via REST API uploaded documents to not get proper permissions

[gannebamm]

Expected Behavior

edit: clarifications

If I as a normal registered user upload a document via the REST API it belongs to my user and I can delete it. It should show this:

Actual Behavior

I as a normal registered user am unable to delete it. It does not show delete:

as admin I am able to delete the ressource

Steps to Reproduce the Problem

• create a new user (registered user)
• use this new user account to upload a document via REST API like:

import requests
url = "https://stable.demo.geonode.org/api/v2/documents"
payload = { 'title' : 'test upload of document via rest api' }
files = [ ('doc_file', ('test.txt', open('./test.txt', 'rb'), 'text/plain')) ]
headers = { 'Authorization' : 'Basic ...' } # replaced "..." with the output of $(echo -n user:password | base64) with my credentials
response = requests.request ("POST", url, data=payload, headers=headers, files=files)

Open https://stable.demo.geonode.org/catalogue/#/documents

log in as user (not admin!)

See the delete option is missing on the new document:

Specifications

• GeoNode version: stable.demo (4.4.0.dev0)
• Additional details:

[gannebamm]

@ahmdthr please take a look at this. Since I tested both development and stable demo it should not be linked to your latest PR #11872

edit: or better send this to @kilichenko-pixida since he has more free capacity.

[ridoo]

@ridoo Test REST API upload v4.3.1

[gannebamm]

additional specification to reproduce: You shall use a 'normal' user to upload. Admin /superuser will work.

[mattiagiupponi]

Hi @gannebamm did your team had time to check this issue? otherwise i can give a check on it

[gannebamm]

@ridoo , @kilichenko-pixida please check this. As stated a normal registered user shall be used NOT an admin user.

edit: I did some clarification in the how to reproduce section above

[kilichenko-pixida]

@gannebamm yes, I was able to reproduce it and ran into the same problem on the non-admin user after an API upload

[giohappy]

@gannebamm are you going to take care of this?

[gannebamm]

@gannebamm yes, I was able to reproduce it and ran into the same problem on the non-admin user after an API upload

@kilichenko-pixida please debug into the process and take a look at the permission granting process to identify the issue.

@giohappy we will try

[kilichenko-pixida]

The issue was indeed due to improper permissions handling. Both in DocumentUploadView that handles UI requests and in DocumentViewSet that handles API there is a call to set_permissions method and in both cases all permissions are being removed.

The difference, however, is that in UI code, after all permissions have been removed, there is also a resource_manager.update call which actually includes calling set_default_permissions method which restores default values.

See PR #10 for the suggested fix.

I see setting permissions to None on the API side was first introduced in 7f56ebe, though I don't know whether it was a simple oversight or there quite possibly was a good reason for it that I do not understand.

On the UI side, this permission workflow was implemented as part of big changes in f760e0f from 2021.

[gannebamm]

@kilichenko-pixida please provide a PR for master, too. @giohappy please use some of our booked time to answer the questions above to make sure the PR fits the quality critera.

[kilichenko-pixida]

@giohappy here is the PR: #12707 , I already sent the signed license agreement to [email protected], but I guess approval is pending. Thank you.