[GeoNode-users] Security issue: allowed to download view-only shapefiles if i create a map with selected layer
vlasvlasvlas at gmail.com
Tue May 5 10:16:05 PDT 2015
ummmmmmmmm exactly what lines do i need to change at views.py? txs!
Vladimiro Bellini __
\ /| _ _|. _ . _ |__) _||. _ .
2015-05-05 13:12 GMT-03:00 Simone Dalmasso <simone.dalmasso at gmail.com>:
> Hi Vladimiro!
> Good catch, it looks that we implemented the permissions for layers but
> not the check on map download see here
> We are also missing a test then.
> To fix that is enough to add
> *or not
> We will fix this soon in master.
> Thanks again for reporting!
> 2015-05-05 17:55 GMT+02:00 Vladimiro Bellini <vlasvlasvlas at gmail.com>:
>> i'm having some user-groups security issue...
>> i installed geonode 2.4 (ubuntu 14)
>> i have 1 all-allow private group with 1 all-allow user ,
>> and 1 all-deny group with 1 all-deny user.
>> I have this issue:
>> 1- using the all-allow user, i upload a shapefile, and i set public view
>> only (all other permissions just for his own user)
>> 2- logging as the all-deny user, i do see the uploaded layer, thats
>> correct because i chose that "everyone can see this layer, but they cannot
>> download it"
>> 3- using the same all-deny user, i create a map using the can-view
>> cannot-download layer.
>> 4- Then click on my created map and choose "download map" and choose
>> "download data layer", then i click on "start map download".. and yes..
>> there's the problem, being a "you cannot download" user, i just downloaded
>> the "view only" layer by creating a map with it.
>> how can this be resolved?
>> if you need screenshots i can make them!
>> geonode-users mailing list
>> geonode-users at lists.osgeo.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the geonode-users