[GeoNode-users] Security issue: allowed to download view-only shapefiles if i create a map with selected layer

Vladimiro Bellini vlasvlasvlas at gmail.com
Tue May 5 10:16:05 PDT 2015


Hi! Thanks,
ummmmmmmmm exactly what lines do I need to change at views.py? Thanks!

Vladimiro Bellini

2015-05-05 13:12 GMT-03:00 Simone Dalmasso <simone.dalmasso at gmail.com>:

> Hi Vladimiro!
> Good catch, it looks like we implemented the permissions for layers but
> not the check on map download, see here
> https://github.com/GeoNode/geonode/blob/master/geonode/maps/views.py#L593.
> We are also missing a test then.
> To fix that, it is enough to add
> *or not request.user.has_perm('download_resourcebase', obj=ownable_layer.get_self_resource())*
> We will fix this soon in master.
> Thanks again for reporting!
>
> 2015-05-05 17:55 GMT+02:00 Vladimiro Bellini <vlasvlasvlas at gmail.com>:
>
>> Hi!
>>
>> I'm having a user-groups security issue...
>>
>> I installed GeoNode 2.4 (Ubuntu 14)
>>
>> I have 1 all-allow private group with 1 all-allow user,
>>
>> and 1 all-deny group with 1 all-deny user.
>>
>> I have this issue:
>>
>> 1- using the all-allow user, I upload a shapefile, and I set public view
>> only (all other permissions just for his own user)
>>
>> 2- logging in as the all-deny user, I do see the uploaded layer, that's
>> correct because I chose that "everyone can see this layer, but they cannot
>> download it"
>>
>> 3- using the same all-deny user, I create a map using the can-view
>> cannot-download layer.
>>
>> 4- Then I click on my created map and choose "download map" and choose
>> "download data layer", then I click on "start map download".. and yes..
>> there's the problem, being a "you cannot download" user, I just downloaded
>> the "view only" layer by creating a map with it.
>>
>>
>> How can this be resolved?
>>
>> Thanks!
>> If you need screenshots I can make them!
>>
>>
>> _______________________________________________
>> geonode-users mailing list
>> geonode-users at lists.osgeo.org
>> http://lists.osgeo.org/cgi-bin/mailman/listinfo/geonode-users
>>
>>
>
>
> --
> Simone
>
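The gap discussed in this thread and the effect of the extra `or not ... has_perm('download_resourcebase', ...)` clause, as an added example that is not part of the original messages and not GeoNode source code. The `Layer` and `User` classes, the function names, the sample data, and the assumption that the existing condition checks only `view_resourcebase` are all hypothetical; it doubles as the kind of regression test the reply says is missing.

```python
# Added illustration: a self-contained model, not GeoNode's views.py.
from dataclasses import dataclass, field

VIEW = "view_resourcebase"          # assumed to be the pre-existing check
DOWNLOAD = "download_resourcebase"  # permission name quoted in the thread

@dataclass(frozen=True)
class Layer:  # hypothetical stand-in for a layer's resource
    name: str

@dataclass
class User:  # hypothetical stand-in for request.user
    name: str
    grants: set = field(default_factory=set)  # {(perm, layer_name), ...}

    def has_perm(self, perm, obj=None):
        return (perm, obj.name) in self.grants

def split_before_fix(user, map_layers):
    """Reported behaviour: view permission alone lets a layer into the export."""
    allowed, denied = [], []
    for layer in map_layers:
        (allowed if user.has_perm(VIEW, obj=layer) else denied).append(layer)
    return allowed, denied

def split_after_fix(user, map_layers):
    """With the added clause: a layer is locked unless view AND download are held."""
    allowed, denied = [], []
    for layer in map_layers:
        locked = (not user.has_perm(VIEW, obj=layer)
                  or not user.has_perm(DOWNLOAD, obj=layer))
        (denied if locked else allowed).append(layer)
    return allowed, denied

def scenario():
    """Constructed data mirroring steps 1-4 of the report."""
    roads = Layer("roads")      # public view, download for the owner only
    parcels = Layer("parcels")  # fully open layer, for contrast
    everything = {(p, l.name) for p in (VIEW, DOWNLOAD) for l in (roads, parcels)}
    owner = User("all_allow", everything)
    viewer = User("all_deny", everything - {(DOWNLOAD, "roads")})
    return owner, viewer, [roads, parcels]
```
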