Opencast / MH-13055

Ingesting without providing an ACL results in a public event

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed and reviewed
    • Affects versions: 4.0, 5.0, 6.0
    • Fix versions: 4.5, 5.1, 6.0
    • Components: Backend Software
    • Labels: None
    • Severity: Security
    • Steps to reproduce:
      When ingesting something without providing an ACL, the ingest service currently appends a custom Acl (as a series Acl, strangely enough) that grants read access to the anonymous role and in develop also write access to the "global capture agent role".

      This is at least surprising (as evidenced by the lengthy thread on the German user list: https://groups.google.com/a/opencast.org/forum/#!topic/anwender/qj94Xqr2Luw, and seeing that other places of the Opencast code base fall back to **another** default), if not a security risk.

      You can test this for yourself for example using the ingest scripts found here: https://github.com/opencast/helper-scripts/tree/master/ingest. Note that the "New Event Wizard" in the admin UI **always** attaches an ACL.
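A client-side guard against the behaviour described in this issue, as an added example that is not part of the original report or of Opencast's code: it refuses to ingest a media package whose manifest declares no ACL attachment, so an event's visibility never depends on the server's fallback. The manifest namespace and the `security/xacml+episode` / `security/xacml+series` attachment flavors are assumptions about the media package format, and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

# Assumptions (not stated in the issue): manifest namespace and ACL flavors.
MP_NS = "http://mediapackage.opencastproject.org"
ACL_FLAVORS = ("security/xacml+episode", "security/xacml+series")

# Constructed sample manifests, for illustration only.
WITH_ACL = """<mediapackage xmlns="http://mediapackage.opencastproject.org" id="constructed-1">
  <media><track type="presenter/source"><url>video.mp4</url></track></media>
  <attachments>
    <attachment type="security/xacml+episode"><url>acl.xml</url></attachment>
  </attachments>
</mediapackage>"""

WITHOUT_ACL = """<mediapackage xmlns="http://mediapackage.opencastproject.org" id="constructed-2">
  <media><track type="presenter/source"><url>video.mp4</url></track></media>
  <attachments>
    <attachment type="presenter/player+preview"><url>cover.png</url></attachment>
  </attachments>
</mediapackage>"""


def acl_attachments(manifest_xml):
    """Return the flavors of all ACL attachments declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    found = []
    for elem in root.iter():
        # Accept both namespaced and un-namespaced <attachment> elements.
        if elem.tag in ("attachment", "{%s}attachment" % MP_NS):
            flavor = elem.get("type", "").strip()
            if flavor in ACL_FLAVORS:
                found.append(flavor)
    return found


def preflight(manifest_xml):
    """Return (ok, reason); ok is False when no explicit ACL would be ingested."""
    flavors = acl_attachments(manifest_xml)
    if not flavors:
        return False, "no ACL attachment: the ingest service would pick its own default"
    return True, "explicit ACL attached: " + ", ".join(flavors)


if __name__ == "__main__":
    for name, manifest in (("with ACL", WITH_ACL), ("without ACL", WITHOUT_ACL)):
        ok, reason = preflight(manifest)
        print("%-12s %s  (%s)" % (name, "INGEST" if ok else "REFUSE", reason))
```
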

            People

            • Assignee: Julian Kniephoff
            • Reporter: Julian Kniephoff