Bug 382760 - [sites] Site can expose other users' files
Summary: [sites] Site can expose other users' files
Status: RESOLVED FIXED
Alias: None
Product: Orion
Classification: ECD
Component: Server (show other bugs)
Version: 0.5
Hardware: PC Windows 7
Importance: P3 normal
Target Milestone: 2.0 M1
Assignee: Mark Macdonald CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-06-15 13:05 EDT by Mark Macdonald CLA
Modified: 2012-10-29 15:07 EDT

See Also:
Flags: john.arthorne: review-


Attachments

Description Mark Macdonald CLA 2012-06-15 13:05:12 EDT
Using a local Orion server:

0. In your server config file, ensure that the "orion.file.anonymous.read=true" server option is NOT set.
1. Launch the Orion server. 
2. As user A, create a project and put some files in it. Copy its internal project id (for example, 'kS').
3. As user B, log in and create a new site.
4. Set up the site like this, using the other user's project id from step 2:

Path                        Mounted at:

/kS/                        /

5. Start the site, and view it in your browser.

We expect that, because user B launched the site and does not have the right to access 'kS', there should be an error. However, the site loads and can be used to view user A's files; this is bad.
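As an added example (not Orion's own code), here is a sketch of the check the report says is missing: a site's path mappings are resolved against the read rights of the user who launched the site, with the orion.file.anonymous.read option modelled as a flag. The project-to-readers table, the user names and the 'pQ' project are constructed sample data; 'kS' is the id quoted in the report.

```python
import posixpath
from dataclasses import dataclass, field

# Constructed ACL: project id -> users allowed to read it. 'kS' is the project
# id quoted in the report; 'userA', 'userB' and 'pQ' are made-up sample values.
PROJECT_READERS = {"kS": {"userA"}, "pQ": {"userB"}}


class AccessDenied(Exception):
    pass


@dataclass
class Site:
    launched_by: str                               # user B in the report
    mappings: list = field(default_factory=list)   # [(workspace path, mount point)]


def project_id(workspace_path):
    """'/kS/a/b.txt' -> 'kS' (first path segment)."""
    return workspace_path.strip("/").split("/", 1)[0]


def can_read(user, pid, anonymous_read=False):
    """Models orion.file.anonymous.read: when set, every project is world-readable."""
    return anonymous_read or user in PROJECT_READERS.get(pid, set())


def validate_site(site, anonymous_read=False):
    """Check at site start (step 5): return the project ids the launching user
    may not read. An empty list means the site may start. The reported bug is
    that this check was never made, so any project id could be mounted."""
    return [project_id(ws) for ws, _ in site.mappings
            if not can_read(site.launched_by, project_id(ws), anonymous_read)]


def resolve(site, request_path, anonymous_read=False):
    """Map a hosted-site request to a workspace path and re-check the launching
    user's read right on the resolved project (after normalising any '..')."""
    for ws_path, mount in site.mappings:
        if not request_path.startswith(mount):
            continue
        rel = request_path[len(mount):].lstrip("/")
        target = posixpath.normpath(posixpath.join("/", ws_path.strip("/"), rel))
        pid = project_id(target)
        if not can_read(site.launched_by, pid, anonymous_read):
            raise AccessDenied(f"{site.launched_by} may not read project {pid}")
        return target
    raise FileNotFoundError(request_path)
```

Note that the right being checked is that of the user who launched the site, not of the browser viewing it; with the anonymous-read option set, as on the hosted servers mentioned in Comment 2, every mapping passes.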
Comment 2 John Arthorne CLA 2012-06-15 14:14:23 EDT
Let's defer this to 1.0. Because we allow global anonymous read on our hosted servers, this isn't a blocking problem for us.