Undelete security problem

Post by Busboy » Wed Sep 05, 2007 1:41 am

Hi. There is a problem with Vault 4.0.4 security and undelete functionality. I will try to explain:

Folder description:
$/Baseline (RCA Rights)
$/Baseline/Folder1 (Inherit RCA Rights)
$/Baseline/Folder2 (None Rights)

Folder2 is deleted by an administrator. If a user right-clicks on the Baseline folder, selecting "properties" and "deleted items", he is able to undelete Folder2 even when he should not have seen this folder. Luckily he is unable to access this folder, but it is undeleted.

Can this be fixed?

Post by lbauer » Wed Sep 05, 2007 1:55 pm

This is actually working as designed, since the user has RCA rights on the parent folder. But I can see where the user has an unexpected ability to undelete the folder he has no access to. If you give the user only RC rights on the parent folder, he won't be able to undelete the subfolder. But with only RC rights, he can't add, label, move or rename, either.

I'll log a feature request to review this behavior.
Linda Bauer
SourceGear
Technical Support Manager
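
The behavior discussed in this thread, as a simplified model added here (it is not SourceGear's code and not part of the original posts): undelete authorized by the "A" right on the parent only, next to a stricter check and a filtered deleted-items listing. The `Folder` class, the function names and the stricter policy are assumptions made for illustration; only the folder layout and the rights strings come from the thread.

```python
from dataclasses import dataclass, field

@dataclass
class Folder:
    name: str
    acl: dict = field(default_factory=dict)  # user -> rights string; absent = inherit
    parent: "Folder | None" = None
    deleted: bool = False
    children: list = field(default_factory=list)

    def add(self, child):
        child.parent = self
        self.children.append(child)
        return child

def effective_rights(folder, user):
    """Nearest explicit entry wins; an explicit "" models 'None' rights."""
    node = folder
    while node is not None:
        if user in node.acl:
            return set(node.acl[user])
        node = node.parent
    return set()

def undelete_parent_only(item, user):
    """Behavior reported in the thread: 'A' on the parent is sufficient."""
    if "A" not in effective_rights(item.parent, user):
        return False
    item.deleted = False
    return True

def undelete_checked(item, user):
    """Assumed stricter policy: also require 'A' on the deleted item itself."""
    if "A" not in effective_rights(item, user):
        return False
    return undelete_parent_only(item, user)

def visible_deleted_items(parent, user):
    """Assumed stricter listing: hide deleted children the user has no rights on."""
    return [c.name for c in parent.children
            if c.deleted and effective_rights(c, user)]

def build_example():
    # Constructed layout matching the thread's folder description.
    baseline = Folder("$/Baseline", acl={"user": "RCA"})
    folder1 = baseline.add(Folder("$/Baseline/Folder1"))  # inherits RCA
    folder2 = baseline.add(Folder("$/Baseline/Folder2", acl={"user": ""}))
    folder2.deleted = True  # deleted by the administrator
    return baseline, folder1, folder2
```

With the parent-only check the folder comes back while the user's effective rights on it stay empty, which matches the "undeleted but inaccessible" state reported above.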
