I have a web on my site that is restricted to a group. Any user outside of this group can modify a page where they do have access with a ACTIONSEARCH command and retrieve action search results from the web where they do not have permission.
Given:
- Web A with restricted access to group A.
- User B that is not a member of group A and thus does not have access to Web A but does have access to Web B
Action:
- User A enters action items on web A
- User B modifies a page on web B and includes an ACTIONSEARCH command on the given page. The newly updated page shows results it obtained from both Webs A&B where User B should not have had access to Web A. They can then see the details of the Web A Action Items.
ActionTrackerPlugin
Please clarify exactly what you mean by "restricted access". Provide the exact settings that you think are not being honoured, but should be. If you can do this in the form of a test-case, so much the better. Thanks.
CC
I am not sure if I am experienced enough to answer this more than what is stated above. The issue is that I have a
SampleWeb with the web's preference 'Set ALLOWWEBVIEW =
SomeGroup'. I have a
TestUser that is not part of
SomeGroup. Therefore the
TestUser should not be able to access data from
SampleWeb. Now
TestUser can go to the
SandBox web and create a
SampleWebPage and include the following text
%ACTIONSEARCH{web="*"}%
TestUser will then be able to see all the action items from all webs including those from
SampleWeb therefore bypassing the
SampleWeb's ALLOWWEBVIEW setting.
It's kinda questionable what the correct behaviour is here. My attitude is that if someone sets an action for me, that I need to be able to see it, wherever it is, even if I can't view topics in that web. Otherwise, I might be held to task for failing to meet an action I didn't know existed. In an environment where "me" means a group or even an email address, it's hard to isolate exactly what actions I can and can't see.
However it is clear that the case you describe above is not correct.
This requires some careful thought.
CC
OK, I decided that the action search needs to be restricted to webs where you can see the topics. If you have an action in a hidden web, c'est la vie.
CC
Thanks, I agree that if someone sets an action for me that I would like to see it wherever it is, even if I can't view topics in that web. The issue we are having is more that I can see action items for other people in webs that I am restricted from. In our environment this is allowing a security leak where people can get some limited information about that restricted web even when the action item had nothing to do about them.
I guess that an Ideal logic could be something like this??
- actionsearch is evaluating a page for a user
- page is restricted from user and action item is not for user
- user does not see action item
- page is restricted from user and action item is for user
- user can see action item but not page
- page is not restricted from user
- user can see action items and page
ScottWBlack
I think CC is right here. If someone assigns an action to me on a secret topic that I cannot see then to hell with him. He can do the action himself. If I am given an action in a meeting minute and I cannot see the minutes - that is a silly way to conduct business in the first place and I see no reason why the Action Tracker should support such silly behavior at the risk of compromising security.
--
KennethLavrsen - 02 Feb 2007