User Who Has No Get File Privilege Can Download File Attachment Through Add by Search (Doc ID 2312941.1)

Last updated on FEBRUARY 03, 2019

Applies to:

Oracle Agile Product Collaboration - Version and later
Information in this document applies to any platform.


On : version, Folders, Files & Attachments

A user can download a protected file if he uses the Add by Search function to add the file attachment.

The user should not be allowed to download the file attachment.

The issue can be reproduced at will with the following steps:
1. Create a user A with privileges of:
  Modify file attachment of Item
  Get file attachment of Item
  View file attachment of Item
  View file attachment of Change
2. The administrator creates a Change Order and uploads a file attachment.
3. User A logs on to the Web Client. He can only view this Change's file attachment; he cannot get or open it. This is correct.
4. User A clicks "Add by Search" in the Item's Attachment tab, searches for the Change Order, and selects the file attachment to add to the Item.
5. User A can now download the file from the Item, which does not meet company security policy.
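
In effect, the steps above copy a file reference from an object class where the user lacks Get to one where the user holds it. The following added example is a constructed Python model, not Oracle Agile code (the classes, `add_by_search`, the `check_source_get` flag and the sample object names are assumptions); it reproduces that effect and shows one possible check, requiring Get on the source object at link time.

```python
# Constructed model, not Oracle Agile code: privileges are granted per
# (action, object class) and one stored file may be attached to many objects.
from dataclasses import dataclass, field

class PermissionDenied(Exception):
    pass

@dataclass
class BusinessObject:
    cls: str                                        # "Item" or "Change"
    name: str                                       # constructed sample name
    attachments: set = field(default_factory=set)   # ids of attached files

# User A's privileges, as listed in step 1 of the reproduction.
USER_A = {("Modify", "Item"), ("Get", "Item"), ("View", "Item"), ("View", "Change")}

def can(privs, action, obj):
    return (action, obj.cls) in privs

def get_file(privs, obj, file_id):
    """Download check: evaluated against the object the file is opened from."""
    if file_id not in obj.attachments or not can(privs, "Get", obj):
        raise PermissionDenied(f"Get denied on {obj.cls} {obj.name}")
    return file_id

def add_by_search(privs, source, target, file_id, check_source_get):
    """Link a file already attached to `source` onto `target`."""
    if file_id not in source.attachments:
        raise KeyError(file_id)
    if not (can(privs, "View", source) and can(privs, "Modify", target)):
        raise PermissionDenied("cannot search source or modify target")
    # Assumed mitigation: the link must not grant more than the source allows.
    if check_source_get and not can(privs, "Get", source):
        raise PermissionDenied(f"Get denied on source {source.cls} {source.name}")
    target.attachments.add(file_id)

def reproduce(check_source_get):
    """Return (download from Change allowed, download via Item allowed)."""
    change = BusinessObject("Change", "C-0001", {"spec.pdf"})
    item = BusinessObject("Item", "P-0001")
    results = []
    for obj in (change, item):
        try:
            if obj is item:
                add_by_search(USER_A, change, item, "spec.pdf", check_source_get)
            get_file(USER_A, obj, "spec.pdf")
            results.append(True)
        except PermissionDenied:
            results.append(False)
    return tuple(results)
```
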

