[GeoNode-users] Security issue: allowed to download view-only shapefiles if i create a map with selected layer

Vladimiro Bellini vlasvlasvlas at gmail.com
Tue May 5 10:20:11 PDT 2015


Did you mean:

replacing this (lines 593,594,595):

if not request.user.has_perm(
        'view_resourcebase',
        obj=ownable_layer.get_self_resource()):


with this? (lines 593,594,595):

if not request.user.has_perm(
        'download_resourcebase',
        obj=ownable_layer.get_self_resource()):






Vladimiro Bellini              __
\ /| _ _|. _ . _ |__) _||. _ .

2015-05-05 14:16 GMT-03:00 Vladimiro Bellini <vlasvlasvlas at gmail.com>:

> Hi! Thanks,
> ummmmmmmmm exactly what lines do I need to change in views.py? txs!
>
> Vladimiro Bellini              __
> \ /| _ _|. _ . _ |__) _||. _ .
>
> 2015-05-05 13:12 GMT-03:00 Simone Dalmasso <simone.dalmasso at gmail.com>:
>
>> Hi Vladimiro!
>> Good catch, it looks like we implemented the permissions for layers but
>> not the check on map download, see here
>> https://github.com/GeoNode/geonode/blob/master/geonode/maps/views.py#L593.
>> We are also missing a test then.
>> To fix that it is enough to add
>> or not
>> request.user.has_perm('download_resourcebase', obj=ownable_layer.get_self_resource())
>> We will fix this soon in master.
>> Thanks again for reporting!
>>
>> 2015-05-05 17:55 GMT+02:00 Vladimiro Bellini <vlasvlasvlas at gmail.com>:
>>
>>> Hi!
>>>
>>> I'm having a user-groups security issue...
>>>
>>> I installed GeoNode 2.4 (Ubuntu 14).
>>>
>>> I have 1 all-allow private group with 1 all-allow user,
>>>
>>> and 1 all-deny group with 1 all-deny user.
>>>
>>> I have this issue:
>>>
>>> 1- Using the all-allow user, I upload a shapefile and set public view
>>> only (all other permissions just for his own user).
>>>
>>> 2- Logging in as the all-deny user, I do see the uploaded layer; that's
>>> correct because I chose "everyone can see this layer, but they cannot
>>> download it".
>>>
>>> 3- Using the same all-deny user, I create a map using the can-view
>>> cannot-download layer.
>>>
>>> 4- Then I click on my created map, choose "download map", choose
>>> "download data layer", then click on "start map download".. and yes..
>>> there's the problem: being a "you cannot download" user, I just downloaded
>>> the "view only" layer by creating a map with it.
>>>
>>>
>>> How can this be resolved?
>>>
>>> Thanks!
>>> If you need screenshots I can make them!
>>>
>>>
>>> _______________________________________________
>>> geonode-users mailing list
>>> geonode-users at lists.osgeo.org
>>> http://lists.osgeo.org/cgi-bin/mailman/listinfo/geonode-users
>>>
>>>
>>
>>
>> --
>> Simone
>>
>
>
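The check Simone describes, as a standalone added example (not GeoNode's own views.py): the `User`, `Layer`, `has_perm()` and `get_self_resource()` below are constructed stand-ins that mimic the calls quoted in the thread, and the two groups and two layers are constructed to match Vladimiro's setup. It contrasts the view-only condition with the combined view-and-download condition, so a layer the user may see but not download is left out of the map's data download.

```python
"""Standalone illustration of the map-download permission check discussed in
this thread. Added example code, not GeoNode's views.py: User and Layer are
constructed stand-ins that mimic the has_perm() / get_self_resource() calls
quoted in the thread."""

from dataclasses import dataclass, field


@dataclass
class Layer:
    """Constructed stand-in for a GeoNode layer with per-user permissions."""
    name: str
    # username -> set of permission codenames granted on this layer
    perms: dict = field(default_factory=dict)

    def get_self_resource(self):
        # GeoNode checks permissions on the layer's ResourceBase; in this
        # example the layer stands in for its own resource.
        return self


@dataclass
class User:
    """Constructed stand-in for a Django user with object-level permissions."""
    username: str

    def has_perm(self, perm, obj=None):
        """Mimics Django's object-level has_perm(perm, obj)."""
        if obj is None:
            return False
        return perm in obj.perms.get(self.username, set())


def downloadable_layers_before_fix(user, layers):
    """The condition the thread says master had: only view_resourcebase is
    tested, so a view-only layer still ends up in the map download."""
    return [
        layer for layer in layers
        if user.has_perm("view_resourcebase", obj=layer.get_self_resource())
    ]


def downloadable_layers_after_fix(user, layers):
    """Simone's suggested fix: skip a layer when the user lacks EITHER view
    or download permission on it (the 'or not ...download_resourcebase'
    clause added to the existing condition)."""
    allowed = []
    for layer in layers:
        resource = layer.get_self_resource()
        if (not user.has_perm("view_resourcebase", obj=resource)
                or not user.has_perm("download_resourcebase", obj=resource)):
            # excluded from the data download; the map itself stays viewable
            continue
        allowed.append(layer)
    return allowed


def build_scenario():
    """Constructed data reproducing the thread's setup: an uploader with full
    rights and an all-deny user who may only view one of the layers."""
    view_only_layer = Layer(
        "public_view_only",
        perms={
            "all_allow": {"view_resourcebase", "download_resourcebase",
                          "change_resourcebase"},
            "all_deny": {"view_resourcebase"},
        },
    )
    open_layer = Layer(
        "public_download_ok",
        perms={
            "all_allow": {"view_resourcebase", "download_resourcebase"},
            "all_deny": {"view_resourcebase", "download_resourcebase"},
        },
    )
    return User("all_allow"), User("all_deny"), [view_only_layer, open_layer]


def layer_names(layers):
    return [layer.name for layer in layers]


if __name__ == "__main__":
    uploader, viewer, layers = build_scenario()
    print("before fix, all_deny gets:",
          layer_names(downloadable_layers_before_fix(viewer, layers)))
    print("after fix,  all_deny gets:",
          layer_names(downloadable_layers_after_fix(viewer, layers)))
```

Running it shows the all-deny user receiving both layers under the old condition and only `public_download_ok` under the fixed one, while the uploader still gets both; a regression test for the real view would assert the same two outcomes, which is the missing test Simone mentions.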