User Who Has No Get File Privilege Can Download File Attachment Through Add by Search
Last updated on OCTOBER 01, 2017
Applies to: Oracle Agile Product Collaboration - Version 184.108.40.206 and later
Information in this document applies to any platform.
On : 220.127.116.11 version, Folders, Files & Attachments
A user can download a protected file if he uses the Add by Search function to add the file attachment.
The user should not be allowed to download the file attachment.
The issue can be reproduced at will with the following steps:
1. Create a user A with the following privileges:
   - Modify file attachment of Item
   - Get file attachment of Item
   - View file attachment of Item
   - View file attachment of Change
2. The administrator creates a Change Order and uploads a file attachment.
3. User A logs on to the Web Client; he can only view this Change's file attachment and cannot get or open it. This is correct.
4. User A clicks "Add by Search" in the Item's Attachment tab, searches for the Change Order, and selects the file attachment to add to the Item.
5. Now user A can download the file from the Item; this does not meet company security policy.
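An audit check for the condition in steps 1 to 5, as an added example that is not Oracle's code: it flags files a user can Get through one parent object while lacking Get on another object the same file is attached to. The grant tuples, link records, object numbers and data layout are constructed assumptions, not Agile's schema or API.

```python
# Constructed model: privilege names mirror the article; the data layout is an assumption.
from collections import defaultdict

# (user, privilege, object class) grants, as given to user A in step 1
GRANTS = {
    ("userA", "Modify", "Item"),
    ("userA", "Get", "Item"),
    ("userA", "View", "Item"),
    ("userA", "View", "Change"),
}

# Attachment links: (file id, parent class, parent number, added by)
LINKS = [
    ("file-001", "Change", "ECO-0001", "admin"),  # step 2: uploaded on the Change
    ("file-001", "Item", "P-0001", "userA"),      # step 4: linked via Add by Search
    ("file-002", "Item", "P-0002", "admin"),      # control: only ever on an Item
]

def can(user, privilege, obj_class, grants=GRANTS):
    return (user, privilege, obj_class) in grants

def exposed_files(user, links=LINKS, grants=GRANTS):
    """Files the user can Get via one parent but is denied Get on another."""
    parents = defaultdict(set)
    for file_id, obj_class, obj_id, _ in links:
        parents[file_id].add((obj_class, obj_id))
    findings = {}
    for file_id, objs in parents.items():
        allowed = sorted(o for o in objs if can(user, "Get", o[0], grants))
        denied = sorted(o for o in objs if not can(user, "Get", o[0], grants))
        if allowed and denied:  # same file, conflicting access decisions
            findings[file_id] = {"get_via": allowed, "restricted_on": denied}
    return findings

def risky_links(links=LINKS, grants=GRANTS):
    """Links whose creator gained Get on a file restricted to them elsewhere."""
    out = []
    for file_id, obj_class, obj_id, actor in links:
        hit = exposed_files(actor, links, grants).get(file_id)
        if hit and (obj_class, obj_id) in hit["get_via"]:
            out.append((actor, file_id, obj_class, obj_id))
    return out
```

Run against an export of real attachment links and role grants, `risky_links` gives the link events worth reviewing and `exposed_files` gives the per-user exposure.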