  1. Nuxeo Platform
  2. NXP-30907

Prevent live proxies from bypassing the target document permissions

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Duplicate
    • Affects Version/s: 10.10, 2021.0
    • Fix Version/s: None
    • Component/s: Core, Security

      Description

      It has been observed that live proxies can be used to bypass the permissions (Write) on the target document with this scenario:

      1. As an admin, create a container Workspace1
      2. Grant Read permission to group1 which contains user1
      3. Create a document File1 in Workspace1
      4. At this step, user1 cannot make any modification on File1 because user1 only has Read permission on it
      5. As user1, now create a live proxy to File1 in user1's personal workspace, where user1 has the Everything permission
      6. Thanks to the Everything permission, user1 changes the description of the live proxy
      7. Observe that the description is updated on the live proxy but also on the target document File1

      Expected behavior: when user1 changes the metadata on the live proxy, the Write permission is checked on the target and in this scenario it should raise an exception (security exception).

      PS: Note that a schema can be defined as writable for a proxy: if metadata from this schema is updated, it should work without error.
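
The expected behavior above, as an added example that is neither Nuxeo code nor part of the original issue: a simplified Python model of a property write through a live proxy that checks Write on the target as well as on the proxy, with an exemption for proxy-writable schemas. The `Document` class, the ACL layout, `PROXY_WRITABLE_SCHEMAS` and the `proxy_notes` schema are assumptions made for illustration, and group1 is collapsed into a direct Read entry for user1.

```python
from dataclasses import dataclass, field
from typing import Optional

class DocumentSecurityError(Exception):
    """Models the security exception the issue expects."""

# Hypothetical configuration: schemas declared writable on the proxy itself.
PROXY_WRITABLE_SCHEMAS = {"proxy_notes"}

@dataclass
class Document:
    name: str
    acl: dict = field(default_factory=dict)    # user -> set of permission names
    props: dict = field(default_factory=dict)  # (schema, key) -> value
    target: Optional["Document"] = None        # set only on a live proxy

def can_write(doc, user):
    perms = doc.acl.get(user, set())
    return "Write" in perms or "Everything" in perms

def set_property(doc, user, schema, key, value):
    """Write one property and return the document that actually stored it."""
    if not can_write(doc, user):
        raise DocumentSecurityError(f"{user} lacks Write on {doc.name}")
    if doc.target is None or schema in PROXY_WRITABLE_SCHEMAS:
        # Regular document, or a schema this model keeps on the proxy itself.
        doc.props[(schema, key)] = value
        return doc
    # Live proxy: the value lands on the target, so Write is checked there too.
    if not can_write(doc.target, user):
        raise DocumentSecurityError(f"{user} lacks Write on target {doc.target.name}")
    doc.target.props[(schema, key)] = value
    return doc.target

def build_scenario():
    """Constructed data for steps 1-5 of the issue."""
    file1 = Document("File1", acl={"Administrator": {"Everything"}, "user1": {"Read"}})
    proxy = Document("File1-proxy", acl={"user1": {"Everything"}}, target=file1)
    return file1, proxy
```
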
