From 4ea1863d5355d228efd899aa7805c94be24fa5d9 Mon Sep 17 00:00:00 2001
From: mattiagiupponi <51856725+mattiagiupponi@users.noreply.github.com>
Date: Wed, 10 Aug 2022 17:58:06 +0200
Subject: [PATCH] =?UTF-8?q?[Fixes=20#9842]=20Extra=20metadata=20endpoint?= =?UTF-8?q?=20return=20403=20even=20if=20the=20user=20has=E2=80=A6=20(#984?= =?UTF-8?q?3)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* [Fixes #9842] Extra metadata endpoint return 403 even if the user has view perms
---
geonode/base/api/views.py | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/geonode/base/api/views.py b/geonode/base/api/views.py
index 2160044f514..65950619def 100644
--- a/geonode/base/api/views.py
+++ b/geonode/base/api/views.py
@@ -503,7 +503,7 @@ def _to_compact_perms_list(allowed_perms: dict, resource_type: str, resource_sub permission_classes=[ IsAuthenticated ]) - def resource_service_permissions(self, request, pk=None): + def resource_service_permissions(self, request, pk): """Instructs the Async dispatcher to execute a 'DELETE' or 'UPDATE' on the permissions of a valid 'uuid' - GET input_params: {
@@ -559,7 +559,7 @@ def resource_service_permissions(self, request, pk=None): """ config = Configuration.load() - resource = self.get_object() + resource = get_object_or_404(ResourceBase, pk=pk) _user_can_manage = request.user.has_perm('change_resourcebase_permissions', resource.get_self_resource()) if config.read_only or config.maintenance or request.user.is_anonymous or not request.user.is_authenticated or \ resource is None or not _user_can_manage: 
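Review bot: In the hunk at -559 the `resource is None or` term in the guard that follows `resource = get_object_or_404(ResourceBase, pk=pk)` is now dead code, because get_object_or_404 raises Http404 instead of returning None; the same dead term remains after the identical replacement in the -922, -1029 and -1128 hunks, and dropping it from each condition would keep the guards honest. The replacement also changes who reaches that guard: `self.get_object()` resolved the resource through the viewset's queryset and ran DRF's check_object_permissions, while a direct model lookup does neither, so the explicit `has_perm('change_resourcebase_permissions', ...)` test on the next line is now the sole object-level gate for this action and deserves a comment such as `# looked up outside the viewset queryset: the has_perm check below is the only object-level gate`. The body of resource_service_permissions continues past the end of the hunk.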
@@ -883,7 +883,7 @@ def resource_service_create(self, request, resource_type: str = None): permission_classes=[ IsAuthenticated, UserHasPerms ]) - def resource_service_delete(self, request, pk=None): + def resource_service_delete(self, request, pk): """Instructs the Async dispatcher to execute a 'DELETE' operation over a valid 'uuid' - DELETE input_params: {
@@ -922,7 +922,7 @@ def resource_service_delete(self, request, pk=None): } """ config = Configuration.load() - resource = self.get_object() + resource = get_object_or_404(ResourceBase, pk=pk) if config.read_only or config.maintenance or request.user.is_anonymous or not request.user.is_authenticated or \ resource is None or not request.user.has_perm('delete_resourcebase', resource.get_self_resource()): return Response(status=status.HTTP_403_FORBIDDEN)
@@ -963,7 +963,7 @@ def resource_service_delete(self, request, pk=None): permission_classes=[ IsAuthenticated, UserHasPerms ]) - def resource_service_update(self, request, pk=None): + def resource_service_update(self, request, pk): """Instructs the Async dispatcher to execute a 'UPDATE' operation over a valid 'uuid' - PUT input_params: {
@@ -1029,7 +1029,7 @@ def resource_service_update(self, request, pk=None): http://localhost:8000/api/v2/resources//update """ config = Configuration.load() - resource = self.get_object() + resource = get_object_or_404(ResourceBase, pk=pk) if config.read_only or config.maintenance or request.user.is_anonymous or not request.user.is_authenticated or \ resource is None or not request.user.has_perm('change_resourcebase', resource.get_self_resource()): return Response(status=status.HTTP_403_FORBIDDEN)
@@ -1078,7 +1078,7 @@ def resource_service_update(self, request, pk=None): permission_classes=[ IsAuthenticated, UserHasPerms ]) - def resource_service_copy(self, request, pk=None): + def resource_service_copy(self, request, pk): """Instructs the Async dispatcher to execute a 'COPY' operation over a valid 'pk' - PUT input_params: { 
@@ -1128,7 +1128,7 @@ def resource_service_copy(self, request, pk=None): } """ config = Configuration.load() - resource = self.get_object() + resource = get_object_or_404(ResourceBase, pk=pk) if config.read_only or config.maintenance or request.user.is_anonymous or not request.user.is_authenticated or \ resource is None or not request.user.has_perm('view_resourcebase', resource.get_self_resource()): return Response(status=status.HTTP_403_FORBIDDEN)
@@ -1175,8 +1175,8 @@ def resource_service_copy(self, request, pk=None): permission_classes=[ IsAuthenticatedOrReadOnly, UserHasPerms ]) - def ratings(self, request, pk=None): - resource = self.get_object() + def ratings(self, request, pk): + resource = get_object_or_404(ResourceBase, pk=pk) resource = resource.get_real_instance() ct = ContentType.objects.get_for_model(resource) if request.method == 'POST':
@@ -1234,7 +1234,7 @@ def ratings(self, request, pk=None): ], parser_classes=[JSONParser, MultiPartParser] ) - def set_thumbnail(self, request, pk=None): + def set_thumbnail(self, request, pk): resource = get_object_or_404(ResourceBase, pk=pk) if not request.data.get('file'):
@@ -1297,8 +1297,9 @@ def set_thumbnail(self, request, pk=None): url_path=r"extra_metadata", # noqa url_name="extra-metadata", ) - def extra_metadata(self, request, pk=None): - _obj = self.get_object() + def extra_metadata(self, request, pk): + _obj = get_object_or_404(ResourceBase, pk=pk) + if request.method == "GET": # get list of available metadata queryset = _obj.metadata.all()
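Review bot: In the -1175 and -1297 hunks, `resource = get_object_or_404(ResourceBase, pk=pk)` in ratings and `_obj = get_object_or_404(ResourceBase, pk=pk)` in extra_metadata are followed by no visible per-object permission test, and because `self.get_object()` is no longer called DRF's check_object_permissions is skipped, so any has_object_permission logic in UserHasPerms no longer runs for these actions; whether UserHasPerms.has_permission performs its own lookup from the URL pk cannot be seen from the hunk. A guard mirroring the one resource_service_copy keeps in the -1128 hunk would make the gate explicit, e.g. `if not request.user.has_perm('view_resourcebase', _obj.get_self_resource()):` followed by `    return Response(status=status.HTTP_403_FORBIDDEN)` directly after the lookup in extra_metadata, with the same shape on `resource` in ratings. The permission_classes of extra_metadata and the remainder of both bodies lie outside the hunk.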