Opencast
MH-12700

Unprivileged users can publish events to series they do not have access to

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects versions: 4.0
    • Fix versions: 4.6
    • Components: Backend Software
    • Labels: None
    • Severity: Security
    • Steps to reproduce:
      The following applies if PR #74 is merged (fix for MH-12657).

      Suppose userA does not have read or write access to seriesX.

      Steps to reproduce:
      1. As userA, initiate the creation of a new event using the internal or external APIs.
      2. Construct the ACL to include read/write access for userA and at least read access for the roles attached to seriesX. In the metadata, set the 'isPartOf' field to the series id of seriesX.
      3. Complete the request.

      Actual Results:
      userA creates an event that is available/published in the seriesX catalogue.

      Expected Results:
      I cannot foresee a valuable use case where userA should be able to attach events to seriesX's catalogue. Therefore, userA should be denied from performing such an action.

      Workaround (if any):
      None, as knowledgeable users can alter metadata and ACLs as they wish.
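The authorization gap in the steps above, as an added example that is not Opencast's code: a standalone Python model (Opencast itself is Java) in which ACLs are (role, action, allow) entries, the event-creation path first ignores the series named in 'isPartOf' (the reported behaviour) and is then hardened to require write access on that series. The store layout, the function names, the sample roles, series and event ids are all constructed for this example and are not Opencast identifiers.

```python
"""Model of the missing series-membership check (added example, not Opencast code).
ACL entries are (role, action, allow); all stores, names and sample data are
constructed for this illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    role: str
    action: str  # "read" or "write"
    allow: bool


@dataclass
class Series:
    series_id: str
    acl: tuple  # tuple of AclEntry


@dataclass
class Event:
    event_id: str
    acl: tuple
    metadata: dict


class Forbidden(Exception):
    """Raised when a caller lacks the access an operation requires."""


def acl_permits(acl, roles, action):
    """True when an entry grants `action` to one of `roles` and no entry
    explicitly denies it to one of them (an explicit deny wins)."""
    relevant = [e for e in acl if e.action == action and e.role in roles]
    if any(not e.allow for e in relevant):
        return False
    return any(e.allow for e in relevant)


def create_event_unchecked(user_roles, acl, metadata, series_store, event_store):
    """Reported behaviour: only the caller-supplied event ACL is stored, and
    'isPartOf' is never compared against the caller's rights on that series.
    `user_roles` and `series_store` are deliberately unused here."""
    event_id = f"event-{len(event_store) + 1}"
    ev = Event(event_id, tuple(acl), dict(metadata))
    event_store[event_id] = ev
    return ev


def create_event_checked(user_roles, acl, metadata, series_store, event_store):
    """Hardened variant: an event may only be attached to a series on which the
    caller holds write access. Unknown series ids are refused as well, so the
    field cannot be used to probe which series exist."""
    series_id = metadata.get("isPartOf")
    if series_id is not None:
        series = series_store.get(series_id)
        if series is None or not acl_permits(series.acl, user_roles, "write"):
            raise Forbidden(f"no write access to series {series_id!r}")
    return create_event_unchecked(user_roles, acl, metadata, series_store, event_store)


def events_in_series(series_id, viewer_roles, event_store):
    """What a catalogue listing for `series_id` shows to `viewer_roles`."""
    return sorted(
        ev.event_id for ev in event_store.values()
        if ev.metadata.get("isPartOf") == series_id
        and acl_permits(ev.acl, viewer_roles, "read")
    )


# Constructed sample data: seriesX is readable/writable only by ROLE_GROUP_X.
SERIES_STORE = {
    "seriesX": Series("seriesX", (
        AclEntry("ROLE_GROUP_X", "read", True),
        AclEntry("ROLE_GROUP_X", "write", True),
    )),
}
USER_A_ROLES = frozenset({"ROLE_USER", "ROLE_USER_A"})     # no access to seriesX
GROUP_X_ROLES = frozenset({"ROLE_USER", "ROLE_GROUP_X"})   # legitimate series members

# Step 2 of the report: read/write for userA plus read for seriesX's role.
CRAFTED_ACL = (
    AclEntry("ROLE_USER_A", "read", True),
    AclEntry("ROLE_USER_A", "write", True),
    AclEntry("ROLE_GROUP_X", "read", True),
)
CRAFTED_METADATA = {"title": "constructed sample event", "isPartOf": "seriesX"}


def demo():
    """Run both code paths and report what each one lets userA do."""
    assert not acl_permits(SERIES_STORE["seriesX"].acl, USER_A_ROLES, "read")

    vulnerable = {}
    create_event_unchecked(USER_A_ROLES, CRAFTED_ACL, CRAFTED_METADATA, SERIES_STORE, vulnerable)

    hardened = {}
    try:
        create_event_checked(USER_A_ROLES, CRAFTED_ACL, CRAFTED_METADATA, SERIES_STORE, hardened)
        rejected = False
    except Forbidden:
        rejected = True
    # A genuine member of seriesX is still allowed through the hardened path.
    create_event_checked(GROUP_X_ROLES, CRAFTED_ACL, CRAFTED_METADATA, SERIES_STORE, hardened)

    return {
        "unchecked_visible_to_group_x": events_in_series("seriesX", GROUP_X_ROLES, vulnerable),
        "checked_rejected_user_a": rejected,
        "checked_visible_to_group_x": events_in_series("seriesX", GROUP_X_ROLES, hardened),
    }


if __name__ == "__main__":
    print(demo())
```

The check is placed on the series rather than on the event ACL because, as the report notes, the event ACL is entirely under the caller's control; only the series ACL reflects who is entitled to publish into that catalogue.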

    People

    • Assignee: Unassigned
    • Reporter: slampunk (Duncan Smith)
    • Watchers: 2