[Fixes #14262] Avoid returning all permissions in dataset owner payload#14263
Merged
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request modifies geonode/security/registry.py to restrict global permissions to only those explicitly defined in the PERMISSIONS map, removing the fallback for custom permissions. The reviewer identifies a high-severity issue where this change could lead to regressions, as it excludes valid GeoNode-specific and extension-based permissions like add_service or delete_service, potentially disabling UI actions for authorized users. It is recommended to either expand the whitelist or implement a more inclusive filtering mechanism.
Comment on lines
433
to
435
| if codename in PERMISSIONS: | ||
| # return constant names defined by GeoNode | ||
| perms.add(PERMISSIONS[codename]) |
Contributor
There was a problem hiding this comment.
The removal of the else block restricts global permissions to only those explicitly defined in the PERMISSIONS map (which currently only contains add_resourcebase). This will cause other GeoNode-specific global permissions that do not require mapping, such as add_service, delete_service, or any custom permissions from extensions, to be excluded from the global permissions payload.
While this successfully reduces the payload size by filtering out Django/Guardian internal permissions, it may lead to regressions in the UI where authorized users (including admins) can no longer see buttons or perform actions that depend on these global permissions. Consider using a more inclusive filter (e.g., based on app labels) or expanding the PERMISSIONS whitelist in geonode/security/permissions.py to include all relevant GeoNode global permissions.
Contributor
There was a problem hiding this comment.
/gemoni A solution could be to add a method to register new permissions inside the list of global permissions handled by the PermissionsRegistry.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #14263 +/- ##
==========================================
- Coverage 74.92% 74.92% -0.01%
==========================================
Files 975 975
Lines 59902 59901 -1
Branches 8157 8157
==========================================
- Hits 44884 44883 -1
Misses 13194 13194
Partials 1824 1824 🚀 New features to boost your workflow:
|
mattiagiupponi
approved these changes
May 27, 2026
mattiagiupponi
pushed a commit
that referenced
this pull request
May 27, 2026
mattiagiupponi
added a commit
that referenced
this pull request
May 28, 2026
# This is the 1st commit message: Replace flake8 and black with ruff # This is the commit message #2: Replace flake8 and black with ruff # This is the commit message #3: Update geonode/base/views.py Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> # This is the commit message #4: Clear-text logging of sensitive information' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> # This is the commit message #5: 'CodeQL / Information exposure through an exception' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> # This is the commit message #6: Potential fix for pull request finding 'CodeQL / URL redirection from remote source' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> # This is the commit message #7: PR review suggestions # This is the commit message #8: PR review suggestions # This is the commit message #9: Potential fix for pull request finding 'CodeQL / Information exposure through an exception' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> # This is the commit message #10: fix PR review suggestion Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> # This is the commit message #11: fix PR review suggestion Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> # This is the commit message #12: Potential fix for pull request finding 'CodeQL / Information exposure through an exception' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> # This is the commit message #13: fix PR review suggestion Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> # This is the commit message #14: [Fixes #14244] Do not return WWW-Authenticate inside API exception response (#14265) * Do not return WWW-Authenticate inside API exception response * Test WWW-Authenticate stripped * Fix test docstring # This is the commit message #15: [Fixes #14262] Avoid returning all permissions in dataset owner payload (#14263)
mattiagiupponi
added a commit
that referenced
this pull request
May 28, 2026
Replace flake8 and black with ruff Update geonode/base/views.py Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Clear-text logging of sensitive information' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 'CodeQL / Information exposure through an exception' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Potential fix for pull request finding 'CodeQL / URL redirection from remote source' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> PR review suggestions PR review suggestions Potential fix for pull request finding 'CodeQL / Information exposure through an exception' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> fix PR review suggestion Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> fix PR review suggestion Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Potential fix for pull request finding 'CodeQL / Information exposure through an exception' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> fix PR review suggestion Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> [Fixes #14244] Do not return WWW-Authenticate inside API exception response (#14265) * Do not return WWW-Authenticate inside API exception response * Test WWW-Authenticate stripped * Fix test docstring [Fixes #14262] Avoid returning all permissions in dataset owner payload (#14263) [Fixes #14248] Fix proxy registry initialization (#14249) [Fixes #13512] Create a task that loads required thesauri automatically (#14187) * Add autoload subcommand to thesaurus management command, task in tasks.py, and entrypoint call * Add documentation for thesaurus autoload command and boot-time thesauri loading * Move autoload_thesauri into its own thesaurus_subcommands/autoload.py * Log improvements, lang selection * Apply suggestions from code review * Fix mutable default argument for langs parameter in load_thesaurus * Fix patch apps.get_app_configs in correct autoload module * Fix code formatting * Improve load final log Co-authored-by: etj <717359+etj@users.noreply.github.com> Co-authored-by: Emanuele Tajariol <etj@geo-solutions.it> merge with master
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #14262
Checklist
For all pull requests:
The following are required only for core and extension modules (they are welcomed, but not required, for contrib modules):
Submitting the PR does not require you to check all items, but by the time it gets merged, they should be either satisfied or inapplicable.