Security and Permissions

Note

This is mainly meant for administrators!

GeoNode has the ability to restrict the access on your layers and maps, including the metadata and your uploaded documents. This section will help you to understand which restrictions are possible and what to take care of while using them. Generally permissions can be set on all your uploaded data, but here´s an overview:

  1. Users
    • superuser permissions
    • django admin interface permissions
  2. Layers
    • view and download a layer
    • edit a layer
    • edit and manage a layer
  3. Maps
    • view and download a map
    • edit a map
    • edit and manage a map
  4. Documents
    • view and download a document
    • edit a document
    • edit and manage a document

To understand how this permissions can be set, you first have to know about the different kinds of users.

Users

GeoNode has two types of users:

  • unregistered users (anonymous)
  • registered users

An unregistered user is someone who is just visiting the site, but doesn’t have any data uploaded yet. A registered user has already done that. But there are even more kinds of registered users! A registered user can have one or more of those three status:

  • superuser
  • staff
  • active

A superuser is usually generated directly after the installation of GeoNode via the terminal. When creating a superuser through the terminal it always has the status active and the status staff as well. It is also important to know that a superuser is a user that has all permissions without explicitly assigning them! That means that he is able to upload and edit layers, create maps etc. and can not be restricted from that! So the superuser is basically the administrator, who knows and has access on everything.

The status staff only implies that a user with this status is able to attend the Django Admin Interface. Active has no special meaning, it only says that there is a user and it is available. Instead of deleting this user, you could just unset the status active, your user will still be remaining, but it won´t show up.

There are three options to create a user:

  • terminal: Here you can only create a superuser
  • GeoNode interface: A normal user will be created by signing up to GeoNode. It only has the status active so far!
  • django admin interface: A new user can be created as well as the status of an already existing user can be changed, e.g make a generic user a superuser.

Layers

As mentioned above, a superuser has access on all the uploaded data. In order to restrict other users from certain data, use the superuser to change those permissions. Generally you have the following possibilities of permissions:

../_images/map_permissions.PNG

So there are permissions on:

  • who can view and download
  • who can edit
  • who can edit and manage

The difference between who can edit and who can edit and manage is the fact, that only a user who is allowed to edit and manage is able to change the permissions on this layer/map. (It should be that way but there is a bug so far!)

Basically you can choose between

  • Anybody
  • Any registered user
  • Only a certain user or group

If you allow a user to edit your layer, this user has the right to do the following actions:

  • Edit metadata
  • Edit styles
  • Manage styles
  • Replace the layer
  • Remove the layer

This can also be seen here:

../_images/edit_and_manage.PNG

Edit and manage

Now take a closer look on to the section Edit Metadata. All the following things can be edited in the metadata section:

  • Owner
  • Title
  • Date
  • Data type
  • Edition
  • Abstract
  • Purpose
  • Maintenance frequency
  • Keywords region
  • Restrictions
  • Restrictions other
  • Language
  • Category
  • Spatial representation type
  • Temporal extent start
  • Temporal extent end
  • Supplemental information
  • Distribution URL
  • Distribution description
  • Data quality statement
  • Keywords
  • Point of contact
  • Metadata author
  • Attributes (those can though not be changed!)

The sections about editing and managing styles only include the possibility to change the existing styles of the layer and create new ones.

Note

At the moment it is possible for any user, registered or unregistered, who is permitted to view and download a layer, to Edit Styles!

Any user who is permitted to edit your layer is also able to replace or even remove it!

Maps

Generally all the same applies to maps, but here the opportunities of editing the map are fewer:

  • Edit map metadata
  • Set map thumbnail
  • Remove the map

The sector Edit metadata is almost the same like in the layer’s section, just that it has two options more:

  • Metadata XML
  • Thumbnail

In Set map thumbnail the thumbnail of the map can be set.

Documents

The same permissions can be done on the documents. There’s again a section on Edit Metadata and you could also replace or remove the document.

Groups

Until now it is not possible to set permissions to groups! This action may come in a further GeoNode release!

Require authentication to access GeoNode

By default, unregistered users can view maps, layers, and documents on your site without being authenticated. GeoNode comes a security option that requires users to authenticate before accessing any page. To enable this option, set the LOCKDOWN_GEONODE setting to true in your settings.py file. You can fine-tune which url routes are white-listed (accessible by unregistered users) by listing the routes in the AUTH_EXEMPT_URLS tuple. See the GeoNode Django Apps documentation for more information.