[NXP-19431] Fix removing access to a user on its personal workspace - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Open
Priority: Critical
Resolution: Unresolved
Affects Version/s: 7.10-HF07
Fix Version/s: QualifiedToSchedule
Component/s: Security / Rights

Tags:
- techlead-needed

Description

Remove all permissions for user "toto" on his personal workspace
Login as "toto"

=> An error is thrown, user is blocked
=> Nothing appears in the logs
=> Putting the "Everything" permission is the only way to get a normal behaviour back
=> This can be a security issue if you allow anonymous access, because you can't remove the everything right on the Guest's personal workspace, and then anybody can create anything in the platform in this space

This behavior cannot be reproduced in 6.0

Attachments

Issue Links

is required by

NXP-18840 Don't allow collect creation for external user

Open

Activity

People

Assignee:

Unassigned

Reporter:

Bertrand Chauvin

Participants:

Bertrand Chauvin, Florent Guillaume, Pierre Bouvret

Votes:

4 Vote for this issue

Watchers:

5 Start watching this issue

Dates

Created:

2016-04-07 13:35

Updated:

2018-06-07 13:20