We found a bug that gives users more rights than allowed. If a user has only read-only access to a folder (and the assets inside), it is nevertheless possible to manipulate the asset information with a trick.
To do this, it is sufficient to drop an asset into the user's favorites area. After this, the user can click on the asset (or one of his favorites) to open the information window and see all tabs (and the SAVE action button!).
In the folder view, the user has the correct access rights, so he sees only the information and has no way to manipulate anything.
We found this phenomenon in version 1.5.x up to the latest version 1.7.0. In the user's basket area this security vulnerability does not occur.
- Create a new user and a new group. Add the user to this new group.
- Add the new group to an asset folder (read-only access).
- Log in with the new user account.
- Drop an asset into the user's favorites area.
- Open the information window (in the favorites area) with a click.
- Now you can manipulate the information and save it (SAVE action is allowed!)
- In the folder view you find the changed information!
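
The behaviour in this report can be modelled as a save path whose authorization depends on the view the request came from instead of on the asset's folder. The following is an added example, not code from the product or from the reporter; the assumed root cause, all class and function names, and the sample data are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    folder_id: str
    description: str = ""

@dataclass
class Store:
    """Constructed model of folder ACLs plus a per-user favorites list."""
    assets: dict = field(default_factory=dict)      # asset_id -> Asset
    folder_acl: dict = field(default_factory=dict)  # (group, folder_id) -> "R" or "W"
    groups: dict = field(default_factory=dict)      # user -> set of group names
    favorites: dict = field(default_factory=dict)   # user -> set of asset_ids

    def can_write(self, user, folder_id):
        return any(self.folder_acl.get((g, folder_id)) == "W"
                   for g in self.groups.get(user, ()))

    def save_flawed(self, user, asset_id, text, view):
        # Assumed flaw: the folder ACL is consulted only for the folder view;
        # the favorites view just checks that the asset is a favorite.
        asset = self.assets[asset_id]
        if view == "favorites":
            allowed = asset_id in self.favorites.get(user, ())
        else:
            allowed = self.can_write(user, asset.folder_id)
        if allowed:
            asset.description = text
        return allowed

    def save_checked(self, user, asset_id, text, view):
        # Authorization depends on the asset's folder, never on the view
        # the request came from.
        asset = self.assets[asset_id]
        allowed = self.can_write(user, asset.folder_id)
        if allowed:
            asset.description = text
        return allowed

def demo_store():
    # Constructed data mirroring the report: one read-only user, one editor.
    s = Store()
    s.assets["a1"] = Asset(folder_id="f1", description="original")
    s.folder_acl = {("readers", "f1"): "R", ("editors", "f1"): "W"}
    s.groups = {"newuser": {"readers"}, "editor": {"editors"}}
    s.favorites = {"newuser": {"a1"}}
    return s
```

A regression test for a fix would repeat the same save request once per entry point (folder view, favorites, basket) and expect an identical decision each time.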