From 867205fcbb9b9d74ec226b6aed0ed0ff3d14fdf1 Mon Sep 17 00:00:00 2001
From: Peter Wischer
Date: Mon, 29 Apr 2019 16:13:30 +0200
Subject: [PATCH] do not leak admin urls
---
 aldryn_locations/cms_plugins.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/aldryn_locations/cms_plugins.py b/aldryn_locations/cms_plugins.py
index e5d3e4f..3416f4d 100644
--- a/aldryn_locations/cms_plugins.py
+++ b/aldryn_locations/cms_plugins.py
@@ -56,6 +56,12 @@ def render(self, context, instance, placeholder):
 data = '{}{}'.format(base_url, data)
 path_sources.append(data)
 else:
+ if not request.toolbar or not (
+ getattr(request.toolbar, 'edit_mode')
+ or getattr(request.toolbar, 'edit_mode_active')
+ ):
+ # do not leak /admin urls
+ data['admin'] = None
 location_data.append(data)
 # Options for the map comes from plugin so I assigned it here
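Review bot: Both `getattr` calls in the added condition have no default, so a toolbar object that lacks `edit_mode_active` (or `edit_mode`) raises `AttributeError` instead of falling through; the two names look like a compatibility pair for different django CMS releases, which is exactly the case where one of them is absent. Because `or` only short-circuits when the first lookup is truthy, the ordinary non-editing request is the one that reaches the second lookup. I would write `toolbar = getattr(request, 'toolbar', None)` and `in_edit_mode = bool(toolbar) and (getattr(toolbar, 'edit_mode', False) or getattr(toolbar, 'edit_mode_active', False))`, then blank `data['admin']` when `not in_edit_mode`, which also covers a request that carries no `toolbar` attribute at all. The comment could state the intent more fully, e.g. `# only editors get the admin link; the admin views must still enforce their own permissions`. `render` starts and continues outside the hunk, so where `request` and `data['admin']` come from is not visible here.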