Missing Security Implementation In WebCenter RESTful Services To Comment a Document
Last updated on MARCH 08, 2017
Applies to:Oracle WebCenter Portal - Version 220.127.116.11.0 and later
Information in this document applies to any platform.
The issue occurs under the following circumstances:
Create a group space and upload a document to it and add a user as a member of the group space with view privileges.
Now, if you call the following RESTful service to 'comment' the document as the user that has view privileges, the 'comment' counter will increase.
If you then call the same RESTful service to 'comment' the document as a user that is not member of the group space (e.g. that has no view privileges), the 'comment' counter also increases.
where UCM#dDocName:253A010236 is the Identifier of the document
and utoken=FCUlDTi93JuzepapqktROnjnuTHT_w** is the user token (changing depending on what user does the request)
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms