[Fixes #9842] Extra metadata endpoint return 403 even if the user has… #9843

Merged
merged 4 commits into from
Aug 10, 2022
27 changes: 14 additions & 13 deletions geonode/base/api/views.py
Expand Up @@ -503,7 +503,7 @@ def _to_compact_perms_list(allowed_perms: dict, resource_type: str, resource_sub
permission_classes=[
IsAuthenticated
])
def resource_service_permissions(self, request, pk=None):
def resource_service_permissions(self, request, pk):
"""Instructs the Async dispatcher to execute a 'DELETE' or 'UPDATE' on the permissions of a valid 'uuid'

- GET input_params: {
Expand Down Expand Up @@ -559,7 +559,7 @@ def resource_service_permissions(self, request, pk=None):

"""
config = Configuration.load()
resource = self.get_object()
resource = get_object_or_404(ResourceBase, pk=pk)
_user_can_manage = request.user.has_perm('change_resourcebase_permissions', resource.get_self_resource())
if config.read_only or config.maintenance or request.user.is_anonymous or not request.user.is_authenticated or \
resource is None or not _user_can_manage:
Expand Down Expand Up @@ -883,7 +883,7 @@ def resource_service_create(self, request, resource_type: str = None):
permission_classes=[
IsAuthenticated, UserHasPerms
])
def resource_service_delete(self, request, pk=None):
def resource_service_delete(self, request, pk):
"""Instructs the Async dispatcher to execute a 'DELETE' operation over a valid 'uuid'

- DELETE input_params: {
Expand Down Expand Up @@ -922,7 +922,7 @@ def resource_service_delete(self, request, pk=None):
}
"""
config = Configuration.load()
resource = self.get_object()
resource = get_object_or_404(ResourceBase, pk=pk)
if config.read_only or config.maintenance or request.user.is_anonymous or not request.user.is_authenticated or \
resource is None or not request.user.has_perm('delete_resourcebase', resource.get_self_resource()):
return Response(status=status.HTTP_403_FORBIDDEN)
Expand Down Expand Up @@ -963,7 +963,7 @@ def resource_service_delete(self, request, pk=None):
permission_classes=[
IsAuthenticated, UserHasPerms
])
def resource_service_update(self, request, pk=None):
def resource_service_update(self, request, pk):
"""Instructs the Async dispatcher to execute a 'UPDATE' operation over a valid 'uuid'

- PUT input_params: {
Expand Down Expand Up @@ -1029,7 +1029,7 @@ def resource_service_update(self, request, pk=None):
http://localhost:8000/api/v2/resources/<id>/update
"""
config = Configuration.load()
resource = self.get_object()
resource = get_object_or_404(ResourceBase, pk=pk)
if config.read_only or config.maintenance or request.user.is_anonymous or not request.user.is_authenticated or \
resource is None or not request.user.has_perm('change_resourcebase', resource.get_self_resource()):
return Response(status=status.HTTP_403_FORBIDDEN)
Expand Down Expand Up @@ -1078,7 +1078,7 @@ def resource_service_update(self, request, pk=None):
permission_classes=[
IsAuthenticated, UserHasPerms
])
def resource_service_copy(self, request, pk=None):
def resource_service_copy(self, request, pk):
"""Instructs the Async dispatcher to execute a 'COPY' operation over a valid 'pk'

- PUT input_params: {
Expand Down Expand Up @@ -1128,7 +1128,7 @@ def resource_service_copy(self, request, pk=None):
}
"""
config = Configuration.load()
resource = self.get_object()
resource = get_object_or_404(ResourceBase, pk=pk)
if config.read_only or config.maintenance or request.user.is_anonymous or not request.user.is_authenticated or \
resource is None or not request.user.has_perm('view_resourcebase', resource.get_self_resource()):
return Response(status=status.HTTP_403_FORBIDDEN)
Expand Down Expand Up @@ -1175,8 +1175,8 @@ def resource_service_copy(self, request, pk=None):
permission_classes=[
IsAuthenticatedOrReadOnly, UserHasPerms
])
def ratings(self, request, pk=None):
resource = self.get_object()
def ratings(self, request, pk):
resource = get_object_or_404(ResourceBase, pk=pk)
resource = resource.get_real_instance()
ct = ContentType.objects.get_for_model(resource)
if request.method == 'POST':
Expand Down Expand Up @@ -1234,7 +1234,7 @@ def ratings(self, request, pk=None):
],
parser_classes=[JSONParser, MultiPartParser]
)
def set_thumbnail(self, request, pk=None):
def set_thumbnail(self, request, pk):
resource = get_object_or_404(ResourceBase, pk=pk)

if not request.data.get('file'):
Expand Down Expand Up @@ -1297,8 +1297,9 @@ def set_thumbnail(self, request, pk=None):
url_path=r"extra_metadata", # noqa
url_name="extra-metadata",
)
def extra_metadata(self, request, pk=None):
_obj = self.get_object()
def extra_metadata(self, request, pk):
_obj = get_object_or_404(ResourceBase, pk=pk)

if request.method == "GET":
# get list of available metadata
queryset = _obj.metadata.all()
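Review bot: In the `extra_metadata` hunk (and the `ratings` hunk above it) the switch from `self.get_object()` to `get_object_or_404(ResourceBase, pk=pk)` removes the object-level permission check that DRF's `get_object()` runs through `check_object_permissions()` and the filtering applied by `get_queryset()`, and unlike the `resource_service_*` hunks no explicit `request.user.has_perm(...)` check is visible on the new side. If `UserHasPerms` enforces anything in `has_object_permission`, it no longer runs for these two endpoints; if access is meant to be gated by the view-level `has_permission` alone, say so next to the lookup, e.g. `# Direct lookup skips get_queryset()/check_object_permissions: access is gated by UserHasPerms.has_permission (see #9842)`, otherwise add `self.check_object_permissions(request, _obj)` right after it. A smaller point: the `resource is None` clauses in the conditions following the other `get_object_or_404` replacements (`resource_service_permissions`, `resource_service_delete`, `resource_service_update`, `resource_service_copy`) are now dead, since `get_object_or_404` raises `Http404` instead of returning `None`. The bodies of all these methods continue outside the hunks.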