User Who Has No Get File Privilege Can Download File Attachment Through Add by Search

(Doc ID 2312941.1)

Last updated on OCTOBER 01, 2017

Applies to:

Oracle Agile Product Collaboration - Version 9.3.5.0 and later
Information in this document applies to any platform.

Symptoms

On version 9.3.5.0, Folders, Files & Attachments

ACTUAL BEHAVIOR
---------------
A user can download a protected file if he uses the Add by Search function to add it as a file attachment.

EXPECTED BEHAVIOR
-----------------------
The user should not be allowed to download the file attachment.

STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. Create a user A with privileges of:
  Modify file attachment of Item
  Get file attachment of Item
  View file attachment of Item
  View file attachment of Change
2. The Administrator creates a Change Order and uploads a file attachment.
3. User A logs on to the Web Client. He can only view this Change's file attachment; he cannot get or open it. This is correct.
4. User A clicks "Add by Search" in the Item's Attachment tab, searches for the Change Order, and selects the file attachment to add to the Item.
5. User A can now download the file from the Item, which does not meet company security policy.
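
An audit for the privilege combination used in the steps above, as an added example (not Oracle's code and not an Agile API). It models privileges as constructed (action, object class) pairs; the names `SAMPLE_PRIVILEGES` and `exposed_paths` are hypothetical, and the sample data would be replaced by an export of your own role assignments.

```python
# Added example: constructed privilege model, not Agile PLM's API or schema.
from itertools import permutations

# Constructed sample export: user -> set of (action, object class) privileges
# on file attachments. User "A" mirrors step 1 of the reproduction steps.
SAMPLE_PRIVILEGES = {
    "A": {("Modify", "Item"), ("Get", "Item"), ("View", "Item"),
          ("View", "Change")},
    "B": {("View", "Item"), ("View", "Change")},       # view-only everywhere
    "C": {("Modify", "Item"), ("Get", "Item"), ("View", "Item"),
          ("View", "Change"), ("Get", "Change")},      # already allowed to Get
}


def exposed_paths(privileges):
    """Return sorted (user, source_class, target_class) triples where the user
    can View but not Get attachments on source_class, yet holds Modify and Get
    on target_class: the combination user A has in the steps above."""
    findings = []
    for user, privs in privileges.items():
        classes = {cls for _, cls in privs}
        for src, dst in permutations(sorted(classes), 2):
            view_only_src = ("View", src) in privs and ("Get", src) not in privs
            can_add_and_get = ("Modify", dst) in privs and ("Get", dst) in privs
            if view_only_src and can_add_and_get:
                findings.append((user, src, dst))
    return sorted(findings)


if __name__ == "__main__":
    for user, src, dst in exposed_paths(SAMPLE_PRIVILEGES):
        print(f"{user}: view-only on {src} attachments, "
              f"but can add them to {dst} and Get them there")
```

Each reported triple is a user whose Get restriction on the source class can be sidestepped through an object class where they hold both Modify and Get.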



Cause
