<div dir="ltr">Moving to GeoFence to replace the current auth system is something that can move at its own pace. We discussed this option during the past code sprint (a full recap is due, will get to that soon and post here) and there was interest from the group.<div><br></div><div>I would say the next step is to draft a GNIP, vote on it and use that as a tool for organizations to either implement it or contract it out.</div><div><br></div><div>-a</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 25, 2015 at 11:30 AM, Stephen Mather <span dir="ltr"><<a href="mailto:stephen@smathermather.com" target="_blank">stephen@smathermather.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Sounds like this is going some very interesting places. Integration of GeoFence would be epic. Is this something that would be implemented faster with funding, or something which has other dependencies or competing priorities?<div><br></div><div>Regarding disabling WFS, the consequence of that (which we have observed so far) is that editing styles breaks, but otherwise this is an acceptable compromise if we run a dedicated server for these datasets. I think GetFeatureInfo still works. As I understand it, while it is technically a WFS-style request, it is implemented and controlled on the WMS side of the house.</div><div><br></div><div>Thanks,</div><div>Best,</div><div>Steve</div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 25, 2015 at 3:52 AM, Paolo Corti <span dir="ltr"><<a href="mailto:pcorti@gmail.com" target="_blank">pcorti@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi<br>
<br>
I was sure I had filed a ticket but cannot find it anymore,<br>
therefore I will add it later.<br>
<br>
The fact here is that GeoNode will correctly prevent the user from<br>
downloading a layer if he does not have the permission to download it only by<br>
not showing the download button.<br>
Unluckily an astute user will still be able to download the datasets if<br>
he can figure out the GeoServer WFS link.<br>
This was also not possible to fix on the GeoServer side because of the<br>
way the GeoServer security plugin is actually conceived.<br>
One possible solution would be to proxy any WFS request and make the<br>
permissions check, as we did for the REST API call modifying styles,<br>
but it would need to be implemented. Some months ago I created a branch<br>
with a very raw and prototypal implementation of this:<br>
<a href="https://github.com/capooti/geonode/commit/b4b232293d748fbe33ae436962dc8c9f1c289d50" target="_blank">https://github.com/capooti/geonode/commit/b4b232293d748fbe33ae436962dc8c9f1c289d50</a><br>
<br>
If having this discrepancy is a big concern, you could consider<br>
disabling the GeoServer WFS. Unluckily the WFS services will be disabled<br>
for all of the layers, making download impossible for all of the<br>
layers, but also some other features like editing (and maybe identify?<br>
I cannot remember if it relies on WMS or WFS GetFeatureInfo). So it<br>
depends on the situation whether this could be considered acceptable.<br>
<br>
During the sprint we have been talking with Alessio Fabiani to figure<br>
out a way to integrate GeoFence in GeoNode (for GeoNode 2.4++ only).<br>
Using GeoFence we will have a wider set of permissions, including<br>
effectively disabling download for a specific layer, restricting a layer to<br>
a specific extent, and disabling some of the layer attributes for a<br>
specific user/group.<br>
This sounds very exciting but we will all have to bear with it until the time<br>
this stuff is implemented.<br>
<br>
Please consider also this similar issue, related to metadata editing:<br>
<a href="https://github.com/GeoNode/geonode/issues/1726" target="_blank">https://github.com/GeoNode/geonode/issues/1726</a><br>
If I understand correctly here, this can be critical for GeoNetwork,<br>
while for pycsw only if enabling transactions, which by default are<br>
disabled.<br>
<br>
p<br>
<br>
On Tue, Feb 24, 2015 at 6:11 AM, Erick Omwandho Opiyo<br>
<div><div><<a href="mailto:e.omwandho@gmail.com" target="_blank">e.omwandho@gmail.com</a>> wrote:<br>
> Check under topic for layers - setting layers permission.<br>
><br>
> On Tue, Feb 24, 2015 at 8:10 AM, Erick Omwandho Opiyo <<a href="mailto:e.omwandho@gmail.com" target="_blank">e.omwandho@gmail.com</a>><br>
> wrote:<br>
>><br>
>> Hi Steve,<br>
>><br>
>> I think the issue has been implemented in the newer version of GeoNode,<br>
>> version 2.4b18. When you upload a new layer you have the option for only<br>
>> viewing or download; check the documentation at<br>
>> <a href="https://geonode.readthedocs.org/en/master/reference/security.html?highlight=security" target="_blank">https://geonode.readthedocs.org/en/master/reference/security.html?highlight=security</a>.<br>
>><br>
>> Erick<br>
>><br>
>><br>
>><br>
>> On Tue, Feb 24, 2015 at 2:32 AM, Stephen Mather<br>
>> <<a href="mailto:stephen@smathermather.com" target="_blank">stephen@smathermather.com</a>> wrote:<br>
>>><br>
>>> Hi All,<br>
>>><br>
>>> What's the best way to allow for viewing, clicking for more info, but not<br>
>>> allow download of raw data (csv, shapefile, geojson, etc.)?<br>
>>><br>
>>> Thanks,<br>
>>> Best,<br>
>>> Steve<br>
>>><br>
>>> _______________________________________________<br>
>>> geonode-users mailing list<br>
>>> <a href="mailto:geonode-users@lists.osgeo.org" target="_blank">geonode-users@lists.osgeo.org</a><br>
>>> <a href="http://lists.osgeo.org/cgi-bin/mailman/listinfo/geonode-users" target="_blank">http://lists.osgeo.org/cgi-bin/mailman/listinfo/geonode-users</a><br>
>>><br>
>><br>
>><br>
>><br>
>> --<br>
>> Kind Regards,<br>
>><br>
>> Erick Omwandho Opiyo<br>
>><br>
>> Cell: <a href="tel:0724590982" value="+5724590982" target="_blank">0724590982</a><br>
>> Blog: <a href="http://eomwandho.wordpress.com" target="_blank">http://eomwandho.wordpress.com</a><br>
><br>
<br>
<br>
<br>
--<br>
</div></div><span><font color="#888888">Paolo Corti<br>
Geospatial software developer<br>
web: <a href="http://www.paolocorti.net" target="_blank">http://www.paolocorti.net</a><br>
twitter: @capooti<br>
skype: capooti<br>
</font></span></blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br></div>
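The WFS proxy check Paolo describes, sketched as an added example (not code from this thread or from the linked GeoNode branch): the download decision is made on the request that reaches the server, not on whether the download button is shown. The function name, the ACL table, the user names and the sample URLs are constructed for illustration, and only GET key-value requests are handled; POST XML bodies would need the same check.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed ACL: layer name -> users allowed to download its raw features.
DOWNLOAD_ACL = {"geonode:roads": {"alice", "bob"}, "geonode:parcels": {"alice"}}

# WFS operations that describe the service or schema and return no features.
METADATA_OPS = {"getcapabilities", "describefeaturetype"}


def check_ows_request(user, url, acl=DOWNLOAD_ACL):
    """Return (allowed, reason) for one GET key-value request at the proxy."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # OWS parameter names are case-insensitive, so compare them lower-cased.
    params = {key.lower(): value for key, value in pairs}
    if len(params) != len(pairs):
        # typeName=a&TYPENAME=b: proxy and backend could pick different values.
        return False, "duplicate parameter"
    # Without a service parameter, fall back to the endpoint name (.../wfs).
    endpoint = parts.path.rstrip("/").rsplit("/", 1)[-1]
    service = (params.get("service") or endpoint).lower()
    if service == "wms":
        return True, "WMS request"  # GetMap and GetFeatureInfo pass through
    if service != "wfs":
        return False, "service not handled"  # fail closed
    if params.get("request", "").lower() in METADATA_OPS:
        return True, "metadata operation"
    # Anything else (GetFeature, ...) is treated as access to raw data.
    # WFS 1.x names layers in typeName, WFS 2.0 in typeNames (comma-separated).
    raw = ",".join(params.get(key, "") for key in ("typename", "typenames"))
    layers = [name.strip() for name in raw.split(",") if name.strip()]
    if not layers:
        # e.g. a featureID-only request: no layer to check, so refuse.
        return False, "no layer named"
    for layer in layers:
        if user not in acl.get(layer, set()):
            return False, "download denied for " + layer
    return True, "download permitted"


# Constructed sample requests, as a proxy in front of GeoServer would see them.
BASE = "/geoserver/ows?service=WFS&version=1.0.0&request=GetFeature"
if __name__ == "__main__":
    for user, url in [
        ("bob", BASE + "&typeName=geonode:parcels&outputFormat=csv"),
        ("bob", "/geoserver/wfs?REQUEST=getfeature&TYPENAMES=geonode:roads,geonode:parcels"),
        ("alice", BASE + "&typeName=geonode:roads,geonode:parcels"),
        ("bob", "/geoserver/wms?service=WMS&request=GetFeatureInfo&layers=geonode:parcels"),
    ]:
        print(user, check_ows_request(user, url))
```
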