User Who Has No Get File Privilege Can Download File Attachment Through Add by Search
(Doc ID 2312941.1)
Last updated on FEBRUARY 03, 2019
Applies to: Oracle Agile Product Collaboration - Version 126.96.36.199 and later
Information in this document applies to any platform.
On version 188.8.131.52, Folders, Files & Attachments:
A user can download a protected file if he uses the Add by Search function to add the file attachment.
The expected behavior is that the user is not allowed to download the file attachment.
The issue can be reproduced at will with the following steps:
1. Create a user A with the following privileges:
   - Modify file attachment of Item
   - Get file attachment of Item
   - View file attachment of Item
   - View file attachment of Change
2. The administrator creates a Change Order and uploads a file attachment.
3. User A logs on to the Web Client. He can only view this Change's file attachment; he cannot get or open it. This is correct.
4. User A clicks "Add by Search" in the Item's Attachment tab, searches for the Change Order, and selects the file attachment to add to the Item.
5. User A can now download the file from the Item, which does not meet company security policy.
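The following added example is a minimal model of the behaviour in the steps above; it is not Oracle Agile code and is not taken from this document. The `Obj` class, the function names, the file name and the rule that View on the source plus Modify on the target is enough to link a file are all assumptions made for illustration, and the second function shows one check that would keep user A's effective rights consistent.

```python
from dataclasses import dataclass, field

@dataclass
class Obj:
    obj_class: str                      # "Item" or "Change"
    files: list = field(default_factory=list)

def can(privs, action, obj_class):
    return (action, obj_class) in privs

def download(privs, obj, name):
    # Assumed: Get is evaluated against the object the file is reached through.
    return name in obj.files and can(privs, "Get", obj.obj_class)

def add_by_search_observed(privs, source, name, target):
    # Assumed model of steps 4-5: View on the source and Modify on the target suffice.
    if name in source.files and can(privs, "View", source.obj_class) \
            and can(privs, "Modify", target.obj_class):
        target.files.append(name)
        return True
    return False

def add_by_search_checked(privs, source, name, target):
    # Linking a file makes it downloadable from the target, so require Get on the source.
    if not can(privs, "Get", source.obj_class):
        return False
    return add_by_search_observed(privs, source, name, target)

def reproduce(add_fn):
    # User A's privileges exactly as listed in step 1.
    user_a = {("Modify", "Item"), ("Get", "Item"), ("View", "Item"), ("View", "Change")}
    change = Obj("Change", ["spec.pdf"])    # constructed sample file name
    item = Obj("Item")
    before = download(user_a, change, "spec.pdf")      # step 3
    linked = add_fn(user_a, change, "spec.pdf", item)  # step 4
    after = download(user_a, item, "spec.pdf")         # step 5
    return before, linked, after

if __name__ == "__main__":
    print("observed:", reproduce(add_by_search_observed))
    print("checked: ", reproduce(add_by_search_checked))
```

Each tuple is (download from Change, link succeeded, download from Item); the same three probes can serve as a regression test after a fix is applied.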