[opencms-dev] Security problem with resources in Workplace between different Organizational Units

Polo Castaño, Manoel Xose mpoloc at cinfo.mundo-R.net
Mon Oct 20 18:20:46 CEST 2008


Hello! 

I have one microsite with multiple folders inside:

     /sites/default/

          MyMicrosite/

               folder1/

               folder1/

               ...

               folderN/


I have one Organizational Unit per folder:

     mymicrosite_folder1_OU
     
     mymicrosite_folder2_OU
     
     ...
     
     mymicrosite_folderN_OU


Each Organizational Unit allows access only to its corresponding folder, that is:
	
     mymicrosite_folder1_OU -> Only access to "/sites/default/MyMicrosite/folder1/"
     
     mymicrosite_folder2_OU -> Only access to "/sites/default/MyMicrosite/folder2/"
     
     ...
     
     mymicrosite_folderN_OU -> Only access to "/sites/default/MyMicrosite/folderN/"


There is one user per Organizational Unit:

     mymicrosite_folder1_OU -> User "mymicrosite_folder1"
     
     mymicrosite_folder2_OU -> User "mymicrosite_folder2"
     
     ...
     
     mymicrosite_folderN_OU -> User "mymicrosite_folderN"


If I log in to the OpenCms Workplace with the user "mymicrosite_folder1", all folders, except "/sites/default/MyMicrosite/folder1/" and its contents, will be shown in gray, which means that I cannot create or edit any resource within those folders (it is exactly what I want). For example, if I move to the folder "/sites/default/MyMicrosite/folder2/", the buttons "New" and "Upload" are disabled. If I put the mouse over a resource contained in that folder and press the right button, the Edit option does not appear.


The problem is the following: If I move to the folder "/sites/default/MyMicrosite/folder1/" (which I have access to), put the mouse over a resource, press the right button, select the option "Copy" and select folder "/sites/default/MyMicrosite/folder2/" (which I do not have access to) as the destination folder, the system will copy my resource to that folder.


Something similar occurs with Image and Download Galleries. Imagine that I have one Image Gallery per folder:

     /sites/default/MyMicrosite/folder1/imagegallery/
     
     /sites/default/MyMicrosite/folder2/imagegallery/

     ...

     /sites/default/MyMicrosite/folderN/imagegallery/


If I create a Structured Content of type "News article" (or any other with image attributes) in "/sites/default/MyMicrosite/folder1/" (which I have access to) and try to add an image to it, the Image Gallery dialog will appear. It will show me the list of all Image Galleries of the system, including those which I do not have access to. If I select the gallery "/sites/default/MyMicrosite/folder2/imagegallery/", which I do not have access to, and upload a new image using that dialog, the system will create an image file in that Image Gallery.

Thanks for reading!
