Exemplo n.º 1
def _filter_security(q, user, model, permission):
    """Narrow ``q`` to the ``model`` rows that ``user`` may access.

    Row-level access is granted by role mappings whose role carries the
    permission named by ``permission`` (a codename on ``model``'s content
    type). Grants are OR-ed together from these sources:

    * generic roles: ANONYMOUS_USERS always, plus AUTHENTICATED_USERS for a
      non-anonymous user;
    * mappings bound directly to ``user``;
    * ownership: rows with ``owner=user`` are included whatever
      ``permission`` was requested;
    * mappings bound to each of the user's groups, only when
      ``geonode.contrib.groups`` is installed.

    A falsy ``user`` is treated like an anonymous one. ``Permission.objects.get``
    is not guarded, so its lookup error propagates when the codename does not
    match a permission.
    """
    # Superusers bypass row-level filtering entirely.
    # NOTE(review): is_active is not consulted here; confirm callers never
    # pass a deactivated account.
    if user and user.is_superuser:
        return q

    content_type = ContentType.objects.get_for_model(model)
    required_perm = Permission.objects.get(content_type=content_type,
                                           codename=permission)

    is_known_user = user and not user.is_anonymous()

    # Everyone gets the anonymous grants; signed-in users also get the
    # authenticated-users grants.
    subjects = [ANONYMOUS_USERS]
    if is_known_user:
        subjects.append(AUTHENTICATED_USERS)
    generic_ids = GenericObjectRoleMapping.objects.filter(
        object_ct=content_type,
        role__permissions__in=[required_perm],
        subject__in=subjects,
    ).values('object_id')
    visible = Q(id__in=generic_ids)

    # Nothing user-specific can apply without an authenticated user.
    if not is_known_user:
        return q.filter(visible)

    user_ids = UserObjectRoleMapping.objects.filter(
        object_ct=content_type,
        role__permissions__in=[required_perm],
        user=user,
    ).values('object_id')
    # The owner clause is independent of the requested permission.
    visible = visible | Q(id__in=user_ids) | Q(owner=user)

    if "geonode.contrib.groups" in settings.INSTALLED_APPS:
        # One sub-select per group the user belongs to.
        for member_group in Group.groups_for_user(user):
            group_ids = GroupObjectRoleMapping.objects.filter(
                object_ct=content_type,
                role__permissions__in=[required_perm],
                group=member_group,
            ).values('object_id')
            visible = visible | Q(id__in=group_ids)

    return q.filter(visible)
Exemplo n.º 2
    def _get_all_obj_perms(self, user_obj, obj):
        """Collect every permission ``user_obj`` holds on ``obj`` (uncached).

        Returns a set of ``(app_label, codename)`` tuples gathered from the
        user's own role mappings on ``obj`` and, when
        ``geonode.contrib.groups`` is installed, from the mappings of each
        group the user belongs to. The result of
        ``self._get_generic_obj_perms`` for the applicable generic roles
        (ANONYMOUS_USERS, plus AUTHENTICATED_USERS for a non-anonymous user)
        is merged in as well.

        ``user_obj`` is dereferenced without a None check, so callers must
        pass a user object (an anonymous one is fine).
        """
        related = ('role', 'role__permissions',
                   'role__permissions__content_type')
        authenticated = not user_obj.is_anonymous()

        subjects = [ANONYMOUS_USERS]
        if authenticated:
            subjects.append(AUTHENTICATED_USERS)
        granted = set(self._get_generic_obj_perms(subjects, obj))

        content_type = ContentType.objects.get_for_model(obj)
        if not authenticated:
            # Anonymous users only ever receive the generic grants.
            return granted

        def collect(mappings):
            # Flatten each mapping's role into (app_label, codename) pairs.
            for mapping in mappings:
                granted.update(
                    (perm.content_type.app_label, perm.codename)
                    for perm in mapping.role.permissions.all()
                )

        collect(
            UserObjectRoleMapping.objects.select_related(*related).filter(
                object_id=obj.id, object_ct=content_type, user=user_obj
            ).all()
        )

        if "geonode.contrib.groups" in settings.INSTALLED_APPS:
            for member_group in Group.groups_for_user(user_obj):
                collect(
                    GroupObjectRoleMapping.objects.select_related(*related).filter(
                        object_id=obj.id, object_ct=content_type,
                        group=member_group
                    ).all()
                )

        return granted
Exemplo n.º 3
    def objects_with_perm(self, acl_obj, perm, ModelType):
        """Return the ids of ``ModelType`` objects on which ``acl_obj`` holds ``perm``.

        ``perm`` may be a ``Permission`` instance or a name, which is resolved
        through ``self._permission_for_name``. ``acl_obj`` is a ``User`` or,
        when ``geonode.contrib.groups`` is installed, a ``Group``.

        The result is a set of object ids drawn from:

        * role mappings bound to a non-anonymous user, and to each of that
          user's groups when group support is installed;
        * role mappings bound to ``acl_obj`` itself when it is a ``Group``;
        * generic role mappings: ANONYMOUS_USERS for every caller, plus
          AUTHENTICATED_USERS for a non-anonymous user.

        Any other ``acl_obj`` therefore receives only the anonymous grants.
        """
        if not isinstance(perm, Permission):
            perm = self._permission_for_name(perm)
        content_type = ContentType.objects.get_for_model(ModelType)
        groups_enabled = "geonode.contrib.groups" in settings.INSTALLED_APPS

        def mapped_ids(mapping_model, **subject_filter):
            # Object ids of mappings for this permission, content type and subject.
            rows = mapping_model.objects.filter(
                role__permissions=perm, object_ct=content_type,
                **subject_filter
            )
            return [row[0] for row in rows.values_list('object_id')]

        found = set()
        subjects = [ANONYMOUS_USERS]

        if isinstance(acl_obj, User) and not acl_obj.is_anonymous():
            subjects.append(AUTHENTICATED_USERS)
            found.update(mapped_ids(UserObjectRoleMapping, user=acl_obj))
            if groups_enabled:
                # Grants inherited through the user's group memberships.
                for member_group in Group.groups_for_user(acl_obj):
                    found.update(
                        mapped_ids(GroupObjectRoleMapping, group=member_group)
                    )

        if groups_enabled and isinstance(acl_obj, Group):
            found.update(mapped_ids(GroupObjectRoleMapping, group=acl_obj))

        found.update(mapped_ids(GenericObjectRoleMapping, subject__in=subjects))
        return found