Browse files

Close _gaping_ security hole in resolve_object, might be good to get …

…some security tests in place
  • Loading branch information...
1 parent 2e393ea commit 9f195b9ab3958d086df28ebc5dc57d7b41d349a9 @jj0hns0n jj0hns0n committed Nov 13, 2012
Showing with 2 additions and 2 deletions.
  1. +2 −2 geonode/
@@ -546,13 +546,13 @@ def _get_viewer_projection_info(srid):
def resolve_object(request, model, query, permission=None,
- permission_required=False, permission_msg=None):
+ permission_required=True, permission_msg=None):
'''Resolve an object using the provided query and check the optional
permission. Model views should wrap this function as a shortcut.
query - a dict to use for querying the model
permission - an optional permission to check
- permission_required - if True, allow get methods to proceed
+ permission_required - if False, allow get methods to proceed
permission_msg - optional message to use in 403

0 comments on commit 9f195b9

Please sign in to comment.