You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@zeppelin.apache.org by "Deepesh Khandelwal (JIRA)" <ji...@apache.org> on 2017/02/24 07:40:44 UTC

[jira] [Created] (ZEPPELIN-2167) User with insufficient privileges can still restore files by renaming files in/out of Trash

Deepesh Khandelwal created ZEPPELIN-2167:
--------------------------------------------

             Summary: User with insufficient privileges can still restore files by renaming files in/out of Trash
                 Key: ZEPPELIN-2167
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-2167
             Project: Zeppelin
          Issue Type: Bug
          Components: security
            Reporter: Deepesh Khandelwal
            Priority: Critical


Steps to reproduce:
# Create a notebook "test_nb" as bob.
# Delete the notebook
# Login as mary and try restoring "test_nb" from Trash folder. The system correctly complains of insufficient privileges.
# Open the "test_nb" notebook from Trash folder. The notebook opens with title "~Trash/test_nb".
# Edit the title and remove the prefix "~Trash".
If you now look at the list of notebooks there is no file "test_nb" in Trash.
Interestingly when you try and delete the recently moved file from Trash it complains that mary does not have privileges to delete it. Edit the title of that notebook to "~Trash/test_nb" and it goes back to Trash folder.




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)