Permissions API return 403 on users in groups with manage permission on a resource #9116

Closed
marthamareal opened this issue Apr 15, 2022 · 0 comments
Labels: 4.0.x; API v2; major (A high priority issue which might affect a lot of people or large parts of the codebase); master; security (Pull requests that address a security vulnerability)

marthamareal commented Apr 15, 2022

Expected Behavior

Users in groups with manage permissions should be able to access API /api/v2/resources/{resource_id}/permissions

Actual Behavior

403 is returned when a user in a group that has Manage permissions on a resource accesses /api/v2/resources/{resource_id}/permissions

This is because the API considers the permission class IsOwnerOrAdmin here, which uses get_users_with_perms. Note: this should also check for users in groups with manage permissions.

Steps to Reproduce the Problem

  1. As an admin, select a resource, share it with a group with managers, assign Manage permission, and save
  2. Access the resource permissions API /api/v2/resources/{resource_id}/permissions as a member of the above group
  3. Notice that 403 is returned.

Specifications

  • GeoNode version:
  • Installation method (manual, GeoNode Docker, SPCGeoNode Docker):
  • Platform:
  • Additional details:
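
The failure mode reported above, as an added example that is not part of the original issue and is not GeoNode's code: a plain-Python model of an object-permission check that consults only per-user grants, next to one that also honours grants inherited through groups. All names, the `manage` label and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

MANAGE = "manage"  # constructed permission label, not GeoNode's codename


@dataclass
class Resource:
    owner: str
    user_perms: dict = field(default_factory=dict)   # username -> set of perms
    group_perms: dict = field(default_factory=dict)  # group name -> set of perms


@dataclass
class User:
    name: str
    groups: frozenset = frozenset()
    is_superuser: bool = False


def direct_grantees(resource, perm):
    """Users holding `perm` through a per-user grant only."""
    return {u for u, perms in resource.user_perms.items() if perm in perms}


def has_perm_via_group(user, resource, perm):
    """True if any group the user belongs to holds `perm` on the resource."""
    return any(perm in resource.group_perms.get(g, ()) for g in user.groups)


def can_manage_direct_only(user, resource):
    """Behaviour reported in the issue: group grants are never consulted."""
    return (user.is_superuser or user.name == resource.owner
            or user.name in direct_grantees(resource, MANAGE))


def can_manage_with_groups(user, resource):
    """Check the issue asks for: direct grants plus grants inherited from groups."""
    return (can_manage_direct_only(user, resource)
            or has_perm_via_group(user, resource, MANAGE))


def status_for(check, user, resource):
    """HTTP status a permissions endpoint would return for this check."""
    return 200 if check(user, resource) else 403


# Constructed sample data.
RESOURCE = Resource(owner="alice", user_perms={"bob": {MANAGE}},
                    group_perms={"managers": {MANAGE}, "viewers": {"view"}})
CAROL = User("carol", groups=frozenset({"managers"}))  # manages via group
DAVE = User("dave", groups=frozenset({"viewers"}))     # view-only group
```

A regression test for this kind of fix should assert both directions: the group manager gains access, and a member of a group without the manage permission still receives 403.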
@marthamareal marthamareal changed the title Permissions API return 403 on users with manage permisions Permissions API return 403 on users in groups with manage permission on a resource Apr 15, 2022
@afabiani afabiani self-assigned this Apr 15, 2022
afabiani pushed a commit that referenced this issue Apr 15, 2022
@afabiani afabiani added API v2 master 4.0.x security Pull requests that address a security vulnerability major A high priority issue which might affect a lot of people or large parts of the codebase labels Apr 15, 2022
github-actions bot pushed a commit that referenced this issue Apr 15, 2022
…ge permission on a resource (#9117)

* [Fixes #9106] Implement API for compact permissions

* [CircleCi] Fix tests

* [CircleCi] Fix tests

* [CircleCi] Fix tests

* [CircleCi] Fix tests

* [Fixes #9116] Permissions API return 403 on users in groups with manage permission on a resource
afabiani pushed a commit that referenced this issue Apr 15, 2022

…ge permission on a resource (#9117) (#9127)

* [Fixes #9106] Implement API for compact permissions

* [CircleCi] Fix tests

* [CircleCi] Fix tests

* [CircleCi] Fix tests

* [CircleCi] Fix tests

* [Fixes #9116] Permissions API return 403 on users in groups with manage permission on a resource

Co-authored-by: Alessio Fabiani <alessio.fabiani@geo-solutions.it>