User Can Update Content Item To Move It into a Folder Even Though They Do Not Have Write Permission to That Folder (Doc ID 1556966.1)

Last updated on MAY 30, 2017

Applies to:

Oracle WebCenter Content - Version 11.1.1.6.0 and later
Information in this document applies to any platform.

Symptoms

Using Folders_g, a user with only Read permission to a Folder can not check content into that folder.  That is the correct behavior.

He also cannot check the content into a different folder, and then move the item into a folder he only has Read permission by using the folder move functionality.  That is also correct behavior.

However, the user can check the content into a different folder and then move it to the other folder by updating the content information to point to the new folder.  This should not be allowed since the user only had Read permission to this other folder.

To reproduce issue:

  1. Create two folders.  Set one to the Public security group and the other to the Secure security group.

  2. Create a user who has Read Write permission to the Public security group and Read Only permission to the Secure security group.

  3. As that user, check a content item into the Public folder.

  4. When the item is released, navigate to the Content Information page for that content item and do an Update.  Click the Folder Browse button and change the folder to the Secure folder.  Click Submit Update.

This succeeds.  Note that the item still stays in the Public security group but it is now in the Secure folder.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms