🐛 Fix layer ACL on pws requests. (#725)

Co-authored-by: wlorenzetti <lorenzett@gis3w.it>
g3w-suite · Feb 1, 2024 · e28c17f · e28c17f
1 parent 432818e
commit e28c17f
Showing 1 changed file with 29 additions and 9 deletions.
diff --git a/g3w-admin/qdjango/server_filters/accesscontrol/layer_acl.py b/g3w-admin/qdjango/server_filters/accesscontrol/layer_acl.py
@@ -10,11 +10,14 @@
 __copyright__ = "Copyright 2015 - 2023, Gis3w"
 __license__ = "MPL 2.0"
 
+from django.conf import settings
 from guardian.shortcuts import get_perms, get_anonymous_user
 from qgis.server import QgsAccessControlFilter
 from qgis.core import QgsMessageLog, Qgis
 from qdjango.apps import QGS_SERVER
 from qdjango.models import Layer
+from urllib.parse import urlparse, parse_qs
+
 
 
 class LayerAclAccessControlFilter(QgsAccessControlFilter):
@@ -23,6 +26,8 @@ class LayerAclAccessControlFilter(QgsAccessControlFilter):
     def __init__(self, server_iface):
         super().__init__(server_iface)
 
+        self.server_iface = server_iface
+
     def layerPermissions(self, layer):
 
         rights = QgsAccessControlFilter.LayerPermissions()
@@ -31,15 +36,30 @@ def layerPermissions(self, layer):
             qdjango_layer = Layer.objects.get(
                 project=QGS_SERVER.project, qgs_layer_id=layer.id())
 
-            # Check permission
-            perms = list(
-                set(get_perms(QGS_SERVER.user, qdjango_layer)) |
-                set(get_perms(get_anonymous_user(), qdjango_layer))
-            )
-            rights.canRead = "view_layer" in perms
-            rights.canInsert = "add_layer" in perms
-            rights.canUpdate = "change_layer" in perms
-            rights.canDelete = "delete_layer" in perms
+            # Check for caching
+            purl = urlparse(self.server_iface.requestHandler().url())
+            qs = parse_qs(purl.query)
+            arg = 'g3wsuite_caching_token'.upper()
+            if (('caching' in settings.G3WADMIN_LOCAL_MORE_APPS and
+                     arg in qs and
+                    settings.TILESTACHE_CACHE_TOKEN == qs[arg][0]) and
+                    f"{purl.scheme}://{purl.netloc}" == settings.QDJANGO_SERVER_URL):
+                rights.canRead = True
+                rights.canInsert = False
+                rights.canUpdate = False
+                rights.canDelete = False
+
+            else:
+
+                # Check permission
+                perms = list(
+                    set(get_perms(QGS_SERVER.user, qdjango_layer)) |
+                    set(get_perms(get_anonymous_user(), qdjango_layer))
+                )
+                rights.canRead = "view_layer" in perms
+                rights.canInsert = "add_layer" in perms
+                rights.canUpdate = "change_layer" in perms
+                rights.canDelete = "delete_layer" in perms
 
         except Layer.DoesNotExist:
             pass