[GeoNode-users] Security issue: allowed to download view-only shapefiles if i create a map with selected layer

Vladimiro Bellini vlasvlasvlas at gmail.com
Tue May 5 11:47:42 PDT 2015


thanks, I'll test it right now :P

Vladimiro Bellini              __
\ /| _ _|. _ . _ |__) _||. _ .

2015-05-05 15:46 GMT-03:00 Simone Dalmasso <simone.dalmasso at gmail.com>:

> Yes, it is download instead of view.
>
>
> On Tuesday 5 May 2015, Vladimiro Bellini <vlasvlasvlas at gmail.com>
> wrote:
>
>> Did you mean:
>>
>> replacing this (lines 593,594,595):
>>
>> if not request.user.has_perm(
>>         'view_resourcebase',
>>         obj=ownable_layer.get_self_resource()):
>>
>>
>> with this? (lines 593,594,595):
>>
>> if not request.user.has_perm(
>>         'download_resourcebase',
>>         obj=ownable_layer.get_self_resource()):
>>
>>
>>
>>
>>
>>
>> Vladimiro Bellini              __
>> \ /| _ _|. _ . _ |__) _||. _ .
>>
>> 2015-05-05 14:16 GMT-03:00 Vladimiro Bellini <vlasvlasvlas at gmail.com>:
>>
>>> Hi! thanks,
>>> ummmmmmmmm exactly what lines do I need to change at views.py? thanks!
>>>
>>> Vladimiro Bellini              __
>>> \ /| _ _|. _ . _ |__) _||. _ .
>>>
>>> 2015-05-05 13:12 GMT-03:00 Simone Dalmasso <simone.dalmasso at gmail.com>:
>>>
>>>> Hi Vladimiro!
>>>> Good catch, it looks like we implemented the permissions for layers but
>>>> not the check on map download, see here
>>>> https://github.com/GeoNode/geonode/blob/master/geonode/maps/views.py#L593.
>>>> We are also missing a test then.
>>>> To fix that, it is enough to add
>>>> `or not request.user.has_perm('download_resourcebase', obj=ownable_layer.get_self_resource())`
>>>> We will fix this soon in master.
>>>> Thanks again for reporting!
>>>>
>>>> 2015-05-05 17:55 GMT+02:00 Vladimiro Bellini <vlasvlasvlas at gmail.com>:
>>>>
>>>>> Hi!
>>>>>
>>>>> I'm having some user-groups security issue...
>>>>>
>>>>> I installed geonode 2.4 (ubuntu 14)
>>>>>
>>>>> I have 1 all-allow private group with 1 all-allow user,
>>>>>
>>>>> and 1 all-deny group with 1 all-deny user.
>>>>>
>>>>> I have this issue:
>>>>>
>>>>> 1- using the all-allow user, I upload a shapefile, and I set public
>>>>> view only (all other permissions just for his own user)
>>>>>
>>>>> 2- logging in as the all-deny user, I do see the uploaded layer, that's
>>>>> correct because I chose that "everyone can see this layer, but they cannot
>>>>> download it"
>>>>>
>>>>> 3- using the same all-deny user, I create a map using the can-view
>>>>> cannot-download layer.
>>>>>
>>>>> 4- Then I click on my created map and choose "download map" and choose
>>>>> "download data layer", then I click on "start map download".. and yes..
>>>>> there's the problem: being a "you cannot download" user, I just downloaded
>>>>> the "view only" layer by creating a map with it.
>>>>>
>>>>>
>>>>> how can this be resolved?
>>>>>
>>>>> thanks!
>>>>> if you need screenshots I can make them!
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> geonode-users mailing list
>>>>> geonode-users at lists.osgeo.org
>>>>> http://lists.osgeo.org/cgi-bin/mailman/listinfo/geonode-users
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Simone
>>>>
>>>
>>>
>>
>
> --
> Simone
>
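The authorization gap in this thread is easy to reproduce in isolation: the map download path consulted only `view_resourcebase` on each layer, so a user who may view but not download a layer could pull its data by placing it on a map. The following is an added illustration, not GeoNode's own code. Django's `User.has_perm` and GeoNode's layer objects are replaced by minimal stand-ins so it runs offline; the permission names `view_resourcebase` and `download_resourcebase` are the ones quoted above, and the sample layer, users and their grants are constructed for the example.

```python
"""Toy model of the map-download permission check discussed in the thread.

Added illustration, not GeoNode's own code. The Layer and User classes are
stand-ins for GeoNode resources and Django users; only the permission names
come from the thread.
"""
from dataclasses import dataclass, field


@dataclass
class Layer:
    """Stand-in for a GeoNode layer; get_self_resource() returns itself."""
    name: str

    def get_self_resource(self):
        return self


@dataclass
class User:
    """Stand-in for a Django user with per-object permissions keyed by layer name."""
    username: str
    perms: dict = field(default_factory=dict)

    def has_perm(self, perm, obj=None):
        return perm in self.perms.get(obj.name, set())


def layers_denied_view_only(user, layers):
    """Check modelled on the quoted views.py line: only view permission is consulted.

    Returns the names of layers the user is denied on (empty list = allowed).
    """
    return [layer.name for layer in layers
            if not user.has_perm('view_resourcebase',
                                 obj=layer.get_self_resource())]


def layers_denied_view_and_download(user, layers):
    """Check with the 'or not ... download_resourcebase' clause from the thread.

    A layer is denied if the user lacks either view or download on it.
    """
    return [layer.name for layer in layers
            if not user.has_perm('view_resourcebase',
                                 obj=layer.get_self_resource())
            or not user.has_perm('download_resourcebase',
                                 obj=layer.get_self_resource())]


def map_download_allowed(user, layers, check):
    """A map data download proceeds only when no layer on the map is denied."""
    return not check(user, layers)


# Constructed sample: a public view-only layer (step 1 in the report), an
# all-deny user who can see it but was never granted download (steps 2-4), and
# the owner who holds both permissions.
VIEW_ONLY = Layer("roads")
ALL_DENY = User("all-deny", {"roads": {"view_resourcebase"}})
OWNER = User("owner", {"roads": {"view_resourcebase", "download_resourcebase"}})

if __name__ == "__main__":
    for check in (layers_denied_view_only, layers_denied_view_and_download):
        print(check.__name__,
              "all-deny:", map_download_allowed(ALL_DENY, [VIEW_ONLY], check),
              "owner:", map_download_allowed(OWNER, [VIEW_ONLY], check))
```

With the view-only check the all-deny user's map download goes through; with the combined check it is refused while the owner's still succeeds, which is the regression test the thread notes was missing.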