[Fixes #3993] Adding group access makes layer public (#3995)

* [Fixes #3993] Adding group access makes layer public

* [Fixes #3993] Adding group access makes layer public

geonode/security/models.py

@@ -28,6 +28,7 @@
 from .utils import (get_users_with_perms,
                     set_owner_permissions,
                     set_geofence_all,
+                    purge_geofence_layer_rules,
                     sync_geofence_with_guardian,
                     remove_object_permissions)
 
@@ -168,6 +169,8 @@ def set_permissions(self, perm_spec):
         }
         """
         remove_object_permissions(self)
+        if settings.OGC_SERVER['default'].get("GEOFENCE_SECURITY_ENABLED", False):
+            purge_geofence_layer_rules(self.get_self_resource())
 
         # default permissions for resource owner
         set_owner_permissions(self)

geonode/security/tests.py

@@ -207,43 +207,43 @@ def test_perm_specs_synchronization(self):
         # Reset GeoFence Rules
         purge_geofence_all()
         geofence_rules_count = get_geofence_rules_count()
-        self.assertTrue(geofence_rules_count == 0)
+        self.assertEquals(geofence_rules_count, 0)
 
         perm_spec = {'users': {'AnonymousUser': []}}
         layer.set_permissions(perm_spec)
         geofence_rules_count = get_geofence_rules_count()
         _log("1. geofence_rules_count: %s " % geofence_rules_count)
-        self.assertTrue(geofence_rules_count == 1)
+        self.assertEquals(geofence_rules_count, 1)
 
         perm_spec = {
             "users": {"admin": ["view_resourcebase"]}, "groups": {}}
         layer.set_permissions(perm_spec)
         geofence_rules_count = get_geofence_rules_count()
         _log("2. geofence_rules_count: %s " % geofence_rules_count)
-        self.assertTrue(geofence_rules_count == 4)
+        self.assertEquals(geofence_rules_count, 4)
 
         perm_spec = {'users': {"admin": ['change_layer_data']}}
         layer.set_permissions(perm_spec)
         geofence_rules_count = get_geofence_rules_count()
         _log("3. geofence_rules_count: %s " % geofence_rules_count)
-        self.assertTrue(geofence_rules_count == 2)
+        self.assertEquals(geofence_rules_count, 2)
 
         perm_spec = {'groups': {'bar': ['view_resourcebase']}}
         layer.set_permissions(perm_spec)
         geofence_rules_count = get_geofence_rules_count()
         _log("4. geofence_rules_count: %s " % geofence_rules_count)
-        self.assertTrue(geofence_rules_count == 8)
+        self.assertEquals(geofence_rules_count, 4)
 
         perm_spec = {'groups': {'bar': ['change_resourcebase']}}
         layer.set_permissions(perm_spec)
         geofence_rules_count = get_geofence_rules_count()
         _log("5. geofence_rules_count: %s " % geofence_rules_count)
-        self.assertTrue(geofence_rules_count == 2)
+        self.assertEquals(geofence_rules_count, 1)
 
         # Reset GeoFence Rules
         purge_geofence_all()
         geofence_rules_count = get_geofence_rules_count()
-        self.assertTrue(geofence_rules_count == 0)
+        self.assertEquals(geofence_rules_count, 0)
 
     @on_ogc_backend(geoserver.BACKEND_PACKAGE)
     def test_layer_permissions(self):

geonode/security/utils.py

@@ -429,18 +429,24 @@ def sync_geofence_with_guardian(layer, perms, user=None, group=None):
     gf_services["WCS"] = ('download_resourcebase' in perms or 'change_layer_data' in perms) \
         and not layer.is_vector()
     gf_services["WPS"] = 'download_resourcebase' or 'change_layer_data' in perms
+
+    _user = None
+    if user:
+        _user = user if isinstance(user, basestring) else user.username
+    _group = None
+    if group:
+        _group = group if isinstance(group, basestring) else group.name
     for service, allowed in gf_services.iteritems():
         if allowed:
-            if user:
-                logger.debug("Adding to geofence the rule: %s %s %s" % (layer, service, user))
-                _user = user if isinstance(user, basestring) else user.username
+            if _user:
+                logger.debug("Adding 'user' to geofence the rule: %s %s %s" % (layer, service, _user))
                 _update_geofence_rule(layer.name, layer.workspace, service, user=_user)
-            else:
+            elif not _group:
                 logger.debug("Adding to geofence the rule: %s %s *" % (layer, service))
                 _update_geofence_rule(layer.name, layer.workspace, service)
-            if group:
-                logger.debug("Adding to geofence the rule: %s %s %s" % (layer, service, user))
-                _group = group if isinstance(group, basestring) else group.name
+
+            if _group:
+                logger.debug("Adding 'group' to geofence the rule: %s %s %s" % (layer, service, _group))
                 _update_geofence_rule(layer.name, layer.workspace, service, group=_group)
     set_geofence_invalidate_cache()
 
@@ -575,4 +581,7 @@ def _update_geofence_rule(layer, workspace, service, user=None, group=None):
     if response.status_code not in (200, 201):
         msg = ("Could not ADD GeoServer User {!r} Rule for "
                "Layer {!r}: '{!r}'".format(user, layer, response.text))
-        raise RuntimeError(msg)
+        if 'Duplicate Rule' in response.text:
+            logger.warning(msg)
+        else:
+            raise RuntimeError(msg)