Geonode: Data edition permissions set in GeoNode for a layer are not applied on the WFS

Created on 27 Feb 2020  路  9Comments  路  Source: GeoNode/geonode

Expected Behavior

I want the data edition permissions set in GeoNode on the layers (Who can edit data for this layer?) to also be applied when I display the data in another client (WFS in QGIS).

Actual Behavior

All users who have access to a layer can modify the data in QGIS, even if they do not have data edition permission.

Steps to Reproduce the Problem

  1. With a first user , set the permissions of a layer in GeoNode so that no one can edit the data.
  2. Add the WFS into QGIS (https://master.demo.geonode.org/gs/ows for example) with the credentials of a different user.
  3. Add the layer that no one can edit the data in QGIS and open the attribute table.
  4. Activate the modifications by clicking on the small pen.
  5. Edit the attributes and save.

Specifications

  • GeoNode version: 2.10.1 (my installation) & 2.10.3 (Master Demo)
  • Installation method (manual, GeoNode Docker, SPCGeoNode Docker): manual
  • Platform: Ubuntu 18.04
  • Additional details:

    • When the layer is displayed in MapStore the small pen for edition in the attribute table is not there.

blocker security

Most helpful comment

Adding a GeoFence Data Rule that deny transactions for a layer prevented a user from modifying the data in QGIS.

transactions

A solution to this problem could be the automatic addition of this type of rule when permissions are created?

All 9 comments

Adding a GeoFence Data Rule that deny transactions for a layer prevented a user from modifying the data in QGIS.

transactions

A solution to this problem could be the automatic addition of this type of rule when permissions are created?

@audetrobergem yeps, I guess that would be the best option to fix this quickly.

@afabiani shouldn麓t this work in the expected behaviour way out of the box? I am puzzled.

@sjohn-atenekom Could you test this behaviour? I think those security related issues are relevant for AteneKOM? This help would be very much appreciated :D

I think the problem here is actually bigger. I think the permissions are not always considered in the /gs/ows endpoint. I managed to load a private layer into QGIS without authentication. on the other hand, the data edition did not work (as expected). This layer should only be visible by users sberger and sberger1 : https://master.demo.geonode.org/layers/geonode_master_data:geonode:VG250_LAN

the layer should also not show up in the capabilities document https://master.demo.geonode.org/gs/ows?service=WMS&request=getcapabilities

I guess the GeoFence rules on master demo where messed up. I cleaned up all the rules and refreshed. Can you please try again?

P.S. make sure to use the correct user and start always with a clean browser session.

image

image

Thanks, @afabiani. I was now able to reproduce the problem described by @audetrobergem and think that adding a geofence data rule should fix it.

I have added a general DENY rule for VG_LAN
grafik

Which should get overwritten by specific ones. You should not be able to edit it anymore @sjohn-atenekom

It seems it does get overwritten. Even as owner of the dataset, I can't see it anymore. Probably this rule should be on the bottom to get overwritten. But even this rule denys everything and get overwritten by service=WFS and request=* the is again allowed to edit the data.
Adding a default rule with service=wfs and request=transaction seems the only solution to me at the moment.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

hishamkaram picture hishamkaram  路  9Comments

sjohn-atenekom picture sjohn-atenekom  路  5Comments

frafra picture frafra  路  10Comments

malnajdi picture malnajdi  路  3Comments

capooti picture capooti  路  8Comments