Layer download should be consistent with layer permissions

[capooti]

If a user/group does not have the download_resourcebase permission for a layer, GeoNode will correctly prevent to download it only by not showing the download button.
Unluckily an astute user will still be able to download the datasets if he can figure out the GeoServer WFS link.

[d3netxer]

How can we block the GeoServer WFS link?

[capooti]

An option is to disable WFS, but this will disable also layer editing

[d3netxer]

so disable WFS from GeoServer?

Is there a way to only have WFS available with authentication and GeoNode can access it this way?

[capooti]

This would require change in the java code base.

The final solution would be to check the download authorization from the
GeoServer GeoNode plugin, and enable the download on a layer per layer and
user per user basis. Unluckily I am not sure how easy to do this before we
start using GeoFence.

Still another approach could be to proxy the WFS requests from Django, and
check the authorization there. In this case it is not necessary to modify
the GeoServer plugin.

On Fri, Dec 18, 2015 at 11:59 AM, @tomgertin notifications@github.com
wrote:

so disable WFS from GeoServer?

Is there a way to only have WFS available with authentication and GeoNode
can access it this way?

—
Reply to this email directly or view it on GitHub
#2085 (comment).

Paolo Corti
Geospatial software developer
web: http://www.paolocorti.net
twitter: @capooti
skype: capooti

[d3netxer]

Ok great. I would like to try the proxy approach with WFS requests from Django. I was able to change the GeoServer settings to be able to use the http headers to authenticate WFS services. Do you know what to change in Django to use these headers?

[capooti]

This is what was done for styles authorization:
https://github.com/GeoNode/geonode/blob/master/geonode/geoserver/views.py#L325

You could do something like this, intercepting any call made to WFS
endpoint. Though, I am not sure how you could differentiate by different
WFS request types.

On Mon, Dec 28, 2015 at 9:12 PM, @tomgertin notifications@github.com
wrote:

Ok great. I would like to try the proxy approach with WFS requests from
Django. I was able to change the GeoServer settings to be able to use the
http headers to authenticate WFS services. Do you know what to change in
Django to use these headers?

—
Reply to this email directly or view it on GitHub
#2085 (comment).

Paolo Corti
Geospatial software developer
web: http://www.paolocorti.net
twitter: @capooti
skype: capooti

[jj0hns0n]

@afabiani this is one that I think you guys can look into. It comes up a lot. There is currently no way to disable the wfs but keep the wms working for a layer. Moving to 2.7

[afabiani]

Roger, I will take a look at this.

Best Regards,
Alessio Fabiani.

GeoServer Professional Services from the experts!

Visit http://goo.gl/it488V for more information.

Ing. Alessio Fabiani
@alfa7691
Founder/Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 331 6233686

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

---

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

---

On Sun, Aug 21, 2016 at 9:41 AM, Jeffrey Johnson notifications@github.com
wrote:

@afabiani https://github.com/afabiani this is one that I think you guys
can look into. It comes up a lot. There is currently no way to disable the
wfs but keep the wms working for a layer. Moving to 2.7

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#2085 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABOARaq0csg-bMMHq_hDalUfhhPJmR43ks5qiAEigaJpZM4Dld55
.

[afabiani]

This issue will be solved with the new A&A subsystem we are working on. GeoNode will expose a UserRoleService to GeoServer, wich can be used to configure Authorization on GeoServer side.

See this document for the technical details:

https://docs.google.com/document/d/1fEs6NsCVC3KcB8TCM_P7BmxKLrza2n9fxlySdQVShQ8/edit?usp=sharing

Moreoever the plan would be to enable on GeoServer the GeoFence extension for advanced security which will enhance the granularity of security permissions.

[afabiani]

Dear all, I created a GNIP which will address this issue too:

#2696

[capooti]

thanks @afabiani !