def _filter_security(q, user, model, permission): '''apply filters to the query that remove those model objects that are not viewable by the given user based on row-level permissions''' # superusers see everything if user and user.is_superuser: return q # resolve the model permission ct = ContentType.objects.get_for_model(model) p = Permission.objects.get(content_type=ct, codename=permission) # apply generic role filters generic_roles = [ANONYMOUS_USERS] if user and not user.is_anonymous(): generic_roles.append(AUTHENTICATED_USERS) grm = GenericObjectRoleMapping.objects.filter(object_ct=ct, role__permissions__in=[p], subject__in=generic_roles).values('object_id') security = Q(id__in=grm) # apply specific user filters if user and not user.is_anonymous(): urm = UserObjectRoleMapping.objects.filter(object_ct=ct, role__permissions__in=[p], user=user).values('object_id') security = security | Q(id__in=urm) # if the user is the owner, make sure these are included security = security | Q(owner=user) if "geonode.contrib.groups" in settings.INSTALLED_APPS: # apply group security for group in Group.groups_for_user(user): grm = GroupObjectRoleMapping.objects.filter(object_ct=ct, role__permissions__in=[p], group=group).values('object_id') security = security | Q(id__in=grm) return q.filter(security)
def _get_all_obj_perms(self, user_obj, obj):
    """Return the uncached set of ``(app_label, codename)`` pairs that
    ``user_obj`` holds on the single object ``obj``.

    Grants are merged from three sources: generic role mappings for
    ANONYMOUS_USERS (always) and AUTHENTICATED_USERS (logged-in users only),
    UserObjectRoleMappings bound directly to the user, and — when
    ``geonode.contrib.groups`` is installed — GroupObjectRoleMappings for
    every group returned by ``Group.groups_for_user``. There is no
    superuser shortcut in this method.
    """
    # is_anonymous() is the pre-Django-2.0 callable form
    authenticated = not user_obj.is_anonymous()

    def _codes_from(mappings):
        # Flatten role mappings into the (app_label, codename) pairs that
        # permission checks compare against.
        return {
            (permission.content_type.app_label, permission.codename)
            for mapping in mappings
            for permission in mapping.role.permissions.all()
        }

    subjects = [ANONYMOUS_USERS]
    if authenticated:
        subjects.append(AUTHENTICATED_USERS)
    found = set(self._get_generic_obj_perms(subjects, obj))

    ct = ContentType.objects.get_for_model(obj)
    # pre-fetch the role -> permission -> content type chain in one query
    related = ('role', 'role__permissions', 'role__permissions__content_type')

    if authenticated:
        user_mappings = (UserObjectRoleMapping.objects
                         .select_related(*related)
                         .filter(object_id=obj.id, object_ct=ct, user=user_obj)
                         .all())
        found |= _codes_from(user_mappings)

    if "geonode.contrib.groups" in settings.INSTALLED_APPS:
        for group in Group.groups_for_user(user_obj):
            group_mappings = (GroupObjectRoleMapping.objects
                              .select_related(*related)
                              .filter(object_id=obj.id, object_ct=ct, group=group)
                              .all())
            found |= _codes_from(group_mappings)

    return found
def objects_with_perm(self, acl_obj, perm, ModelType):
    """Return the set of primary keys of ``ModelType`` rows on which
    ``acl_obj`` holds the permission ``perm``.

    ``acl_obj`` is a User or, when ``geonode.contrib.groups`` is installed,
    a Group. ``perm`` is a Permission instance or a name that
    ``_permission_for_name`` resolves. Ids are gathered from the user's own
    UserObjectRoleMappings, the GroupObjectRoleMappings of the user's groups
    (or of the group itself), and the GenericObjectRoleMappings for
    ANONYMOUS_USERS — plus AUTHENTICATED_USERS for a logged-in user.

    Unlike ``_filter_security`` there is no superuser shortcut: a superuser
    only gets the ids that are explicitly mapped.
    """
    if not isinstance(perm, Permission):
        perm = self._permission_for_name(perm)
    ct = ContentType.objects.get_for_model(ModelType)
    obj_ids = set()
    # anonymous grants apply to every subject; the authenticated grant is
    # added below only for a logged-in user
    generic_roles = [ANONYMOUS_USERS]
    if isinstance(acl_obj, User):
        # is_anonymous() is the pre-Django-2.0 callable form
        if not acl_obj.is_anonymous():
            generic_roles.append(AUTHENTICATED_USERS)
            # NOTE(review): nesting reconstructed from a collapsed source; kept
            # inside the is_anonymous guard because filtering on
            # user=AnonymousUser is not a valid ORM lookup.
            # values_list() without flat=True yields 1-tuples, hence x[0]
            obj_ids.update([x[0] for x in UserObjectRoleMapping.objects.filter(
                user=acl_obj, role__permissions=perm, object_ct=ct).values_list('object_id')])
        if "geonode.contrib.groups" in settings.INSTALLED_APPS:
            # If the user is a member of any groups, see if the groups have permission to the object.
            for group in Group.groups_for_user(acl_obj):
                obj_ids.update([x[0] for x in GroupObjectRoleMapping.objects.filter(
                    group=group, role__permissions=perm, object_ct=ct).values_list('object_id')])
    # the isinstance check sits under the INSTALLED_APPS guard, presumably so
    # that Group is only referenced when the groups app is available
    if "geonode.contrib.groups" in settings.INSTALLED_APPS:
        if isinstance(acl_obj, Group):
            obj_ids.update([x[0] for x in GroupObjectRoleMapping.objects.filter(
                group=acl_obj, role__permissions=perm, object_ct=ct).values_list('object_id')])
    obj_ids.update([x[0] for x in GenericObjectRoleMapping.objects.filter(
        subject__in=generic_roles, role__permissions=perm, object_ct=ct).values_list('object_id')])
    return obj_ids