See line https://github.com/lizardsystem/lizard-security/blob/master/lizard_security/manager.py#L27
If 'request.user' fails (because we don't have a thread local request object), no query filter is created. That's an insecure default!
- Either warn very verbosely in the admin, for instance, and on startup.
- And/or fix it so that there's a secure filter ("don't see a thing").
(Issue found because the "alkmaar.lizard.net" site didn't filter despite a dataset being set on an app icon).
See line https://github.com/lizardsystem/lizard-security/blob/master/lizard_security/manager.py#L27
If 'request.user' fails (because we don't have a thread local request object), no query filter is created. That's an insecure default!
(Issue found because the "alkmaar.lizard.net" site didn't filter despite a dataset being set on an app icon).