From a0df60cd8a6503cb9ec65d3a34a52023e5251497 Mon Sep 17 00:00:00 2001
From: Peter Wischer
Date: Mon, 29 Apr 2019 16:13:30 +0200
Subject: [PATCH] do not leak admin urls

---
 CHANGELOG.rst                   | 15 +++++++++++----
 aldryn_locations/cms_plugins.py |  6 ++++++
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 940f597..034ba52 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,24 +1,31 @@
 CHANGELOG
 =========
 
+1.1.4 (2019-04-29)
+------------------
+
+* Fix unicode error in python 3
+* Fix for 'query' field not used in model for Django 1.11
+* Fix leaking the admin url when accessed without login
+
 1.1.3 (2016-10-11)
 ------------------
 
-* fix unicode error in location plugin
-* fix error introduced in 1.1.2 (commit f76dedd7)
+* Fix unicode error in location plugin
+* Fix error introduced in 1.1.2 (commit f76dedd7)
 
 1.1.2 (2016-10-11)
 ------------------
 
-* path location plugin: fix absolute url
+* Path location plugin: fix absolute url
 
 1.1.1 (2016-09-14)
 ------------------
 
-* fix staticmap with new kml location plugin
+* Fix staticmap with new kml location plugin
 
 1.1.0 (2016-09-14)
diff --git a/aldryn_locations/cms_plugins.py b/aldryn_locations/cms_plugins.py
index e5d3e4f..3416f4d 100644
--- a/aldryn_locations/cms_plugins.py
+++ b/aldryn_locations/cms_plugins.py
@@ -56,6 +56,12 @@ def render(self, context, instance, placeholder):
                 data = '{}{}'.format(base_url, data)
                 path_sources.append(data)
             else:
+                if not request.toolbar or not (
+                    getattr(request.toolbar, 'edit_mode')
+                    or getattr(request.toolbar, 'edit_mode_active')
+                ):
+                    # do not leak /admin urls
+                    data['admin'] = None
                 location_data.append(data)
 
         # Options for the map comes from plugin so I assigned it here
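Review bot: The two `getattr` calls in the new guard have no default, so on a toolbar that exposes only one of the two attributes (the `or` looks intended to span django-cms versions that renamed `edit_mode` to `edit_mode_active`) the first lookup raises AttributeError instead of falling through, and the plugin fails to render for exactly the anonymous visitors the change is meant to protect rather than stripping the URL. Use `getattr(request.toolbar, 'edit_mode', False) or getattr(request.toolbar, 'edit_mode_active', False)` so a missing attribute counts as "not editing"; the same applies to `request.toolbar` itself if the toolbar middleware may be absent, where `getattr(request, 'toolbar', None)` is the safer read. Note also that "toolbar in edit mode" is a proxy for "user is permitted to see the admin change URL"; if the project has a permission check for that, keying the stripping on it is the more direct control, and is worth stating in the comment, e.g. `# strip the admin change URL unless the viewer is editing; anonymous requests must never receive it`. `render` begins before this hunk and `request` is bound there.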