Visual Studio IDE Vault Security Flaw?
I noticed a possible security flaw with Vault when testing using the integrated IDE with Visual Studio.
a) I set up a repository with several folders in it and enabled folder-level security
b) I then assigned a user to a group
c) I gave that group full access to all folders
d) The user then opens Visual Studio and opens a project from Vault
e) I then change access to all folders for that group to “none”
f) If that user then attempts to get another project from Vault (from the same open Visual Studio) they can still see and access all the folders that should be disabled (note: if trying the same action from the Vault client they are denied access and the display refreshes and hides the folders that no longer have permissions)
Moderator: SourceGear
Re: Visual Studio IDE Vault Security Flaw?
I ran a few tests and see what you are saying. In my tests, the user couldn't open the other projects though. Also, when I removed access to the original that my user already had open, the user was unable to check out or check in and the error says the user doesn't have permissions. I can see though where the user seeing the tree can be problematic. I found if I closed down all clients and VS, and then reopened, I would see only what I was supposed to see.
I will log a bug on this. In the meantime, have your users restart their clients to get the security changes.
F: 15168
Beth Kieler
SourceGear Technical Support
Re: Visual Studio IDE Vault Security Flaw?
Hi
I'm glad you were able to replicate some of the issue. You are correct, if the user closes and re-opens Visual Studio the new security settings work. Also, the user is not able to check in or check out files of the original, already open project.
I did some more tests and I was again able to replicate the issue: I could get all the code from Vault for a project that the user no longer had permissions for and which did not exist locally.
This is probably a fairly serious problem.
I think your workaround will be OK for now; we just have to make sure that permissions are set up prior to having a client connect to Vault.
Thanks.
Re: Visual Studio IDE Vault Security Flaw?
> if the user closes and re-opens Visual Studio the new security settings work

That's normal for many of the admin-level settings. You should have seen a warning at some point in the admin web page after you performed a save that read, "The settings have been saved. Clients may need to be restarted before the Repository option changes are reflected on the client side."

> I did some more tests and I was again able to replicate the issue, I could get all the code from Vault of a project that the user no longer had permissions for and which did not exist locally.

Was this in the GUI client or in VS? I can't seem to make that happen in the GUI client. If the files aren't on disk, then in VS you have to perform an Open from Vault. If I change security, but don't reopen VS, and then try an Open from Vault, I can't access the materials I took rights away from. I see them in the list until I reopen VS, but if I actually try an open it fails. I need more details about how you are getting files that you don't already have on disk and have no permissions to.
Beth Kieler
SourceGear Technical Support