[GeoNode-users] Security issue: allowed to download view-only shapefiles if i create a map with selected layer

Simone Dalmasso simone.dalmasso at gmail.com
Tue May 5 09:12:25 PDT 2015

Hi Vladimiro!
Good catch, it looks like we implemented the permissions for layers but not
the check on map download, see here
We are also missing a test then.
To fix that it is enough to add
*or not
We will fix this soon in master.
Thanks again for reporting!

2015-05-05 17:55 GMT+02:00 Vladimiro Bellini <vlasvlasvlas at gmail.com>:

> Hi!
> I'm having some user-groups security issue...
> I installed GeoNode 2.4 (Ubuntu 14)
> I have 1 all-allow private group with 1 all-allow user,
> and 1 all-deny group with 1 all-deny user.
> I have this issue:
> 1- Using the all-allow user, I upload a shapefile, and I set public view
> only (all other permissions just for his own user)
> 2- Logging in as the all-deny user, I do see the uploaded layer, that's
> correct because I chose that "everyone can see this layer, but they cannot
> download it"
> 3- Using the same all-deny user, I create a map using the can-view
> cannot-download layer.
> 4- Then I click on my created map and choose "download map" and choose
> "download data layer", then I click on "start map download".. and yes..
> there's the problem, being a "you cannot download" user, I just downloaded
> the "view only" layer by creating a map with it.
> How can this be resolved?
> Thanks!
> If you need screenshots I can make them!

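The missing check discussed in this thread, as an added example that is not part of the original messages and is not GeoNode code: a map export that bundles every layer on the map, next to one that applies the per-layer download permission, over constructed data mirroring the report. All class, function, user and permission names here are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed model: these permission names and classes are hypothetical,
# not GeoNode's own identifiers.
VIEW, DOWNLOAD = "view", "download"


@dataclass
class Layer:
    name: str
    # user name -> set of permissions; "*" stands for "everyone"
    perms: dict = field(default_factory=dict)

    def allows(self, user, perm):
        granted = self.perms.get(user, set()) | self.perms.get("*", set())
        return perm in granted


@dataclass
class Map:
    title: str
    owner: str
    layers: list


def map_download_unchecked(user, map_):
    """Behaviour reported in the thread: every layer on the map is exported."""
    return [layer.name for layer in map_.layers]


def map_download_checked(user, map_):
    """Export only layers the requesting user may download; list the rest."""
    allowed, denied = [], []
    for layer in map_.layers:
        target = allowed if layer.allows(user, DOWNLOAD) else denied
        target.append(layer.name)
    return allowed, denied


# Constructed sample data: "roads" is public view-only, "parks" is fully public.
roads = Layer("roads", {"*": {VIEW}, "allow_user": {VIEW, DOWNLOAD}})
parks = Layer("parks", {"*": {VIEW, DOWNLOAD}})
deny_map = Map("my map", "deny_user", [roads, parks])

if __name__ == "__main__":
    print(map_download_unchecked("deny_user", deny_map))
    print(map_download_checked("deny_user", deny_map))
```

The assertions a regression test for this case would carry are that the view-only layer never appears in the export for a user without download rights, while the uploader still receives it.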