Tony Nys
2017-11-02 10:03:09 UTC
In a quick check, I already found 2 big security bugs where users can see the
documents of the other one.
Both cases use the API.

Image page preview:
/api/documents/documents/616/versions/822/pages/1187/image/ : BUG security
Chinese wall : BUG: user2 can see metadata doc user1

Document metadata: /api/metadata/documents/616/metadata/ : need role
permissions: view metadata of document : BUG: user2 can see metadata doc
user1

Whereas e.g. the document download API checks security OK:
/api/documents/documents/616/versions/822/download/ => no permission for
user2
--
---
You received this message because you are subscribed to the Google Groups "Mayan EDMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mayan-edms+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
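
The inconsistency reported above, as an added example that is not part of the original post and is not Mayan EDMS code: a toy route table in which the image and metadata handlers skip the per-document check while download enforces it, plus an audit that lists which paths answer a non-owner. The ACL, handler bodies and all function names are assumptions; only the three URL paths and their observed behaviour come from the report.

```python
# Toy model, not Mayan EDMS code: ACL and handler bodies are constructed;
# only the three URL paths and their observed behaviour come from the report.
import re

ACL = {616: {"user1"}}  # constructed: document id -> users allowed to view it

def require_document_access(handler):
    """Run the per-document ACL check before the wrapped handler."""
    def checked(user, doc_id):
        if user not in ACL.get(doc_id, set()):
            raise PermissionError(f"{user} may not access document {doc_id}")
        return handler(user, doc_id)
    return checked

def page_image(user, doc_id):  # no object-level check, as reported
    return b"constructed image bytes"
def metadata(user, doc_id):  # no object-level check, as reported
    return {"field": "constructed value"}

@require_document_access
def download(user, doc_id):  # checked, as reported
    return b"constructed file bytes"

ROUTES = {
    r"/api/documents/documents/(\d+)/versions/\d+/pages/\d+/image/": page_image,
    r"/api/metadata/documents/(\d+)/metadata/": metadata,
    r"/api/documents/documents/(\d+)/versions/\d+/download/": download,
}
HARDENED = {p: require_document_access(h) for p, h in ROUTES.items()}
PATHS = [
    "/api/documents/documents/616/versions/822/pages/1187/image/",
    "/api/metadata/documents/616/metadata/",
    "/api/documents/documents/616/versions/822/download/",
]

def answers(routes, user, path):
    """True if the matching route serves `user`, False if it refuses."""
    for pattern, handler in routes.items():
        match = re.fullmatch(pattern, path)
        if match:
            try:
                handler(user, int(match.group(1)))
            except PermissionError:
                return False
            return True
    raise LookupError(path)

def audit(routes, user, paths):
    """List the paths `user` can read; empty means every route enforces the ACL."""
    return [p for p in paths if answers(routes, user, p)]
```

`audit(ROUTES, "user2", PATHS)` returns the image and metadata paths, and `audit(HARDENED, "user2", PATHS)` returns an empty list; run as a regression test against every document-scoped route, the same audit catches an endpoint added later without the check.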