fix possible information disclosure by describing coordinates

2016-12-24 02:08:30 +01:00 · 2016-12-24 02:08:30 +01:00 · 3f3b868e8a
commit 3f3b868e8a
parent fa8561b69a
2 changed files with 6 additions and 3 deletions
--- a/src/c3nav/mapdata/models/locations.py
+++ b/src/c3nav/mapdata/models/locations.py
@ -284,10 +284,11 @@ class AreaLocation(LocationModelMixin, GeometryMapItemWithLevel):


 class PointLocation(Location):
-    def __init__(self, level: Level, x: int, y: int):
+    def __init__(self, level: Level, x: int, y: int, request):
        self.level = level
        self.x = x
        self.y = y
+        self.request = request

    @cached_property
    def location_id(self):
@ -302,7 +303,9 @@ class PointLocation(Location):
        from c3nav.routing.graph import Graph
        graph = Graph.load()
        point = graph.get_nearest_point(self.level, self.x, self.y)
-        if point is None:
+
+        if point is None or (':nonpublic' in point.arealocations and self.request.c3nav_full_access and
+                             not len(set(self.request.c3nav_access_list) - set(point.arealocations))):
            return _('Unreachable Coordinates'), ''

        locations = sorted(AreaLocation.objects.filter(name__in=point.arealocations, can_describe=True),
--- a/src/c3nav/mapdata/search.py
+++ b/src/c3nav/mapdata/search.py
@ -15,7 +15,7 @@ def get_location(request, name):
        level = levels.get(match.group('level'))
        if level is None:
            return None
-        return PointLocation(level=level, x=int(match.group('x'))/100, y=int(match.group('y'))/100)
+        return PointLocation(level=level, x=int(match.group('x'))/100, y=int(match.group('y'))/100, request=request)

    if name.startswith('g:'):
        queryset = LocationGroup.objects.filter(Q(name=name[2:], can_search=True))