When using the Files & Folders widget to add a document, the default value for the parent section is incorrect. As the group menu option is correct, the problem is difficult to detect. It is unclear to me how the parent section is chosen (I have a different value by default than other users).

I am posting this as a major bug because in my case it was a security issue. Documents and files attached to a restricted folder were publicly accessible.
The bug is also difficult to detect, so I am not sure how many more files on my website have unintended access settings.

I think a "consistency" check should also be added to prevent unintended differences in the parent section of a document according to the local menu and the oa_section_ref field.
I can also imagine a situation where a user moves documents in the folder structure, wrongly expecting them to inherit the correct access rights.

Attached are screenshots of how to reproduce the bug.


Comments

pgancarski created an issue.

mpotter

Category: Bug report » Support request
Priority: Major » Normal

I think maybe there is confusion in understanding a "Section" vs a "Menu" parent.

In your "Add document" screenshot you show your Files menu tree, and you are clicking Add Document within the "Management" folder. Then in the "Incorrect parent section" screenshot, you are showing the Menu Parent, which is *properly* set to "Management". The menu structure is what is being used for folders, and it is creating your document within the correct folder.

If the document was actually created in the wrong *Section* then you need to scroll down in the New Document form and expand the "Access" fieldset and show what Space and Section the document is being created in.

I could not reproduce this on my site. But one thing I have seen in the past is if you have multiple tabs open in your browser in two different spaces. Atrium takes the "current space and section" from the browser cookie session, so if you have multiple tabs open it might think your "current space and section" are those of the most recently opened tab rather than the tab you are creating a document in.

pgancarski

Category: Support request » Feature request

You are right, it is not a bug, but I would like to change it to a feature request.

When I add files using the plus button, it passes oa_section_ref. When I use the Files & Folders widget, it passes menu_parent. The resulting inconsistency between the two buttons is confusing, as one would expect them to do the same thing.

The way that users see it is that they upload a file/doc to a folder. If they upload a file to a folder "restricted", they expect the file to be restricted, especially when the file is visible in the "restricted" folder.

In my case, files or docs uploaded to "restricted" end up being in "news". It is clear to me what is happening, but I shouldn't have to provide training to every user who is allowed to add documents. At the moment I am getting complaints about "security bugs", as this is the way the users see it. I will most likely have to write a script that fixes it for all documents.

In my opinion, using a local menu or taxonomy to represent the folder structure of documents is an implementation detail. The specification would be a "simple file system", as this is how end users see it.

mpotter

No, it's not the same at all.

Folders are not Sections.

Atrium applies access control to entire Sections. Folders are just parent documents in a menu, or taxonomy terms (remember that folders can be either, so there are people using this in different ways). Access never applies to specific documents (like folders); it ONLY applies to a section.

Each section has its own menu tree (its own folder structure).

If you use taxonomy based folders you can have the same taxonomy folders across multiple sections and it's the section that controls the access, not the folder.

So you just need to re-think your information architecture and also train your users. You can't create a private "folder", you can only create a private section. This is how the access control in Atrium is designed from the ground up. Changing it to allow privacy on a per-node (menu folder) or per-entity (taxonomy folder) basis would be a huge effort. Don't call your folder "Restricted"... create a Section called "Restricted files".
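The consistency check requested in the original report, and the clean-up script the reporter says they will have to write, both reduce to the same audit given the access model explained above: a section is the unit of access, a folder is only the parent document in the menu tree, so a document whose oa_section_ref points to a different section than its menu-parent folder is exactly the case where a file "visible in the restricted folder" is not actually restricted. The following drush script is an added example written for this thread, not code from the Open Atrium project or from either poster. It assumes Drupal 7 with Open Atrium 2, oa_section_ref as an entityreference field on document nodes, menu-based folders (taxonomy folders are not covered), and that the section content type is named oa_section; the function names oa_audit_* and the $dry_run switch are the example's own.

```php
<?php
// Added example, not Open Atrium code. Run as: drush php-script oa_section_audit.php
// Assumptions: Drupal 7 + Open Atrium 2, documents carry the oa_section_ref
// entityreference field, folders are menu parents (not taxonomy terms), and the
// section content type is 'oa_section'.

$dry_run = TRUE;   // set to FALSE to rewrite oa_section_ref to the folder's section

// The section a node belongs to: target of its oa_section_ref field, or NULL.
function oa_audit_section_of($node) {
  $items = field_get_items('node', $node, 'oa_section_ref');
  return $items ? (int) $items[0]['target_id'] : NULL;
}

// Walk up the menu from node/NID until a parent link that points at another
// node is found; that node is the "folder" the user sees the document in.
// If a node has links in several menus only the first one found is followed.
function oa_audit_folder_node($nid) {
  $link = db_select('menu_links', 'ml')
    ->fields('ml', array('mlid', 'plid', 'link_path'))
    ->condition('link_path', 'node/' . $nid)
    ->execute()
    ->fetchAssoc();
  while ($link && $link['plid']) {
    $parent = menu_link_load($link['plid']);
    if (!$parent) {
      return NULL;
    }
    if (arg(0, $parent['link_path']) == 'node' && is_numeric(arg(1, $parent['link_path']))) {
      return node_load(arg(1, $parent['link_path']));
    }
    $link = $parent;
  }
  return NULL;   // top-level link, or no menu link at all
}

// Every node that references a section.
$query = new EntityFieldQuery();
$result = $query->entityCondition('entity_type', 'node')
  ->fieldCondition('oa_section_ref', 'target_id', 0, '>')
  ->execute();
$nids = isset($result['node']) ? array_keys($result['node']) : array();

$mismatches = 0;
foreach (node_load_multiple($nids) as $node) {
  $folder = oa_audit_folder_node($node->nid);
  if (!$folder) {
    continue;
  }
  $own = oa_audit_section_of($node);
  $expected = oa_audit_section_of($folder);
  // A folder that is itself a section node defines its own section.
  if ($expected === NULL && $folder->type == 'oa_section') {
    $expected = (int) $folder->nid;
  }
  if ($expected === NULL || $own === $expected) {
    continue;
  }
  $mismatches++;
  drush_print(sprintf('node/%d "%s": oa_section_ref=%s but folder node/%d "%s" is in section %d',
    $node->nid, $node->title, var_export($own, TRUE), $folder->nid, $folder->title, $expected));
  if (!$dry_run) {
    $node->oa_section_ref[LANGUAGE_NONE] = array(array('target_id' => $expected));
    node_save($node);   // node_save() re-acquires node access grants for this node
  }
}
drush_print("$mismatches document(s) whose section does not match their folder's section");
```

Run it in dry-run mode first and review the list: a mismatch is not always an error (a document may be deliberately linked from a folder in another section), which is why the script reports before it rewrites. Moving a document between sections with $dry_run = FALSE changes who can read it, so run it as an administrator and re-check the affected nodes afterwards; the same caveat applies to any "move to folder" operation, since, as explained above, moving a menu link never changes a document's section.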