[GeoNode-users] Security issue: allowed to download view-only shapefiles if i create a map with selected layer

Simone Dalmasso simone.dalmasso at gmail.com
Tue May 5 11:46:09 PDT 2015


Yes, it is download instead of view.

On Tuesday, 5 May 2015, Vladimiro Bellini <vlasvlasvlas at gmail.com>
wrote:

> Did you mean:
>
> replacing this (lines 593,594,595):
>
> if not request.user.has_perm(
>                         'view_resourcebase',
>                         obj=ownable_layer.get_self_resource()):
>
>
> with this? (lines 593,594,595):
>
> if not request.user.has_perm(
>                         'download_resourcebase',
>                         obj=ownable_layer.get_self_resource()):
>
>
>
>
>
>
> Vladimiro Bellini              __
> \ /| _ _|. _ . _ |__) _||. _ .
>
> 2015-05-05 14:16 GMT-03:00 Vladimiro Bellini <vlasvlasvlas at gmail.com>:
>
>> Hi! Thanks,
>> ummmmmmmmm exactly what lines do I need to change in views.py? txs!
>>
>> Vladimiro Bellini              __
>> \ /| _ _|. _ . _ |__) _||. _ .
>>
>> 2015-05-05 13:12 GMT-03:00 Simone Dalmasso <simone.dalmasso at gmail.com>:
>>
>>> Hi Vladimiro!
>>> Good catch, it looks like we implemented the permissions for layers but
>>> not the check on map download; see here
>>> https://github.com/GeoNode/geonode/blob/master/geonode/maps/views.py#L593.
>>> We are also missing a test then.
>>> To fix that it is enough to add
>>> or not
>>> request.user.has_perm('download_resourcebase',obj=ownable_layer.get_self_resource())
>>> We will fix this soon in master.
>>> Thanks again for reporting!
>>>
>>> 2015-05-05 17:55 GMT+02:00 Vladimiro Bellini <vlasvlasvlas at gmail.com>:
>>>
>>>> Hi!
>>>>
>>>> I'm having a user-groups security issue...
>>>>
>>>> I installed GeoNode 2.4 (Ubuntu 14).
>>>>
>>>> I have 1 all-allow private group with 1 all-allow user,
>>>>
>>>> and 1 all-deny group with 1 all-deny user.
>>>>
>>>> I have this issue:
>>>>
>>>> 1- Using the all-allow user, I upload a shapefile, and I set public
>>>> view only (all other permissions just for his own user).
>>>>
>>>> 2- Logging in as the all-deny user, I do see the uploaded layer; that's
>>>> correct because I chose "everyone can see this layer, but they cannot
>>>> download it".
>>>>
>>>> 3- Using the same all-deny user, I create a map using the can-view
>>>> cannot-download layer.
>>>>
>>>> 4- Then I click on my created map and choose "download map", choose
>>>> "download data layer", then click on "start map download".. and yes,
>>>> there's the problem: being a "you cannot download" user, I just downloaded
>>>> the "view only" layer by creating a map with it.
>>>>
>>>>
>>>> How can this be resolved?
>>>>
>>>> Thanks!
>>>> If you need screenshots I can make them!
>>>>
>>>>
>>>> _______________________________________________
>>>> geonode-users mailing list
>>>> geonode-users at lists.osgeo.org
>>>> http://lists.osgeo.org/cgi-bin/mailman/listinfo/geonode-users
>>>>
>>>>
>>>
>>>
>>> --
>>> Simone
>>>
>>
>>
>

-- 
Simone
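The check Simone describes, reduced to something that runs offline, as an added example that is not GeoNode's own code. The real view in geonode/maps/views.py calls Django's request.user.has_perm(perm, obj=...) on each layer's get_self_resource(); the User and Layer classes below are assumed stand-ins with the same call shape, and the permission codenames view_resourcebase and download_resourcebase are the ones named in the thread. It puts the check as reported (view permission only) beside the proposed fix (view and download permission), run against the reporter's scenario of a layer that everyone may view but only the owner may download:

```python
"""Model of the GeoNode map-download permission check discussed in the thread.

Added illustration, not GeoNode code: the real view uses Django's
request.user.has_perm(perm, obj=...). The User and Layer classes are assumed
stand-ins so the two variants of the check can run without Django.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Layer:
    """Stand-in for a GeoNode layer; get_self_resource() mirrors the real call."""
    name: str

    def get_self_resource(self):
        return self


@dataclass
class User:
    """Stand-in for request.user with per-object permissions (assumed shape)."""
    username: str
    # constructed: {layer_name: {perm_codename, ...}}
    perms: dict = field(default_factory=dict)

    def has_perm(self, perm, obj=None):
        return perm in self.perms.get(obj.name, set())


def layers_blocking_download_view_only(user, layers):
    """The check as reported: only view_resourcebase is required per layer,
    so a view-only layer can still be pulled out through 'download map'."""
    return [layer for layer in layers
            if not user.has_perm('view_resourcebase',
                                 obj=layer.get_self_resource())]


def layers_blocking_download_fixed(user, layers):
    """The proposed fix: every layer in the map must grant both
    view_resourcebase and download_resourcebase, or the download is refused."""
    blocked = []
    for layer in layers:
        res = layer.get_self_resource()
        if (not user.has_perm('view_resourcebase', obj=res)
                or not user.has_perm('download_resourcebase', obj=res)):
            blocked.append(layer)
    return blocked


def download_permitted(check, user, layers):
    """True when the map download would be served (no layer failed the check)."""
    return not check(user, layers)


# Constructed scenario from the report: the uploader makes the layer public
# view-only and keeps the other permissions for their own account.
VIEW_ONLY_LAYER = Layer('uploaded_shapefile')
OWNER = User('all-allow', {'uploaded_shapefile': {
    'view_resourcebase', 'download_resourcebase', 'change_resourcebase'}})
DENIED = User('all-deny', {'uploaded_shapefile': {'view_resourcebase'}})

if __name__ == '__main__':
    for who in (OWNER, DENIED):
        print(who.username,
              'view-only check:',
              download_permitted(layers_blocking_download_view_only,
                                 who, [VIEW_ONLY_LAYER]),
              'fixed check:',
              download_permitted(layers_blocking_download_fixed,
                                 who, [VIEW_ONLY_LAYER]))
```

The view-only variant lets the all-deny user through, which is exactly the report; the fixed variant refuses that user and still serves the owner. The same assertions are the test Simone says is missing: a user holding only view_resourcebase on one of a map's layers must not be able to download that map's data.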