do not leak admin urls

aldryn · Apr 29, 2019 · a0df60c · a0df60c
1 parent 9e1b1dd
commit a0df60c
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 4 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,24 +1,31 @@
 CHANGELOG
 =========
 
+1.1.4 (2019-04-29)
+------------------
+
+* Fix unicode error in python 3
+* Fix for 'query' field not used in model for Django 1.11
+* Fix leaking the admin url when accessed without login
+
 
 1.1.3 (2016-10-11)
 ------------------
 
-* fix unicode error in location plugin
-* fix error introduced in 1.1.2 (commit f76dedd7)
+* Fix unicode error in location plugin
+* Fix error introduced in 1.1.2 (commit f76dedd7)
 
 
 1.1.2 (2016-10-11)
 ------------------
 
-* path location plugin: fix absolute url
+* Path location plugin: fix absolute url
 
 
 1.1.1 (2016-09-14)
 ------------------
 
-* fix staticmap with new kml location plugin
+* Fix staticmap with new kml location plugin
 
 
 1.1.0 (2016-09-14)

diff --git a/aldryn_locations/cms_plugins.py b/aldryn_locations/cms_plugins.py
@@ -56,6 +56,12 @@ def render(self, context, instance, placeholder):
                     data = '{}{}'.format(base_url, data)
                 path_sources.append(data)
             else:
+                if not request.toolbar or not (
+                    getattr(request.toolbar, 'edit_mode')
+                    or getattr(request.toolbar, 'edit_mode_active')
+                ):
+                    # do not leak /admin urls
+                    data['admin'] = None
                 location_data.append(data)
 
         # Options for the map comes from plugin so I assigned it here