GetFile Privilege Can Be Bypassed In The View Versions Table For Items (Doc ID 2830009.1)

Last updated on DECEMBER 22, 2021

Applies to:

Oracle Agile Product Collaboration - Version 9.3.6.0 and later
Information in this document applies to any platform.

Symptoms

ACTUAL BEHAVIOR
Users can bypass the privilege mask for the GetFile privilege by accessing the file through the View Versions table on the attachment tab of Items.

EXPECTED BEHAVIOR
The Get button should be grayed out for users who do not have the GetFile privilege.

STEPS

  1. Log into the Java client (http://server:port/JavaClient/start.html)
  2. From the Admin tab, select User Settings > Roles
  3. Create a new Role
  4. Add the following privileges to the Role:
    Discover Changes
    Discover Items
    GetFile Items
    Modify Preliminary Items
    Read Changes
    Read Items
    ViewFile Items
    ViewFile Engineering Change
  5. Save the settings and assign this Role to a test user
  6. Log into the Web Client as the test user (http://server:port/Agile/PLMServlet)
  7. Open a Document object D0001234
  8. Select Rev 004 from the drop-down
  9. Get is grayed out and the user cannot download the file using GET
  10. Select More > View Versions from the menu
  11. The user can GET the attachment from the Versions window

Changes

 

Cause
