Alfresco / ALF-20979

Only Share dashboard of a private site has access security check

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a bug
    • Affects Version/s: 4.2 Enterprise
    • Fix Version/s: None
    • Component/s: Share Application
    • Security Level: external (External user)
    • Labels: None
    • Security Severity: Low

      Description

      1) Create new user "rocco"
      2) Create new private site called "test"
      3) Log in as user "rocco"
      4) Try to access the URL /share/page/site/test/dashboard -> server error
      5) Try to access the URL /share/page/site/test/site-members -> access is granted

      If you have a custom page on the private site "test", any user who is aware of the URL can access it.

          Activity

          kroast Kevin Roast added a comment -

          The operations on any page will have security checks.

          The page such as /share/page/site/test/site-members does not give you "access" to anything - you can make up a siteid and navigate to the url:
          /share/page/site/somethingrandom/site-members and you will see the same empty page and no information - it does not cause a security issue.

          rdonnarumma Rocco Donnarumma added a comment -

          Until you create a custom page /share/page/site/test/custom; then you will have access to it.

          It can have backend security, but why does Share expose that to non-members of the site?

          rdonnarumma Rocco Donnarumma added a comment -

          The "site-members" page was just an example because it is OOTB.

          Try creating your custom page in the site.

          cosminaru Cosmin Marginean added a comment -

          I'm sorry, but this is neither resolved nor "not a bug". If you create a custom page, the users will have access to that page. How is that not a fundamental security leak?

          resplin Richard Esplin added a comment -

          This issue has been marked as resolved since the last release of Alfresco Community Edition, so we are closing it.
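
A minimal model of the behaviour debated in this issue, added here as an illustration and not taken from Alfresco Share's code: it contrasts a guard that checks only the dashboard page with one that checks site membership for every page under /share/page/site/{siteId}/. The site data, the `admin` member, the function names and the result strings are assumptions.

```javascript
// Constructed sample data (not from the issue): sites known to the repository.
const SITES = new Map([
  ["test", { visibility: "PRIVATE", members: new Set(["admin"]) }],
  ["open", { visibility: "PUBLIC", members: new Set(["admin"]) }],
]);

// Split /share/page/site/{siteId}/{pageId} into its parts; null for other URLs.
function parseSitePage(path) {
  const m = /^\/share\/page\/site\/([^\/?#]+)\/([^\/?#]+)$/.exec(path);
  return m ? { siteId: m[1], pageId: m[2] } : null;
}

// A user may view a site if it exists and is public, or if they are a member.
function mayViewSite(user, siteId) {
  const site = SITES.get(siteId);
  if (!site) return false;
  return site.visibility === "PUBLIC" || site.members.has(user);
}

// Behaviour as reported: only the dashboard page is gated, by page id.
function dashboardOnlyGuard(user, path) {
  const p = parseSitePage(path);
  if (!p) return "render";
  if (p.pageId === "dashboard" && !mayViewSite(user, p.siteId)) return "error";
  return "render";
}

// Hardened: the decision is made per site, so custom pages are covered too.
// Unknown sites and private sites look identical to a non-member.
function sitePageGuard(user, path) {
  const p = parseSitePage(path);
  if (!p) return "render";
  return mayViewSite(user, p.siteId) ? "render" : "not-found";
}

// Regression check: which pages of a site does a guard render for this user?
function exposedPages(guard, user, siteId, pageIds) {
  return pageIds.filter(
    (id) => guard(user, `/share/page/site/${siteId}/${id}`) === "render"
  );
}

const PAGES = ["dashboard", "site-members", "custom"];
console.log("dashboard-only:", exposedPages(dashboardOnlyGuard, "rocco", "test", PAGES));
console.log("per-site guard:", exposedPages(sitePageGuard, "rocco", "test", PAGES));
```

Running `exposedPages` over every page id registered for a private site, as a user who is not a member, gives a quick test that new custom pages inherit the site-level check.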


            People

            • Assignee: closedissues Closed Issues
            • Reporter: rdonnarumma Rocco Donnarumma