fix possible information disclosure by describing coordinates

src/c3nav/mapdata/models/locations.py

@@ -284,10 +284,11 @@ class AreaLocation(LocationModelMixin, GeometryMapItemWithLevel):
 
 
 class PointLocation(Location):
-    def __init__(self, level: Level, x: int, y: int):
+    def __init__(self, level: Level, x: int, y: int, request):
         self.level = level
         self.x = x
         self.y = y
+        self.request = request
 
     @cached_property
     def location_id(self):
@@ -302,7 +303,9 @@ class PointLocation(Location):
         from c3nav.routing.graph import Graph
         graph = Graph.load()
         point = graph.get_nearest_point(self.level, self.x, self.y)
-        if point is None:
+
+        if point is None or (':nonpublic' in point.arealocations and self.request.c3nav_full_access and
+                             not len(set(self.request.c3nav_access_list) - set(point.arealocations))):
             return _('Unreachable Coordinates'), ''
 
         locations = sorted(AreaLocation.objects.filter(name__in=point.arealocations, can_describe=True),

src/c3nav/mapdata/search.py

@@ -15,7 +15,7 @@ def get_location(request, name):
         level = levels.get(match.group('level'))
         if level is None:
             return None
-        return PointLocation(level=level, x=int(match.group('x'))/100, y=int(match.group('y'))/100)
+        return PointLocation(level=level, x=int(match.group('x'))/100, y=int(match.group('y'))/100, request=request)
 
     if name.startswith('g:'):
         queryset = LocationGroup.objects.filter(Q(name=name[2:], can_search=True))