forked from GeoNode/geonode
/
security.txt
189 lines (124 loc) · 6.07 KB
/
security.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
.. _security:
========================
Security and Permissions
========================
.. note:: This is mainly meant for administrators!
GeoNode has the ability to restrict the access on your layers and maps, including the metadata and your uploaded documents. This section will help you to understand which restrictions are possible and what to take care of while using them.
Generally permissions can be set on all your uploaded data, but here´s an overview:
#. Users
* superuser permissions
* django admin interface permissions
#. Layers
* view and download a layer
* edit a layer
* edit and manage a layer
#. Maps
* view and download a map
* edit a map
* edit and manage a map
#. Documents
* view and download a document
* edit a document
* edit and manage a document
.. todo::
#. Groups
* not yet implemented
To understand how this permissions can be set, you first have to know about the different kinds of users.
Users
-----
GeoNode has two types of users:
* unregistered users (anonymous)
* registered users
An unregistered user is someone who is just visiting the site, but doesn't have any data uploaded yet. A registered user has
already done that. But there are even more kinds of registered users! A registered user can have one or more of those three status:
* superuser
* staff
* active
A superuser is usually generated directly after the installation of GeoNode via the terminal. When creating a *superuser* through
the terminal it always has the status *active* and the status *staff* as well. It is also important to know that a superuser is a user that has all permissions without explicitly assigning them! That means that he is able to
upload and edit layers, create maps etc. and can not be restricted from that! So the superuser is basically the administrator, who knows and has access on everything.
The status *staff* only implies that a user with this status is able to attend the *Django Admin Interface*. *Active* has no special meaning, it only says that there is a user and it is available. Instead of deleting this user, you could just unset the status *active*, your user will still be remaining, but it won´t show up.
There are three options to create a user:
* terminal: Here you can only create a superuser
* GeoNode interface: A *normal* user will be created by signing up to GeoNode. It only has the status *active* so far!
* django admin interface: A new user can be created as well as the status of an already existing user can be changed, e.g make a generic user a superuser.
Groups
------
In GeoNode you can assign permissions to groups, all the users that belong to the group will inherit its permissions.
If you are an administrator you can create a group in the dedicated tab and invite or assign users to it.
The group will be available in the permissions widget in geonode and you will be able to assign object permissions to it.
Layers
------
As mentioned above, a superuser has access on all the uploaded data. In order to restrict other users from certain data, use
the superuser to change those permissions. Generally you have the following possibilities of permissions:
.. figure:: img/map_permissions.PNG
So there are permissions on:
* who can view and download
* who can edit
* who can edit and manage
The difference between *who can edit* and *who can edit and manage* is the fact, that only a user who is allowed to *edit and manage* is able to change the permissions on this layer/map.
Basically you can choose between
* Anybody
* Only a certain user or group
If you allow a user to edit your layer, this user has the right to do the following actions:
* Edit metadata
* Edit styles
* Manage styles
* Replace the layer
* Remove the layer
This can also be seen here:
.. figure:: img/edit_and_manage.PNG
Edit and manage
.. todo:: EDIT PERMISSIONS HAS TO BE REMOVED!!
Now take a closer look on to the section *Edit Metadata*. All the following things can be edited in the metadata section:
* Owner
* Title
* Date
* Data type
* Edition
* Abstract
* Purpose
* Maintenance frequency
* Keywords region
* Restrictions
* Restrictions other
* Language
* Category
* Spatial representation type
* Temporal extent start
* Temporal extent end
* Supplemental information
* Distribution URL
* Distribution description
* Data quality statement
* Keywords
* Point of contact
* Metadata author
* Attributes (those can though not be changed!)
.. todo:: eventually more detailed? can copy the descriptions as well.
The sections about editing and managing styles only include the possibility to change the existing styles of the layer and create new ones.
.. note:: At the moment it is possible for any user, registered or unregistered, who is permitted to view and download a layer, to *Edit Styles*!
Any user who is permitted to edit your layer is also able to replace or even remove it!
Maps
----
Generally all the same applies to maps, but here the opportunities of editing the map are fewer:
* Edit map metadata
* Set map thumbnail
* Remove the map
The sector *Edit metadata* is almost the same like in the layer's section, just that it has two options more:
* Metadata XML
* Thumbnail
In *Set map thumbnail* the thumbnail of the map can be set.
Documents
---------
The same permissions can be done on the documents. There's again a section on *Edit Metadata* and you could also *replace*
or *remove* the document.
Groups
------
Until now it is not possible to set permissions to groups! This action may come in a further GeoNode release!
Require authentication to access GeoNode
----------------------------------------
By default, unregistered users can view maps, layers, and documents on your site without being authenticated. GeoNode comes
a security option that requires users to authenticate before accessing any page. To enable this option, set the ``LOCKDOWN_GEONODE``
setting to true in your ``settings.py`` file. You can fine-tune which url routes are white-listed (accessible by unregistered
users) by listing the routes in the ``AUTH_EXEMPT_URLS`` tuple. See the :ref:`djangoapps` documentation for more information.