[GeoNode-users] Security issue: allowed to download view-only shapefiles if i create a map with selected layer

Simone Dalmasso simone.dalmasso at gmail.com
Tue May 5 09:12:25 PDT 2015


Hi Vladimiro!
Good catch, it looks like we implemented the permissions for layers but not
the check on map download; see here:
https://github.com/GeoNode/geonode/blob/master/geonode/maps/views.py#L593.
We are also missing a test then.
To fix that it is enough to add
or not
request.user.has_perm('download_resourcebase', obj=ownable_layer.get_self_resource())
We will fix this soon in master.
Thanks again for reporting!

2015-05-05 17:55 GMT+02:00 Vladimiro Bellini <vlasvlasvlas at gmail.com>:

> Hi!
>
> I'm having some user-group security issues...
>
> I installed GeoNode 2.4 (Ubuntu 14).
>
> I have 1 all-allow private group with 1 all-allow user,
>
> and 1 all-deny group with 1 all-deny user.
>
> I have this issue:
>
> 1- Using the all-allow user, I upload a shapefile and set it to public view
> only (all other permissions just for his own user).
>
> 2- Logging in as the all-deny user, I do see the uploaded layer; that's
> correct because I chose "everyone can see this layer, but they cannot
> download it".
>
> 3- Using the same all-deny user, I create a map using the can-view,
> cannot-download layer.
>
> 4- Then I click on my created map, choose "download map", choose
> "download data layer", then click on "start map download"... and yes,
> there's the problem: being a "you cannot download" user, I just downloaded
> the "view only" layer by creating a map with it.
>
>
> How can this be resolved?
>
> Thanks!
> If you need screenshots I can make them!
>
>
> _______________________________________________
> geonode-users mailing list
> geonode-users at lists.osgeo.org
> http://lists.osgeo.org/cgi-bin/mailman/listinfo/geonode-users
>
>


-- 
Simone
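As an added illustration of the missing check discussed above (example code, not GeoNode's own views.py), the block below models a map download that collects its layers from the map and shows the difference between checking only the view permission and also checking `download_resourcebase` per layer, as Simone's suggested condition does. The `has_perm`, `download_resourcebase` and `get_self_resource` names are taken from the thread; the `User`, `Resource` and `Layer` classes and the `allow`/`deny` scenario are constructed stand-ins for the Django/guardian objects GeoNode uses.

```python
"""Added example (not GeoNode's code): models the missing authorization
check from the thread. A map download must check each layer's
'download_resourcebase' permission separately from the view permission.
The classes here are constructed stand-ins, not GeoNode's models."""

from dataclasses import dataclass, field


@dataclass
class Resource:
    """Constructed stand-in for a GeoNode ResourceBase."""
    name: str
    # permission name -> usernames holding it ("everyone" = public access)
    perms: dict = field(default_factory=dict)


@dataclass
class Layer:
    """Constructed stand-in for a GeoNode Layer."""
    resource: Resource

    def get_self_resource(self):
        return self.resource


@dataclass
class User:
    username: str

    def has_perm(self, perm, obj):
        """Mirrors the request.user.has_perm(perm, obj=...) call in the thread."""
        holders = obj.perms.get(perm, set())
        return "everyone" in holders or self.username in holders


def downloadable_layers_vulnerable(user, map_layers):
    """Pre-fix behaviour described in the report: every layer the user can
    view is bundled into the map download, whatever its download permission."""
    return [layer for layer in map_layers
            if user.has_perm("view_resourcebase", obj=layer.get_self_resource())]


def downloadable_layers_fixed(user, map_layers):
    """Fixed behaviour: a layer is left out unless the user also holds
    download_resourcebase on it (the 'or not ... has_perm' condition)."""
    return [layer for layer in map_layers
            if user.has_perm("view_resourcebase", obj=layer.get_self_resource())
            and user.has_perm("download_resourcebase", obj=layer.get_self_resource())]


def build_map_download(user, map_layers, check=downloadable_layers_fixed):
    """Return the layer names that would be written into the download package."""
    return [layer.get_self_resource().name for layer in check(user, map_layers)]


# Constructed scenario from the report: a public view-only layer whose
# download right belongs to its owner "allow", plus a fully public layer.
view_only = Resource("roads", {"view_resourcebase": {"everyone"},
                               "download_resourcebase": {"allow"}})
public = Resource("parks", {"view_resourcebase": {"everyone"},
                            "download_resourcebase": {"everyone"}})
MAP_LAYERS = [Layer(view_only), Layer(public)]
deny_user = User("deny")

if __name__ == "__main__":
    print("before fix:", build_map_download(deny_user, MAP_LAYERS,
                                            downloadable_layers_vulnerable))
    print("after fix: ", build_map_download(deny_user, MAP_LAYERS))
```

Run as a script it prints the view-only layer in the pre-fix bundle and only the fully public layer after the fix; a regression test for the real view would assert the same on a map built by a user who holds view but not download permission on one of its layers.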