
[Backport 5.0.x] Replace Dataset does not keep in account the user perm (#14387) #14398

Open
sijandh35 wants to merge 1 commit into 5.0.x from backport-14387-to-5.0.x


@sijandh35 sijandh35 commented Jun 30, 2026


(cherry picked from commit 79d213c) PR: #14387

Checklist

Reviewing is a process done by project maintainers, mostly on a volunteer basis. We try to keep the overhead as small as possible and appreciate if you help us to do so by completing the following items. Feel free to ask in a comment if you have troubles with any of them.

For all pull requests:

  • Confirm you have read the contribution guidelines
  • You have sent a Contribution Licence Agreement (CLA) as necessary (not required for small changes, e.g., fixing typos in the documentation)
  • Make sure the first PR targets the master branch, eventual backports will be managed later. This can be ignored if the PR is fixing an issue that only happens in a specific branch, but not in newer ones.

The following are required only for core and extension modules (they are welcomed, but not required, for contrib modules):

  • There is a ticket in https://github.com/GeoNode/geonode/issues describing the issue/improvement/feature (a notable exemption is, changes not visible to end-users)
  • The issue connected to the PR must have Labels and Milestone assigned
  • PR for bug fixes and small new features are presented as a single commit
  • PR title must be in the form "[Fixes #<issue_number>] Title of the PR"
  • New unit tests have been added covering the changes, unless there is an explanation on why the tests are not necessary/implemented

Submitting the PR does not require you to check all items, but by the time it gets merged, they should be either satisfied or inapplicable.

#14387)

* [Fixes #14386] Replace Dataset does not keep in account the user permissions
---------

Co-authored-by: sijandh35 <sumoseason35@gmail.com>
(cherry picked from commit 79d213c)
@sijandh35 sijandh35 requested a review from mattiagiupponi June 30, 2026 14:16
@cla-bot cla-bot Bot added the cla-signed CLA Bot: community license agreement signed label Jun 30, 2026

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request enhances the robustness and permission handling of GeoNode's raster and vector upload handlers during resource overwrites, and adds comprehensive unit tests. The review feedback identifies a critical regression in the vector handler where a missing branch prevents resource creation during an overwrite if the dataset does not exist. Additionally, the feedback points out a potential SQL injection vulnerability in raw SQL execution, a type hint mismatch in the raster handler, and a defensive check opportunity during rollback.


Comment on lines +909 to 911
elif not dataset and not _overwrite:
logger.warning("The resource does not exists, please use 'create_geonode_resource' to create one")
return
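Review bot: the warning in the `elif not dataset and not _overwrite:` branch does not say which dataset was missing, so the log line cannot be tied back to a request. Include the dataset identifier in the message, correct the wording to "does not exist", and consider returning an explicit value or raising, since the bare `return` gives callers only None.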


critical

The elif not dataset and _overwrite: branch was accidentally removed during refactoring. If a user attempts to replace/overwrite a dataset that does not exist yet, the method will silently return None instead of creating the resource. This breaks the expected behavior and differs from the raster handler implementation. Please restore this branch to ensure the resource is created when overwrite is requested but the dataset is missing.

        elif not dataset and _overwrite:
            logger.warning(
                f"The dataset required {alternate} does not exists, but an overwrite is required, the resource will be created"
            )
            return self.create_geonode_resource(layer_name, alternate, execution_id, resource_type, asset)
        elif not dataset and not _overwrite:
            logger.warning("The resource does not exists, please use 'create_geonode_resource' to create one")
        return

Comment on lines 1101 to +1103
db_name = os.getenv("DEFAULT_BACKEND_DATASTORE", "datastore")
with connections[db_name].cursor() as cursor:
cursor.execute(f"DROP TABLE {instance_name}")
cursor.execute(f"DROP TABLE IF EXISTS {instance_name}")
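Review bot: `instance_name` is formatted directly into both `cursor.execute` statements, and a table name cannot be sent as a bound parameter, so nothing in these lines constrains what reaches the database. Validate the name against the identifier pattern the handler expects before the `with` block and quote it when building the statement; `IF EXISTS` only changes what happens when the table is missing.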


security-high high

Directly interpolating instance_name into the raw SQL query introduces a potential SQL injection vulnerability. Even if the input is sanitized elsewhere, it is highly recommended to use the database connection's quote_name utility to safely escape the table identifier before executing the query.

Suggested change
db_name = os.getenv("DEFAULT_BACKEND_DATASTORE", "datastore")
with connections[db_name].cursor() as cursor:
cursor.execute(f"DROP TABLE {instance_name}")
cursor.execute(f"DROP TABLE IF EXISTS {instance_name}")
db_name = os.getenv("DEFAULT_BACKEND_DATASTORE", "datastore")
with connections[db_name].cursor() as cursor:
safe_instance_name = connections[db_name].ops.quote_name(instance_name)
cursor.execute(f"DROP TABLE IF EXISTS {safe_instance_name}")
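
An added example, not code from this PR or from GeoNode, of handling a table name before it is formatted into `DROP TABLE`: the name is checked against an allow-list pattern and then quoted. It uses the standard-library `sqlite3` driver so it runs without Django; the pattern, the helper names and the sample inputs are assumptions.

```python
import re
import sqlite3

# Assumption: dataset tables are bare identifiers (letters, digits, underscore),
# at most 63 characters. Adjust to the naming rules the handler really uses.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def safe_table_identifier(name):
    """Return name as a double-quoted SQL identifier, or raise ValueError."""
    if not isinstance(name, str) or not _IDENT_RE.fullmatch(name):
        raise ValueError(f"refusing unsafe table name: {name!r}")
    # Doubling '"' is a no-op after the check above; it is kept so the quoting
    # stays correct even if the pattern is later relaxed.
    return '"' + name.replace('"', '""') + '"'


def drop_table(conn, name):
    """Drop a table only after its name has passed the allow-list check."""
    ident = safe_table_identifier(name)
    conn.execute(f"DROP TABLE IF EXISTS {ident}")


def table_names(conn):
    """List the user tables currently present in the database."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    )
    return [row[0] for row in rows]


def demo():
    """Run constructed inputs through drop_table and report what happened."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "layer_a" (id INTEGER)')
    conn.execute('CREATE TABLE "keep_me" (id INTEGER)')
    # Constructed inputs: one valid name, then three that must never reach SQL.
    candidates = ["layer_a", 'layer_a"; DROP TABLE keep_me; --', "ws:layer_a", None]
    results = {}
    for candidate in candidates:
        try:
            drop_table(conn, candidate)
            results[candidate] = "dropped"
        except ValueError:
            results[candidate] = "rejected"
    return results, table_names(conn)
```

Rejected names raise before any statement is built, so the caller can log the refusal instead of relying on the database to fail.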

@@ -184,9 +186,22 @@ def create_asset_and_link(self, resource, files, action=None):
response.raise_for_status()

def overwrite_geoserver_resource(self, resource: List[str], catalog, store, workspace):


medium

The type hint for resource is specified as List[str], but the implementation calls .get('name') on it, and the corresponding tests pass a dictionary. Please update the type hint to dict to prevent static analysis errors and improve code readability.

Suggested change
def overwrite_geoserver_resource(self, resource: List[str], catalog, store, workspace):
def overwrite_geoserver_resource(self, resource: dict, catalog, store, workspace):

Comment on lines +1074 to +1077
dataset_alternate = instance_name
if ":" not in dataset_alternate:
workspace = DataPublisher(None).workspace.name
dataset_alternate = f"{workspace}:{dataset_alternate}"
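Review bot: the `if ":" not in dataset_alternate:` check only adds a workspace when none is present, so a value that already contains a colon is accepted with whatever prefix it carries. If `instance_name` can be influenced by the caller, compare the prefix with `DataPublisher(None).workspace.name` instead of only testing for a colon, and handle an empty or None name before the membership test.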


medium

If instance_name is None, performing ":" not in dataset_alternate will raise a TypeError. Adding a defensive check to ensure dataset_alternate is not None or empty before performing the membership check prevents potential runtime crashes.

Suggested change
dataset_alternate = instance_name
if ":" not in dataset_alternate:
workspace = DataPublisher(None).workspace.name
dataset_alternate = f"{workspace}:{dataset_alternate}"
dataset_alternate = instance_name
if dataset_alternate and ":" not in dataset_alternate:
workspace = DataPublisher(None).workspace.name
dataset_alternate = f"{workspace}:{dataset_alternate}"

@sijandh35 sijandh35 changed the title [Fixes #14386] Replace Dataset does not keep in account the user perm(#14387) [Backport 5.0.x] Replace Dataset does not keep in account the user perm(#14387) Jun 30, 2026
codecov Bot commented Jun 30, 2026


Codecov Report

❌ Patch coverage is 1.19048% with 166 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (5.0.x@0dcd5ba). Learn more about missing BASE report.

Additional details and impacted files
@@           Coverage Diff            @@
##             5.0.x   #14398   +/-   ##
========================================
  Coverage         ?   66.00%           
========================================
  Files            ?      945           
  Lines            ?    57034           
  Branches         ?     7744           
========================================
  Hits             ?    37643           
  Misses           ?    17824           
  Partials         ?     1567           