GeoNode / geonode

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data.
https://geonode.org/

Data edition permissions set in GeoNode for a layer are not applied on the WFS #5779

Closed audetrobergem closed 4 years ago

audetrobergem commented 4 years ago

Expected Behavior

I want the data edition permissions set in GeoNode on the layers (Who can edit data for this layer?) to also be applied when I display the data in another client (WFS in QGIS).

Actual Behavior

All users who have access to a layer can modify the data in QGIS, even if they do not have data edition permission.

Steps to Reproduce the Problem

  1. With a first user, set the permissions of a layer in GeoNode so that no one can edit the data.
  2. Add the WFS into QGIS (https://master.demo.geonode.org/gs/ows for example) with the credentials of a different user.
  3. Add the layer whose data no one can edit to QGIS and open the attribute table.
  4. Activate the modifications by clicking on the small pen.
  5. Edit the attributes and save.

Specifications

audetrobergem commented 4 years ago

Adding a GeoFence Data Rule that denies transactions for a layer prevented a user from modifying the data in QGIS.

A solution to this problem could be the automatic addition of this type of rule when permissions are created?

afabiani commented 4 years ago

@audetrobergem yeps, I guess that would be the best option to fix this quickly.

gannebamm commented 4 years ago

@afabiani shouldn't this work in the expected behaviour way out of the box? I am puzzled.

gannebamm commented 4 years ago

@sjohn-atenekom Could you test this behaviour? I think those security related issues are relevant for AteneKOM? This help would be very much appreciated :D

ghost commented 4 years ago

I think the problem here is actually bigger. I think the permissions are not always considered in the /gs/ows endpoint. I managed to load a private layer into QGIS without authentication. On the other hand, the data edition did not work (as expected). This layer should only be visible by users sberger and sberger1: https://master.demo.geonode.org/layers/geonode_master_data:geonode:VG250_LAN

The layer should also not show up in the capabilities document https://master.demo.geonode.org/gs/ows?service=WMS&request=getcapabilities

afabiani commented 4 years ago

I guess the GeoFence rules on master demo were messed up. I cleaned up all the rules and refreshed. Can you please try again?

P.S. make sure to use the correct user and start always with a clean browser session.


ghost commented 4 years ago

Thanks, @afabiani. I was now able to reproduce the problem described by @audetrobergem and think that adding a geofence data rule should fix it.

gannebamm commented 4 years ago

I have added a general DENY rule for VG_LAN

Which should get overwritten by specific ones. You should not be able to edit it anymore @sjohn-atenekom

ghost commented 4 years ago

It seems it does get overwritten. Even as owner of the dataset, I can't see it anymore. Probably this rule should be on the bottom to get overwritten. But even this rule denies everything and gets overwritten by service=WFS and request=*; the user is again allowed to edit the data. Adding a default rule with service=wfs and request=transaction seems the only solution to me at the moment.
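Added example (not part of the thread and not GeoNode or GeoFence code): a simplified Python model of priority-ordered, first-match rule evaluation, showing the three rule placements discussed above. The users `owner` and `viewer`, the priorities and the rule sets are constructed for illustration, and case-insensitive matching is a simplification of this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int        # lower number is evaluated first
    access: str          # "ALLOW" or "DENY"
    user: str = "*"
    service: str = "*"
    request: str = "*"
    layer: str = "*"

def _match(pattern, value):
    # "*" is a wildcard; otherwise compare case-insensitively (model simplification)
    return pattern == "*" or pattern.lower() == value.lower()

def decide(rules, user, service, request, layer):
    """Return the access of the first matching rule in priority order, DENY if none."""
    for r in sorted(rules, key=lambda r: r.priority):
        pairs = ((r.user, user), (r.service, service),
                 (r.request, request), (r.layer, layer))
        if all(_match(p, v) for p, v in pairs):
            return r.access
    return "DENY"

LAYER = "VG250_LAN"  # layer name from the thread

# Constructed per-user rules: owner may do everything, viewer gets WFS and WMS.
USER_RULES = [
    Rule(10, "ALLOW", user="owner", layer=LAYER),
    Rule(20, "ALLOW", user="viewer", service="WFS", layer=LAYER),
    Rule(21, "ALLOW", user="viewer", service="WMS", layer=LAYER),
]

# 1. General DENY evaluated first: it wins for everyone, owner included.
deny_on_top = [Rule(0, "DENY", layer=LAYER)] + USER_RULES
# 2. General DENY evaluated last: the WFS request=* ALLOW still matches Transaction.
deny_at_bottom = USER_RULES + [Rule(999, "DENY", layer=LAYER)]
# 3. Targeted DENY for WFS Transaction, placed before the viewer's WFS ALLOW.
transaction_deny = [Rule(15, "DENY", service="WFS", request="TRANSACTION",
                         layer=LAYER)] + USER_RULES

if __name__ == "__main__":
    for name, rules in (("deny_on_top", deny_on_top),
                        ("deny_at_bottom", deny_at_bottom),
                        ("transaction_deny", transaction_deny)):
        for user in ("owner", "viewer"):
            for req in ("GetFeature", "Transaction"):
                print(name, user, req, decide(rules, user, "WFS", req, LAYER))
```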