Missing Security Implementation In WebCenter RESTful Services To Comment a Document

(Doc ID 1527428.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle WebCenter Portal - Version and later
Information in this document applies to any platform.


The issue occurs under the following circumstances:
Create a group space and upload a document to it and add a user as a member of the group space with view privileges.

Now, if you call the following RESTful service to 'comment' the document as the user that has view privileges, the 'comment' counter will increase.

If you then call the same RESTful service to 'comment' the document as a user that is not member of the group space (e.g. that has no view privileges), the 'comment' counter also increases.

REST call:**

where UCM#dDocName:253A010236 is the Identifier of the document
and utoken=FCUlDTi93JuzepapqktROnjnuTHT_w** is the user token (changing depending on what user does the request)


Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms