[GeoNode-users] GeoNodish way to restrict download

Ariel Nunez ingenieroariel at gmail.com
Wed Feb 25 08:57:06 PST 2015


Moving to GeoFence to replace the current auth system is something that can
move at it's own pace. We discussed this option during the past code sprint
(a full recap is due, will get to that soon and post here) and there was
interest from the group.

I would say the next step is to draft a GNIP, vote on it and use that as a
tool for organizations to either implement it or contract it out.

-a

On Wed, Feb 25, 2015 at 11:30 AM, Stephen Mather <stephen at smathermather.com>
wrote:

> Sounds like this is going some very interesting places. Integration of
> GeoFence would be epic. Is this something that would be implemented faster
> with funding, or something which has other dependencies or competing
> priorities?
>
> Regarding disabling WFS, the consequences of that (which we have observed
> so far) is editing styles breaks, but otherwise this is an acceptable
> compromise if we run a dedicated server for these datasets. I think
> GetFeatureInfo still works. As I understand it, while it is technically a
> WFS style request, it is implemented and controlled on the WMS side of the
> house.
>
> Thanks,
> Best,
> Steve
>
>
>
>
>
> On Wed, Feb 25, 2015 at 3:52 AM, Paolo Corti <pcorti at gmail.com> wrote:
>
>> Hi
>>
>> I was sure to have filed a ticket but cannot find it anymore,
>> therefore I will add it later.
>>
>> The fact here is that GeoNode will correctly prevent the user to
>> download a layer if he has not the permission to download it only by
>> not showing the download button.
>> Unluckily an astute user will still be able to download the datasets if
>> he can figure out the GeoServer WFS link.
>> This was not possible to fix also in the GeoServer side because of the
>> way the GeoServer security plugin is actually conceived.
>> One possible solutions would be to proxy any WFS request and make the
>> permissions check, as we did for the REST API call modifying styles,
>> but would need to be implemented. Some months ago I created a branch
>> with a very row and prototypal implementation of this:
>>
>> https://github.com/capooti/geonode/commit/b4b232293d748fbe33ae436962dc8c9f1c289d50
>>
>> If to have this discrepancy is a big concern, you could consider to
>> disable the GeoServer WFS. Unluckily the WFS services will be disabled
>> for all of the layers, making impossible the download for all of the
>> layers, but also some other features like editing (and maybe identify?
>> I cannot remember if it relies on WMS or WFS GetFeatureInfo). So it
>> depends on situation if this could be considered acceptable.
>>
>> During the sprint we have been talking with Alessio Fabiani to figure
>> out a way to integrate GeoFence in GeoNode (for GeoNode 2.4++ only).
>> Using GeoFence we will have a wider set of permissions, including
>> effectively disable download for a specific layer, restrict a layer on
>> a specific extent, disabling some of the layer attributes for a
>> specific user/group.
>> This sounds very exciting but we will have all to bear until the time
>> this stuff is implemented.
>>
>> Please consider also this similar issue, related to metadata editing:
>> https://github.com/GeoNode/geonode/issues/1726
>> If I understand correctly here, this can be critical for GeoNetwork,
>> while for pycsw only if enabling transactions that by default are
>> disabled
>>
>> p
>>
>> On Tue, Feb 24, 2015 at 6:11 AM, Erick Omwandho Opiyo
>> <e.omwandho at gmail.com> wrote:
>> > Check under topic for layers - setting layers permission.
>> >
>> > On Tue, Feb 24, 2015 at 8:10 AM, Erick Omwandho Opiyo <
>> e.omwandho at gmail.com>
>> > wrote:
>> >>
>> >> Hi Steve,
>> >>
>> >> I think the issue has been implemented in the newer version of Geonode
>> >> version 2.4b18. When you upload a new layer you have the option for
>> only
>> >> viewing or download check documentation at
>> >>
>> https://geonode.readthedocs.org/en/master/reference/security.html?highlight=security
>> .
>> >>
>> >> Erick
>> >>
>> >>
>> >>
>> >> On Tue, Feb 24, 2015 at 2:32 AM, Stephen Mather
>> >> <stephen at smathermather.com> wrote:
>> >>>
>> >>> Hi All,
>> >>>
>> >>> What's the best way to allow for viewing, clicking for more info, but
>> not
>> >>> allow download of raw data (csv, shapefile, geojson, etc.)?
>> >>>
>> >>> Thanks,
>> >>> Best,
>> >>> Steve
>> >>>
>> >>> _______________________________________________
>> >>> geonode-users mailing list
>> >>> geonode-users at lists.osgeo.org
>> >>> http://lists.osgeo.org/cgi-bin/mailman/listinfo/geonode-users
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> Kind Regards,
>> >>
>> >> Erick Omwandho Opiyo
>> >>
>> >> Cell:               0724590982
>> >> Blog:              http://eomwandho.wordpress.com
>> >
>> >
>> >
>> >
>> > --
>> > Kind Regards,
>> >
>> > Erick Omwandho Opiyo
>> >
>> > Cell:               0724590982
>> > Blog:              http://eomwandho.wordpress.com
>> >
>> > _______________________________________________
>> > geonode-users mailing list
>> > geonode-users at lists.osgeo.org
>> > http://lists.osgeo.org/cgi-bin/mailman/listinfo/geonode-users
>> >
>>
>>
>>
>> --
>> Paolo Corti
>> Geospatial software developer
>> web: http://www.paolocorti.net
>> twitter: @capooti
>> skype: capooti
>>
>
>
> _______________________________________________
> geonode-users mailing list
> geonode-users at lists.osgeo.org
> http://lists.osgeo.org/cgi-bin/mailman/listinfo/geonode-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/geonode-users/attachments/20150225/597444e0/attachment.html>


More information about the geonode-users mailing list