SECURITY HOLE - Tag list shows titles of articles that are blocked from a reader group
complete
Shannon Greywalker
This is a serious security flaw.
To reproduce:
- Create a first-level category named "Customer Content".
- Create another first-level category named "Internal Content".
- Put one article in each category, and assign the same exact tag to both articles.
- Create a Reader Group named "Customers", setting the scope so that they can see only articles inside the "Customer Content" category.
- Create a reader account and assign them to the "Customers" Reader group, with the Project scope set to "None".
- Log in to the rendered KBsite with that reader account.
- View the one available article in the "Customer Content" category and click the displayed tag.
User expectation: The resulting list of articles with that tag should have only one entry: the article that should be visible to that Reader Group.
Actual outcome: The resulting list of articles with that tag has TWO entries, and is showing the title of the article that you created in the "Internal Content" category.
This is a HUGE security flaw. And it renders the Tagging features of Doc360 one hundred percent unusable for us, because it's a massive security flaw.
This is a serious issue because the tagging capabilities are one of the driving features that made us subscribe to Doc360. It would be great to prioritize a fix patch for this.
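The defect described in the report is an authorization gap: the article page applies the reader group's category scope, but the tag listing does not, so titles of out-of-scope articles leak through the tag view. The following is an added illustration, not Document360's code and not the reporter's; it uses a constructed data model (`Article`, `ReaderGroup`, a `can_view` rule) to contrast a listing that skips the scope check with one that reuses the same visibility rule the article page already enforces.

```python
"""Constructed illustration of the tag-listing authorization gap.
Not Document360's code; the data model and names are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Article:
    title: str
    category: str          # first-level category the article lives in
    tags: frozenset        # tags assigned to the article


@dataclass(frozen=True)
class ReaderGroup:
    name: str
    visible_categories: frozenset   # categories this group is scoped to


# Constructed sample data mirroring the reproduction steps:
# one article per category, the same tag on both.
ARTICLES = [
    Article("Getting started", "Customer Content", frozenset({"setup"})),
    Article("Internal runbook", "Internal Content", frozenset({"setup"})),
]
CUSTOMERS = ReaderGroup("Customers", frozenset({"Customer Content"}))


def can_view(group: ReaderGroup, article: Article) -> bool:
    """The single visibility rule: an article is visible only if its
    category is inside the reader group's scope."""
    return article.category in group.visible_categories


def articles_with_tag_unscoped(articles, tag):
    """Buggy listing: filters by tag only and never consults the reader
    group, so it returns every article carrying the tag."""
    return [a.title for a in articles if tag in a.tags]


def articles_with_tag_scoped(articles, group, tag):
    """Fixed listing: the same rule that gates the article page gates the
    listing, so hidden titles never reach the response."""
    return [a.title for a in articles if tag in a.tags and can_view(group, a)]


def tag_counts_scoped(articles, group):
    """Tag cloud counts must be scoped as well; an unscoped count would
    still reveal that hidden articles with the tag exist."""
    counts = {}
    for a in articles:
        if not can_view(group, a):
            continue
        for t in a.tags:
            counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    print("unscoped:", articles_with_tag_unscoped(ARTICLES, "setup"))
    print("scoped:  ", articles_with_tag_scoped(ARTICLES, CUSTOMERS, "setup"))
    print("counts:  ", tag_counts_scoped(ARTICLES, CUSTOMERS))
```

The design point is that authorization lives in one function (`can_view`) that every read path calls, including secondary views such as tag listings, search results and tag-count widgets; a regression test that asserts the scoped listing for the "Customers" group contains exactly one title is the cheapest way to keep this from recurring.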
Marshal Ebinezar
complete
Hi Shannon Greywalker, Thank you for your valuable feedback; we have addressed the issue in our most recent release.