[GeoNode-devel] Deny upload for a group of users

Paolo Corti pcorti at gmail.com
Wed Dec 12 15:26:39 PST 2018 

I think I remembered incorrectly this.
After looking at the documentation of Django, it looks like you will
need to decorate your view with @permission_required in order to check
model permissions for the user.

For example, to disable the upload page for a user which has not the
layers.can_add permissions you should decorate this view (in
layers.views):

@login_required
@permission_required('layers.add_layer', raise_exception=True)
def layer_upload(request, template='upload/layer_upload.html'):
    ...

I believe it would make sense to have these views permission required
checks in GeoNode source code.

Therefore a pull request would be welcomed.
Paolo
On Wed, Dec 12, 2018 at 6:08 PM Paolo Corti <pcorti at gmail.com> wrote:
>
> Hello Emídio
>
> you are right, I am not sure why this is happening but I don't think
> is the expected behaviour from Django model permissions system, as far
> as I remember. If a user or a group of user has not the permission to
> create an instance of that model, Django should raise an error
> automatically.
>
> I am wondering if not using  the default value for
> AUTHENTICATION_BACKENDS [1] for a Django project, but a combination of
> different backends, including OAuth2, [2] change the things.
>
> best
> Paolo
>
> [1]
> AUTHENTICATION_BACKENDS = ['django.contrib.auth.backends.ModelBackend']
>
> [2]
> AUTHENTICATION_BACKENDS = (
>     'oauth2_provider.backends.OAuth2Backend',
>     'django.contrib.auth.backends.ModelBackend',
>     'guardian.backends.ObjectPermissionBackend',
>     'allauth.account.auth_backends.AuthenticationBackend',
> )
>
> On Wed, Dec 12, 2018 at 7:44 AM Emídio Fernandes <ebueno at spacesur.com> wrote:
> >
> > Grazie mille Paolo, i have tried to create groups as you said, but users from the group without permission to add/change/edit/delete layer still can upload  of data. Another thing i observed, after remove  the anonymous group its came appears again.
> > Thanks
> >
> > El mar., 11 dic. 2018 a las 19:07, Paolo Corti (<pcorti at gmail.com>) escribió:
> >>
> >> You should be able to accomplish this without forking GeoNode using
> >> Django groups and customizing your templates. For example create 2
> >> groups, one named "uploaders" and the other "not-uploaders". Make sure
> >> the first group has the can add/change/edit/delete layer permissions
> >> while the second not.
> >> In your custom project templates hide links to the layer
> >> administrative pages (layer upload, layer change metadata) when a user
> >> belongs to the not-uploader group. As a last thing, add a signal in
> >> your custom project to add each user to the not-uploader group when
> >> she/he registers.
> >> Hope this helps
> >> Paolo
> >>
> >> On Mon, Dec 10, 2018 at 2:58 PM Emídio Fernandes <ebueno at spacesur.com> wrote:
> >> >
> >> > hello everyone!!, i would like to know if it's possible deny a certain group of users to upload any data(vectorial, raster and document) to Geonode. Something like a viewer user
> >> >
> >> > tanks
> >> > _______________________________________________
> >> > geonode-devel mailing list
> >> > geonode-devel at lists.osgeo.org
> >> > https://lists.osgeo.org/mailman/listinfo/geonode-devel
> >>
> >>
> >>
> >> --
> >> Paolo Corti
> >> Geospatial software developer
> >> web: http://www.paolocorti.net
> >> twitter: @capooti
> >> skype: capooti
> >
> >
> >
> > --
> >
> >
> > Emídio Bueno
> >
> > Geospatial Product Manager
> >
> >
> > +54 (11) 4342-2976/84
> >
> > www.spacesur.com
>
>
>
> --
> Paolo Corti
> Geospatial software developer
> web: http://www.paolocorti.net
> twitter: @capooti
> skype: capooti



--
Paolo Corti
Geospatial software developer
web: http://www.paolocorti.net
twitter: @capooti
skype: capooti

More information about the geonode-devel mailing list