[GeoNode-users] Restrict the add_layer auth to some user

FERRARI Hugo ferrari_hugo at yahoo.fr
Tue Jun 16 07:13:14 PDT 2015


Hello world,
in GeoNode there are permissions on resources and we can modify them.
But is there any way to restrict actions for some users?
I want only a few users to be allowed to add new layers in GeoNode but
apparently the only existing criterion to permit it is authentication.
I'm sure I'm not the first to ask this question.
In the auth_permission postgres table we can see that the "add_layer"
permission already exists but it is not assigned to users.

Thanks for your advice
Hugo FERRARI






On 09/06/2015 18:50, geonode-users-request at lists.osgeo.org wrote:
> Send geonode-users mailing list submissions to
> 	geonode-users at lists.osgeo.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.osgeo.org/cgi-bin/mailman/listinfo/geonode-users
> or, via email, send a message with subject or body 'help' to
> 	geonode-users-request at lists.osgeo.org
>
> You can reach the person managing the list at
> 	geonode-users-owner at lists.osgeo.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of geonode-users digest..."
>
>
> Today's Topics:
>
>     1. developpement: Modifying permission behavior and data
>        visibility in Geonode (FERRARI Hugo)
>     2. Re: developpement: Modifying permission behavior and data
>        visibility in Geonode (Ariel Nunez)
>     3. Re: developpement: Modifying permission behavior and data
>        visibility in Geonode (Paolo Corti)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 09 Jun 2015 16:56:18 +0400
> From: FERRARI Hugo <ferrari_hugo at yahoo.fr>
> To: geonode-users at lists.osgeo.org
> Subject: [GeoNode-users] developpement: Modifying permission behavior
> 	and data visibility in Geonode
> Message-ID: <5576E272.6090606 at yahoo.fr>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> Hello everyone,
> I have installed a complete GeoNode instance on a development server.
> I want to change the behavior of the software to make it fit the needs of
> the institution I work for.
> So I'm looking for some advice because I didn't manage to code it yet.
>
> My aim is to separate metadata access from data access.
> That is, to make all the layers uploaded in GeoServer VISIBLE for all
> users (logged in or not) but only in the layer-list page, not on the
> layer-detail page.
> If you click on any specific layer in the layer-list (or document-list,
> because I want the same behavior for both), you get the layer detail, so
> what you will see is:
>
> - In the case you have the view_resourcebase permission (who can see it
> ?), you will see the current template corresponding to
> layer_detail.html: access to both data and metadata.
> - In the other case, if you don't have the view_resourcebase permission,
> you'll only have access to the resource's metadata (that means a template
> similar to layer_detail.html, but instead of the geoexplorer frame you
> should have a "permission denied" message, but the possibility to
> retrieve metadata).
>
> It's quite simple to make all the layers visible in the layer list,
> whoever is logged in (you just have to modify SKIP_PERMS_FILTERS in
> settings.py AND the read_list function in module api/authorisation.py),
> but the actual behavior is to catch a 403 HTTP error when trying to view
> the layer detail.
> Modifying the 403.html template does not seem to be the good way to
> proceed.
> I don't think it is necessary to modify GeoNode's database model because
> the view_ressource permission is enough, considering that viewing the
> resource is equivalent to having access to the data (even if you can't
> download it). There's no need to add a new kind of permission, as far
> as I can guess.
> What is preferred is not throwing a 403 error but just the
> layer_detail.html template modified to get only metadata.
>
> I hope the explanation was clear enough,
> Thanks for your advice
> Hugo FERRARI
>
> PS
> Does it correspond to the actual GeoNode development policy?
> Data and metadata are strongly linked in this software.
> Could this functionality be interesting for any other GeoNode users?
>
>
>
> On 08/06/2015 23:00, geonode-users-request at lists.osgeo.org wrote:
>> Today's Topics:
>>
>>      1. Re: osgeo module install problem (Simone Dalmasso)
>>      2. Problems to Translate Geonode - Transifex -	Portuguese
>>         (Brazil) (Davi Custodio)
>>      3. Re: Problems to Translate Geonode - Transifex - Portuguese
>>         (Brazil) (Julien Collaer)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Sun, 7 Jun 2015 21:40:13 +0200
>> From: Simone Dalmasso <simone.dalmasso at gmail.com>
>> To: Vicente <deluca.vicente at gmail.com>
>> Cc: geonode-users <geonode-users at lists.osgeo.org>
>> Subject: Re: [GeoNode-users] osgeo module install problem
>> Message-ID:
>> 	<CAAHAC+cU9GgbBUe-ocH4GJZ1PaXEZDrY5W=ZCsTzSUSx5ymVvA at mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hi, you are missing the gdal python bindings, a "pip install gdal" should
>> fix it.
>>
>> Hope it helps, ciao
>>
>> 2015-06-07 17:59 GMT+02:00 Vicente <deluca.vicente at gmail.com>:
>>
>>> Good afternoon,
>>> If I run the following line from my command line, the answer is successful
>>>
>>> $ sudo apt-get -y install libgdal1h libgdal-dev python-gdal
>>>
>>> But if I run from the session virtualenv, the answer is No module named
>>> osgeo.
>>>
>>> I have just added the following session variables in my .bashrc:
>>> export VIRTUALENVWRAPPER_PYTHON=/usr/bin/python
>>> export WORKON_HOME=~/.venvs
>>> source /usr/local/bin/virtualenvwrapper.sh
>>> export PIP_DOWNLOAD_CACHE=$HOME/.pip-downloads
>>>
>>> Both session with virtualenv or outside, the python to run is the same,
>>> Python 2.7.6 (default, Mar 22 2014, 22:59:56)
>>>
>>> The result is that I can not run because there is paver start the osgeo
>>> module from within the session obviously.
>>>
>>> Thanks!
>>>
>>> --
>>> Vicente Deluca
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 9 Jun 2015 09:01:34 -0500
> From: Ariel Nunez <ingenieroariel at gmail.com>
> To: FERRARI Hugo <ferrari_hugo at yahoo.fr>
> Cc: "geonode-users at lists.osgeo.org" <geonode-users at lists.osgeo.org>
> Subject: Re: [GeoNode-users] developpement: Modifying permission
> 	behavior and data visibility in Geonode
> Message-ID:
> 	<CALh6R-QDnFhFPgQdejPp0Kuh5NABLExo7ONaQWjhyb2hk3chEw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hugo,
>
> Based on what I understand, the best path forward is to have a
> view_metadata permission that you use to enforce the behavior you want.
> Assigning a new meaning to the existing permission may be problematic for
> other users with different needs (for example where metadata is sensitive
> information).
>
> The place where we want to get to, is to allow uploaders to restrict any
> actions they want, but give the end user buttons to request permissions (to
> view if they cannot view, to download if they can only view, to edit if they
> can only download) to encourage a conversation between uploaders and users
> and provide a workflow to allow access to information when it is needed.
>
> The changes you make would be good candidates for inclusion in the main
> version of GeoNode so others can benefit in the future. Hopefully others
> (Paolo?) can chime in with more specific feedback.
>
> Best,
> Ariel.
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 9 Jun 2015 16:50:01 +0200
> From: Paolo Corti <pcorti at gmail.com>
> To: Ariel Nunez <ingenieroariel at gmail.com>
> Cc: FERRARI Hugo <ferrari_hugo at yahoo.fr>,
> 	"geonode-users at lists.osgeo.org" <geonode-users at lists.osgeo.org>
> Subject: Re: [GeoNode-users] developpement: Modifying permission
> 	behavior and data visibility in Geonode
> Message-ID:
> 	<CAHXrU-JBaUUQUBz7BjsNuTkmOpOSLB7rxAaXEt3Qsn1TmKmvqw at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Yes, Ariel is totally right.
> Currently we don't have a specific permission for viewing metadata.
> This is implicit with the view_resourcebase permission that gives
> access to the data and metadata at the same time.
> As suggested by Ariel you may consider to add a new django guardian
> permission at the resource base model, like it has been done here [1]
> and then have your GeoNode instance behave according to it in views,
> templates and javascript.
> I don't think there is an easy way to avoid forking GeoNode and
> customize the behaviour in your GeoNode project, though it may be not
> impossible and this would keep your instance easily updateable with
> mainstream code.
> Even better, as Ariel suggested, you may though fork it and send a PR
> as it could be useful for others as well.
> regards
> p
>
> [1] https://github.com/GeoNode/geonode/blob/master/geonode/base/models.py#L648
>
>
>
>


