User defined permissions will break the permissions exposed by the API

[ridoo]

Expected Behavior

Create and add custom permissions to a user (via group) does not have any effect on handling user permissions.

Actual Behavior

Adding new permissions to a user, which are not known by GeoNode, raises an exception while mapping permissions in people/models.py#perms. As a result the API skips the perms attribute completely. With the API skipping that attribute, geonode-mapstore-client sees no permissions given to a user. For example a user who has actual contributor permissions, will not have the ability to (for example) add new resources.

Steps to Reproduce the Problem

See my discussion about custom permissions to reproduce.

1. Add new user (id 1001) to contributor group
2. Check /api/v2/users/1001 contains perms attribute
3. Add a custom permission to a group a user belongs to
4. Check /api/v2/users/1001 is missing perms attribute

Specifications

• GeoNode version: 4.3.1 (but would affect older versions, which I did not test)
• Installation type (vanilla, geonode-project):
• Installation method (manual, docker):
• Platform:
• Additional details: Adding custom permissions #12635

[ridoo]

@giohappy @mattiagiupponi the solution seems as easy as doing

# return constant names defined by GeoNode
#perms = [PERMISSIONS[db_perm] for db_perm in group_perms]
perms = group_perms

but I am unsure, if that mapping has a specific reason In any case the mapping should stay the same but could be changed to allow unknown permissions. I tested locally, and did not see any other things break on geonode-mapstore-client side.

Do you want me to create a PR for it?

However, looking at the whole method

geonode/geonode/people/models.py

Lines 199 to 216 in 677c578

	def perms(self):
	if self.is_superuser or self.is_staff:
	# return all permissions for admins
	perms = PERMISSIONS.values()
	else:
	user_groups = self.groups.values_list("name", flat=True)
	group_perms = (
	Permission.objects.filter(group__name__in=user_groups).distinct().values_list("codename", flat=True)
	)
	# return constant names defined by GeoNode
	perms = [PERMISSIONS[db_perm] for db_perm in group_perms]
	# check READ_ONLY mode
	config = Configuration.load()
	if config.read_only:
	# exclude permissions affected by readonly
	perms = [perm for perm in perms if perm not in READ_ONLY_AFFECTED_PERMISSIONS]
	return perms

it seems that staff users do not get extra permissions at all. Is this intended?

[kikislater]

Interesting !
Just to link issues bout staff: #12551

[ridoo]

BTW: The perms attribute is also skipped when a user gets non-custom permissions like adding site.

@giohappy @mattiagiupponi the solution seems as easy as doing

# return constant names defined by GeoNode
#perms = [PERMISSIONS[db_perm] for db_perm in group_perms]
perms = group_perms

This quick guess omits the actual mapping. However, I created a PR which adds all permissions (even for admin and staff).

[giohappy]

@ridoo I think it's fine to include custom permissions here.
GeoNode only tracks the permissions it is aware of because there's a lot of logic that depends on the exact names of permissions. See for example all the methods under the security module.
By the way, in this specific case, I don't see any problem. If I'm not wrong that property is only read by the API serializer, so it shouldn't interfere with the rest.