Opened 14 years ago

Closed 14 years ago

#931 closed defect (fixed)

Share items to EVERYONE without SHARE_TO_EVERYONE permission

Reported by: Nicklas Nordborg Owned by: Nicklas Nordborg
Priority: minor Milestone: BASE 2.6
Component: core Version:
Keywords: Cc:

Description

This is somewhat related to ticket #929. It seems like there is another way to bypass the SHARE_TO_EVERYONE permission check. To exploit this custom made client or plug-in code is needed. It is not possible to bypass the security check in the web client. The problem is that the SHARE_TO_EVERYONE permission check is only checked in the ItemKey?.getNewOrExisting() method. It is simple to write code that instead finds another item, which is already shared to EVERYONE and then copy that ItemKey? to the target item. Then, the web client can be used to assign other permissions. Because of ticket #929 the user is no longer forced to remove the share to the EVERYONE group.

To fix this a check is needed in the SharedItem?.setItemKey() method.

Change History (2)

comment:1 Changed 14 years ago by Nicklas Nordborg

Owner: changed from everyone to Nicklas Nordborg
Status: newassigned

comment:2 Changed 14 years ago by Nicklas Nordborg

Resolution: fixed
Status: assignedclosed

(In [4142]) Fixes #931: Share items to EVERYONE without SHARE_TO_EVERYONE permission

Note: See TracTickets for help on using tickets.