[Fixes #13976] auto-assign group permissions to the resource creator groups #13986

Open
sijandh35 wants to merge 4 commits into master from ISSUE_13976

Conversation

@sijandh35
Contributor

Fixes #13976

Note: This PR should pull the changes of PR: #13970 after the merge of the PR.

Checklist

Reviewing is a process done by project maintainers, mostly on a volunteer basis. We try to keep the overhead as small as possible and appreciate if you help us to do so by completing the following items. Feel free to ask in a comment if you have troubles with any of them.

For all pull requests:

  • Confirm you have read the contribution guidelines
  • You have sent a Contribution Licence Agreement (CLA) as necessary (not required for small changes, e.g., fixing typos in the documentation)
  • Make sure the first PR targets the master branch, eventual backports will be managed later. This can be ignored if the PR is fixing an issue that only happens in a specific branch, but not in newer ones.

The following are required only for core and extension modules (they are welcomed, but not required, for contrib modules):

  • There is a ticket in https://github.com/GeoNode/geonode/issues describing the issue/improvement/feature (a notable exemption is, changes not visible to end-users)
  • The issue connected to the PR must have Labels and Milestone assigned
  • PR for bug fixes and small new features are presented as a single commit
  • PR title must be in the form "[Fixes #<issue_number>] Title of the PR"
  • New unit tests have been added covering the changes, unless there is an explanation on why the tests are not necessary/implemented

Submitting the PR does not require you to check all items, but by the time it gets merged, they should be either satisfied or inapplicable.

@sijandh35 sijandh35 self-assigned this Feb 23, 2026
@cla-bot cla-bot bot added the cla-signed (CLA Bot: community license agreement signed) label Feb 23, 2026
@sijandh35 sijandh35 marked this pull request as ready for review February 23, 2026 14:46
@gemini-code-assist
Contributor

Summary of Changes

Hello @sijandh35, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new feature that automatically assigns permissions to the groups of a resource creator when a new resource is created. This is achieved through a new permissions handler and associated settings, enhancing the security model by automating permission assignments. The PR also includes unit tests to ensure the new functionality works as expected.

Highlights

  • New Feature: Introduces a new feature that automatically assigns configured permissions to groups of the resource creator upon resource creation.
  • Permissions Handling: Adds a ResourceCreatorGroupsPermissionsHandler to manage the automatic assignment of permissions.
  • Settings Integration: Integrates new settings (AUTO_ASSIGN_RESOURCE_CREATOR_GROUPS_PERMISSIONS and RESOURCE_CREATOR_GROUPS_PERMISSIONS_LIST) to control the auto-assignment feature.
  • Testing: Includes new unit tests to verify the functionality of the ResourceCreatorGroupsPermissionsHandler.

Changelog
  • geonode/security/handlers.py
    • Added ResourceCreatorGroupsPermissionsHandler to auto-assign permissions to groups of the resource creator.
  • geonode/security/tests.py
    • Added tests for the ResourceCreatorGroupsPermissionsHandler to ensure correct permission assignment.
  • geonode/settings.py
    • Added settings for enabling/disabling auto-assignment of resource creator group permissions and for configuring the permissions list.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a new permissions handler, ResourceCreatorGroupsPermissionsHandler, which automatically assigns configured permissions to all groups of a resource creator upon resource creation. This is a useful feature for organizations that want to ensure team members have immediate access to resources created by their peers. The implementation includes the handler logic, necessary settings for configuration, and unit tests. My feedback focuses on improving the robustness of the permission assignment logic to prevent accidental overwriting of existing permissions, optimizing resource type detection to avoid unnecessary database queries, and ensuring the handler is correctly ordered within the processing pipeline to respect advanced security workflows.

extended_permissions = set(_to_extended_perms("view", _resource_type, _resource_subtype) or [])

for user_group in get_user_groups(owner):
payload["groups"][user_group] = sorted(extended_permissions)
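
Review bot: In the `extended_permissions = ...` line, the permission level passed to `_to_extended_perms` is the string literal "view", so these lines never consult a configured permission value. If the level is meant to be configurable, read it from the setting here instead of the literal, and add a test that configures a non-view level (for example download) and asserts what each creator group receives.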

high

The current implementation overwrites any existing permissions for the group in the payload. If another handler has already assigned permissions to one of the creator's groups, those changes will be lost. It is safer to perform a union of the new permissions with any existing ones.

Suggested change
payload["groups"][user_group] = sorted(extended_permissions)
payload["groups"][user_group] = sorted(set(payload["groups"].get(user_group, [])) | extended_permissions)

"geonode.security.handlers.GroupManagersPermissionsHandler",
"geonode.security.handlers.SpecialGroupsPermissionsHandler",
"geonode.security.handlers.AdvancedWorkflowPermissionsHandler",
"geonode.security.handlers.ResourceCreatorGroupsPermissionsHandler",

high

The ResourceCreatorGroupsPermissionsHandler is currently placed at the end of the PERMISSIONS_HANDLERS list. This means it runs after the AdvancedWorkflowPermissionsHandler. In GeoNode, the advanced workflow handler is responsible for enforcing strict security policies (e.g., making a resource private until it is approved). If the creator groups handler runs after it, it might grant permissions that the workflow explicitly intended to restrict. To ensure that workflow policies are respected, this handler should be placed before AdvancedWorkflowPermissionsHandler.

    "geonode.security.handlers.ResourceCreatorGroupsPermissionsHandler",
    "geonode.security.handlers.GroupManagersPermissionsHandler",
    "geonode.security.handlers.SpecialGroupsPermissionsHandler",
    "geonode.security.handlers.AdvancedWorkflowPermissionsHandler",

payload.setdefault("users", {})
payload.setdefault("groups", {})

_resource_type = getattr(instance, "resource_type", None) or instance.polymorphic_ctype.name

medium

Accessing instance.polymorphic_ctype.name can trigger an additional database query if the polymorphic_ctype relation hasn't been prefetched. Since fixup_perms is often called in performance-sensitive paths, it's more efficient to use instance._meta.model_name as a fallback for the resource type.

Suggested change
_resource_type = getattr(instance, "resource_type", None) or instance.polymorphic_ctype.name
_resource_type = getattr(instance, "resource_type", None) or instance._meta.model_name
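
The two "high" review points above (overwriting a group's existing entry, and handler order relative to a restricting handler) can be reproduced in a small model. This is an added example, not code from the PR or from GeoNode; the handler functions, the `ctx` dict, the group name and the permission strings are all constructed for illustration.

```python
# Constructed model of a permissions-handler chain. Handler names, the ctx
# dict and the permission strings are illustrative, not GeoNode's API.

def managers_handler(payload, ctx):
    """Earlier handler: gives each creator group change rights."""
    for g in ctx["creator_groups"]:
        payload["groups"][g] = sorted(set(payload["groups"].get(g, [])) | {"change_resourcebase"})
    return payload

def creator_groups_overwrite(payload, ctx):
    """Assignment as in the reviewed line: replaces whatever was there."""
    for g in ctx["creator_groups"]:
        payload["groups"][g] = sorted(ctx["auto_perms"])
    return payload

def creator_groups_union(payload, ctx):
    """Assignment as in the suggested change: merges with existing entries."""
    for g in ctx["creator_groups"]:
        payload["groups"][g] = sorted(set(payload["groups"].get(g, [])) | set(ctx["auto_perms"]))
    return payload

def workflow_handler(payload, ctx):
    """Stand-in restricting handler: unapproved resources get no group access."""
    if not ctx["approved"]:
        payload["groups"] = {g: [] for g in payload["groups"]}
    return payload

def run_chain(handlers, ctx):
    """Apply handlers in list order to a fresh payload, as a pipeline would."""
    payload = {"users": {}, "groups": {}}
    for handler in handlers:
        payload = handler(payload, ctx)
    return payload

# Constructed sample context: one creator group, an unapproved resource.
CTX = {"creator_groups": ["team-a"], "auto_perms": {"view_resourcebase"}, "approved": False}

if __name__ == "__main__":
    # Overwrite drops the earlier handler's grant; union keeps it.
    print(run_chain([managers_handler, creator_groups_overwrite], CTX)["groups"])
    print(run_chain([managers_handler, creator_groups_union], CTX)["groups"])
    # Order decides whether the restriction or the grant has the last word.
    print(run_chain([creator_groups_union, workflow_handler], CTX)["groups"])
    print(run_chain([workflow_handler, creator_groups_union], CTX)["groups"])
```

In this model the union fix alone does not protect the restriction: whichever handler runs last decides the group's final entry, so both the merge and the list order need a test.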

@codecov

codecov bot commented Feb 23, 2026

Codecov Report

❌ Patch coverage is 88.31169% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.27%. Comparing base (7f6c030) to head (d2759e5).
⚠️ Report is 4 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #13986      +/-   ##
==========================================
+ Coverage   74.07%   74.27%   +0.20%     
==========================================
  Files         950      950              
  Lines       56826    56873      +47     
  Branches     7719     7710       -9     
==========================================
+ Hits        42093    42245     +152     
+ Misses      13044    12927     -117     
- Partials     1689     1701      +12     

@sijandh35 sijandh35 added the feature (A new feature to be added to the codebase) and enhancement labels Feb 24, 2026
@sijandh35 sijandh35 assigned sijandh35 and unassigned sijandh35 Feb 24, 2026
@giohappy giohappy self-requested a review February 25, 2026 15:33

@giohappy giohappy left a comment

@sijandh35 I'm testing branch https://github.com/GeoNode/geonode/tree/ISSUE_13976_and_13965 with the following settings in a project:

AUTO_ASSIGN_RESOURCE_CREATOR_GROUPS_PERMISSIONS = True
RESOURCE_CREATOR_GROUPS_PERMISSIONS = "download"

Groups are assigned view permissions, although download is configured.

Labels

cla-signed (CLA Bot: community license agreement signed), enhancement, feature (A new feature to be added to the codebase)

Development

Successfully merging this pull request may close these issues.

auto-assign group permissions to the resource creator groups

3 participants