Security patch for django-filer
django filer did not check permissions properly for listing directories, moving files or folders, or uploading files. Effectively, a staff user without any permissions could thereby browse filer's folder tree if they knew the url. This vulnerability would expose the folder tree and the files to a staff user without permissions.
Please see the relevant commits on GitHub for more information about the vulnerability and mitigation.
Thanks to Akshar Tank for the detailed report through our security email.
As ever, we remind our users and contributors that all security reports, patches and concerns be addressed only to our security team by email, at [email protected]
Please do not use GitHub, our email lists or slack to report, address or otherwise discuss matters relating to security.