[GeoNode-users] Security issue: allowed to download view-only shapefiles if i create a map with selected layer
Vladimiro Bellini
vlasvlasvlas at gmail.com
Tue May 5 08:55:47 PDT 2015
Hi!
I'm having a user-groups security issue...
I installed GeoNode 2.4 (Ubuntu 14).
I have 1 all-allow private group with 1 all-allow user,
and 1 all-deny group with 1 all-deny user.
I have this issue:
1- Using the all-allow user, I upload a shapefile, and I set public view
only (all other permissions just for his own user).
2- Logging in as the all-deny user, I do see the uploaded layer; that's correct
because I chose that "everyone can see this layer, but they cannot download
it".
3- Using the same all-deny user, I create a map using the can-view
cannot-download layer.
4- Then I click on my created map and choose "download map" and choose
"download data layer", then I click on "start map download"... and yes,
there's the problem: being a "you cannot download" user, I just downloaded
the "view only" layer by creating a map with it.
How can this be resolved?
Thanks!
If you need screenshots I can make them!