Open the file in a context manager so the handle is closed after the upload.
with open("./test.txt", "rb") as doc_file:
    files = [("doc_file", ("test.txt", doc_file, "text/plain"))]
    response = requests.post(url, data=payload, headers=headers, files=files)

Open https://stable.demo.geonode.org/catalogue/#/documents

See the delete option is missing on the new document:

Specifications

  • GeoNode version: stable.demo (4.4.0.dev0)
  • Additional details:

Sep 25 '24 07:09 gannebamm

@ahmdthr please take a look at this. Since I tested both development and stable demo it should not be linked to your latest PR https://github.com/GeoNode/geonode/pull/11872

edit: or better send this to @kilichenko-pixida since he has more free capacity.

Sep 25 '24 07:09 gannebamm

@ridoo Test REST API upload v4.3.1

Oct 16 '24 09:10 ridoo

Additional specification to reproduce: You shall use a 'normal' user to upload. Admin/superuser will work.

Oct 16 '24 09:10 gannebamm

Hi @gannebamm, did your team have time to check this issue? Otherwise I can give it a check.

Oct 23 '24 09:10 mattiagiupponi

@ridoo, @kilichenko-pixida please check this. As stated, a normal registered user shall be used, NOT an admin user.

edit: I did some clarification in the how to reproduce section above

Oct 28 '24 08:10 gannebamm

@gannebamm yes, I was able to reproduce it and ran into the same problem on the non-admin user after an API upload

Oct 28 '24 08:10 kilichenko-pixida

@gannebamm are you going to take care of this?

Oct 29 '24 09:10 giohappy

> @gannebamm yes, I was able to reproduce it and ran into the same problem on the non-admin user after an API upload

@kilichenko-pixida please debug into the process and take a look at the permission granting process to identify the issue.

@giohappy we will try

Oct 29 '24 09:10 gannebamm

The issue was indeed due to improper permissions handling. Both in DocumentUploadView, which handles UI requests, and in DocumentViewSet, which handles the API, there is a call to the set_permissions method, and in both cases all permissions are being removed.

The difference, however, is that in the UI code, after all permissions have been removed, there is also a resource_manager.update call, which actually includes calling the set_default_permissions method, which restores default values.

See PR #10 for the suggested fix.

I see setting permissions to None on the API side was first introduced in 7f56ebe, though I don't know whether it was a simple oversight or there quite possibly was a good reason for it that I do not understand.

On the UI side, this permission workflow was implemented as part of big changes in f760e0f from 2021.

Nov 06 '24 21:11 kilichenko-pixida
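
Added example, not part of the thread and not GeoNode's code: a toy model of the two upload paths described in the comment above, showing why a non-admin owner loses the delete right on the API path. The `Document` class, the permission names and the `upload_*` helpers are hypothetical; only the method names `set_permissions`, `set_default_permissions` and the `update` step come from the thread.

```python
"""Toy model of the permission flow described in the thread (not GeoNode code)."""

OWNER_DEFAULTS = frozenset({"view", "change", "delete"})  # constructed names


class Document:
    def __init__(self, owner):
        self.owner = owner
        self.perms = {}  # user -> set of permission names

    def set_permissions(self, spec=None):
        # As described in the thread: existing permissions are removed first,
        # then whatever the spec grants is applied (nothing when spec is None).
        self.perms.clear()
        for user, names in (spec or {}).items():
            self.perms[user] = set(names)

    def set_default_permissions(self):
        # Restores the owner's default rights.
        self.perms.setdefault(self.owner, set()).update(OWNER_DEFAULTS)


def update(doc):
    # Stand-in for resource_manager.update, which per the thread ends up
    # calling set_default_permissions.
    doc.set_default_permissions()
    return doc


def upload_via_ui(owner):
    doc = Document(owner)
    doc.set_permissions(None)
    return update(doc)


def upload_via_api_before_fix(owner):
    doc = Document(owner)
    doc.set_permissions(None)  # permissions removed and never restored
    return doc


def upload_via_api_with_defaults(owner):
    # Assumed shape of a fix: restore defaults after clearing, as the UI path does.
    doc = Document(owner)
    doc.set_permissions(None)
    return update(doc)


def can_delete(doc, user, is_superuser=False):
    # Assumption: superusers pass every check, matching the thread's
    # observation that admin/superuser uploads work.
    return is_superuser or "delete" in doc.perms.get(user, set())
```

A regression test for this class of bug should upload as a regular user, since a superuser account passes the check on every path.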

@kilichenko-pixida please provide a PR for master, too. @giohappy please use some of our booked time to answer the questions above to make sure the PR fits the quality criteria.

Nov 08 '24 10:11 gannebamm

@giohappy here is the PR: https://github.com/GeoNode/geonode/pull/12707. I already sent the signed license agreement to [email protected], but I guess approval is pending. Thank you.

Nov 08 '24 13:11 kilichenko-pixida