MantisBT - v1.2 Release (Closed)
View Issue Details
ID: 0000295
Project: v1.2 Release (Closed)
Category: [All Projects] General
View Status: public
Date Submitted: 2009-10-28 14:29
Last Update: 2009-12-08 19:06
Reporter: cheuschober
Assigned To: caseydk
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version:
Target Version:
Fixed in Version: 1.2
Summary: 0000295: Task Access security circumvented by files module

Description:

Our team decided to give W2P a test run the other day and discovered a disturbing little bit when trying to isolate files within tasks.

Our consensus on the whole permissions issue was that while we'd prefer per-project permissions based on batch contact assignment we could work with the task access field to simulate that and protect information that can't be shared within the entire org (eg, something like a budget document with worker salaries).

The assumption was that if a task is set to private/participant then files associated with that task would similarly inherit that access.

Not only was that NOT the case, we found that the associated task, as linked under the files module, completely bypasses the access check and allows any user straight into the participant/private task.

I'm not certain if it's the intention of the devs to allow protected files the way I've described but the access bypass, at least, seems like something that needs addressing.

Hope this helps.
-C

PS: +1 for excluding files that are attached to access-limited tasks
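The flaw the report describes is authorization decided at the file level without consulting the task the file belongs to. The following is an added illustration, not web2project's code: a constructed model of the task access field (public / participant / private) in which the vulnerable check lets any user see any file, and the fixed check makes a file inherit its task's access rule and uses that same rule to filter the file list. Task/File/user names and the dangling-link case are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, FrozenSet

# Constructed model of the report's task access field; not web2project's own data model.
PUBLIC, PARTICIPANT, PRIVATE = "public", "participant", "private"

@dataclass(frozen=True)
class Task:
    task_id: int
    owner: str
    access: str
    assignees: FrozenSet[str]

@dataclass(frozen=True)
class File:
    file_id: int
    task_id: Optional[int]   # None when the file is not attached to a task

def can_view_task(user: str, task: Task) -> bool:
    """Task-level rule: the single place the task access field is interpreted."""
    if task.access == PUBLIC:
        return True
    if task.access == PARTICIPANT:
        return user == task.owner or user in task.assignees
    if task.access == PRIVATE:
        return user == task.owner
    return False  # unknown access mode: deny rather than fall open

def can_view_file_vulnerable(user: str, f: File, tasks: Dict[int, Task]) -> bool:
    """Behaviour the report describes: the files module never consults the task."""
    return True

def can_view_file_fixed(user: str, f: File, tasks: Dict[int, Task]) -> bool:
    """File inherits the access of the task it is attached to."""
    if f.task_id is None:
        return True                       # unattached file: no task rule applies
    task = tasks.get(f.task_id)
    if task is None:
        return False                      # dangling link: deny by default
    return can_view_task(user, task)

def visible_files(user: str, files: List[File], tasks: Dict[int, Task],
                  check=can_view_file_fixed) -> List[int]:
    """Filter the file list with the same check used for single-file access."""
    return [f.file_id for f in files if check(user, f, tasks)]

# Constructed sample data: alice owns every task, bob is assigned to two, carol is an outsider.
TASKS = {1: Task(1, "alice", PUBLIC, frozenset()),
         2: Task(2, "alice", PARTICIPANT, frozenset({"bob"})),
         3: Task(3, "alice", PRIVATE, frozenset({"bob"}))}
FILES = [File(10, 1), File(11, 2), File(12, 3), File(13, None), File(14, 99)]
```

With the vulnerable check, carol sees every file; with the fixed check she sees only the public task's file and the unattached file, and the file whose task no longer exists is hidden from everyone.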
Tags: No tags attached.
Relationships: related to 0000284 (closed, caseydk): The W2P is allowing deletion of files linked to a project in which the user is not participating.
Attached Files

Notes
(0000560) caseydk, 2009-10-30 10:01
Agreed and good point.

(0000596) caseydk, 2009-11-20 23:21
"The assumption was that if a task is set to private/participant then files associated with that task would similarly inherit that access."

I've fixed this portion of this issue in r783. I still need to work on filtering the file list itself...

(0000601) caseydk, 2009-11-24 22:17
Closing this one because the required changes for the original request are complete. For the filtering of the file list, issue 0000284 covers it just as well.

Issue History
2009-10-28 14:29 | cheuschober | New Issue
2009-10-30 10:01 | caseydk | Note Added: 0000560
2009-10-30 10:02 | caseydk | Status: new => assigned
2009-10-30 10:02 | caseydk | Assigned To: => caseydk
2009-10-30 10:02 | caseydk | Project: v1.1 Release (Closed) => v1.2 Release (Closed)
2009-11-09 21:52 | caseydk | Relationship added: related to 0000284
2009-11-17 20:42 | caseydk | Priority: normal => high
2009-11-20 23:21 | caseydk | Note Added: 0000596
2009-11-20 23:21 | caseydk | Status: assigned => confirmed
2009-11-24 22:17 | caseydk | Status: confirmed => resolved
2009-11-24 22:17 | caseydk | Resolution: open => fixed
2009-11-24 22:17 | caseydk | Note Added: 0000601
2009-12-08 19:06 | caseydk | Status: resolved => closed
2009-12-08 19:06 | caseydk | Fixed in Version: => 1.2