[Backport 5.0.x] [Fixes #14217 #14219] Permissons diffing and fix to permissions removal

[giohappy]

• Confirm you have read the contribution guidelines
• You have sent a Contribution Licence Agreement (CLA) as necessary (not required for small changes, e.g., fixing typos in the documentation)
• Make sure the first PR targets the master branch, eventual backports will be managed later. This can be ignored if the PR is fixing an issue that only happens in a specific branch, but not in newer ones.

The following are required only for core and extension modules (they are welcomed, but not required, for contrib modules):

• There is a ticket in https://github.com/GeoNode/geonode/issues describing the issue/improvement/feature (a notable exemption is, changes not visible to end-users)
• The issue connected to the PR must have Labels and Milestone assigned
• PR for bug fixes and small new features are presented as a single commit
• PR title must be in the form "[Fixes #<issue_number>] Title of the PR"
• New unit tests have been added covering the changes, unless there is an explanation on why the tests are not necessary/implemented

Submitting the PR does not require you to check all items, but by the time it gets merged, they should be either satisfied or inapplicable.

[gemini-code-assist]

Code Review

This pull request introduces a structured mechanism for diffing and applying permission changes through the new PermSpecCompactDiff class and a diff method in PermSpecCompact. The API's resource_service_permissions view now supports PATCH requests by merging proposed changes with current permissions and correctly filtering restricted group updates based on user permissions. Additionally, the patch_perms utility was refactored to utilize this new diffing logic, and comprehensive tests were added to ensure correctness. Feedback was provided to ensure that the apply method receives a dictionary as expected by the PermSpecCompact constructor to avoid potential type errors.

[gemini-code-assist]

The PermSpecCompact constructor expects a dictionary as its first argument. Ensure that current_perms_compact passed to apply is indeed a dictionary (e.g., the result of PermSpec.compact). If it's already a PermSpecCompact instance, this call might fail or lead to unexpected behavior because _bind_json expects a dict.

References

1. Defensive programming: ensure appropriate type checks or guards exist before object property accesses or constructor calls.

[codecov]

Codecov Report

❌ Patch coverage is 98.01325% with 6 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (5.0.x@16ec8b3). Learn more about missing BASE report.

Additional details and impacted files

@@           Coverage Diff            @@
##             5.0.x   #14225   +/-   ##
========================================
  Coverage         ?   74.41%           
========================================
  Files            ?      940           
  Lines            ?    56566           
  Branches         ?     7665           
========================================
  Hits             ?    42093           
  Misses           ?    12794           
  Partials         ?     1679           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.