Unauthorized Static File Select Issue

We have a CTD in which we have one attribute on which "Content Select CCE" is configured to select StaticFiles only.

For one user (say 'A'), we have authorized it to only access one particular folder (say 'banner').

Now while creating CI of above CTD, if user 'A' selects any Static File which is present in some other folder and NOT in 'banner' folder

then we get message which says "You are not authorized to perform the requested action.", which is what we also expected.

But after this message, we are still able to save the CI with Unauthorized static file selected in that CI.

And moreover our CDA application is able to fetch the details of that static file (unauthorized) from the CI. This becomes a content security issue.

We are on V8.0

Has anyone deal with such situation?

If there are any direction to resolve this , this it would be very helpful to us.

I have tried to elaborate my situation as much as I can, if there is more information needed then also let me know I can elaborate more in this situation.

Regards,

Deven

Find more posts tagged with

Comments

Bertrand_de_Coatpont

Hi Deven, do you have a support ticket opened on this issue?

Thanks

Bertrand

From: eLink Entry: Discussion Group - Web Experience Management [mailto:v7webcontentmanagement@elinkkc.opentext.com]
Sent: Tuesday, April 02, 2013 8:06 AM
To: eLink Recipient
Subject: Unauthorized Static File Select Issue

Unauthorized Static File Select Issue

Posted bydeven.goratela@tcs.com (Goratela, Deven) On 04-02-2013 08:56

We have a CTD in which we have one attribute on which "Content Select CCE" is configured to select StaticFiles only.

For one user (say 'A'), we have authorized it to only access one particular folder (say 'banner').

Now while creating CI of above CTD, if user 'A' selects any Static File which is present in some other folder and NOT in 'banner' folder

then we get message which says "You are not authorized to perform the requested action.", which is what we also expected.

But after this message, we are still able to save the CI with Unauthorized static file selected in that CI.

And moreover our CDA application is able to fetch the details of that static file (unauthorized) from the CI. This becomes a content security issue.

We are on V8.0

Has anyone deal with such situation?

If there are any direct! ion to r esolve this , this it would be very helpful to us.

I have tried to elaborate my situation as much as I can, if there is more information needed then also let me know I can elaborate more in this situation.

Regards,

Deven

[To post a comment, use the normal reply function]
Forum:	Discussion Group - Web Experience Management
Content Server:	Knowledge Center

Deven_Goratela

No Bertrand, havent created a support ticket for this yet. Thought of checking with community if there is any obvious reason of such behaviour.

Regards,
Deven

Qutubuddin

The first part looks like a product defect or configuration issue, not sure which one.

The second part is how product works, authorization setting only are for managing the content(StaticFile in your case) in VCM, so contents are not read/modified by a user who is not authorized. But once a content is published to a CDA (Content Delivery Application, typically a webapp) it is available to everyone who has access to the CDA. At this point if you need to secure a content you will need to implement the logic to do so in your CDA.

I hope this clarifies the current situation for you.

Best Regards

Qutub

From: eLink Entry: Discussion Group - Web Experience Management [v7webcontentmanagement@elinkkc.opentext.com]
Sent: Tuesday, April 02, 2013 9:06 AM
To: eLink Recipient
Subject: Unauthorized Static File Select Issue

Unauthorized Static File Select Issue

Posted by deven.goratela@tcs.com (Goratela, Deven) On 04-02-2013 08:56

We have a CTD in which we have one attribute on which "Content Select CCE" is configured to select StaticFiles only.

For one user (say 'A'), we have authorized it to only access one particular folder (say 'banner').

Now while creating CI of above CTD, if user 'A' selects any Static File which is present in some other folder and NOT in 'banner' folder

then we get message which says "You are not authorized to perform the requested action.", which is what we also expected.

But after this message, we are still able to save the CI with Unauthorized static file selected in that CI.

And moreover our CDA application is able to fetch the details of that static file (unauthorized) from the CI. This becomes a content security issue.

We are on V8.0

Has anyone deal with such situation?

If there are any direct! ion to r esolve this , this it would be very helpful to us.

I have tried to elaborate my situation as much as I can, if there is more information needed then also let me know I can elaborate more in this situation.

Regards,

Deven

[To post a comment, use the normal reply function]
Forum:	Discussion Group - Web Experience Management
Content Server:	Knowledge Center

Deven_Goratela

Sorry for the delay in reply. Yeah even to me first part looks like some kind of issue. But for me its a content security risk, so I need to put up some work around over it.

I am planning to check the possibility of using Validators in the override JSP for clearing the selected staticfile field if user is not authorized.

Any idea if this approach will work?

Regards,
Deven

Quoted Qutubuddin Saifuddin on 2013-04-05 11:48:

The first part looks like a product defect or configuration issue, not sure which one.

I hope this clarifies the current situation for you.

Best Regards

Qutub

[To post a comment, use the normal reply function]
Forum:	Discussion Group - Web Experience Management
Content Server:	Knowledge Center