Access to Documents not controlled by Roles?

**Azarov** · 2008-05-14, 12:57 PM

Hello!
Looks like "Documents" section have some problems with ACL
If an user have access rights "All" to "List" of Documents and have not "View" rights, than in documents list there are links to download documents. User can download any file in spite of the fact that he have not rights to view it.
Furthermore there is nothing about access rights in code of "/download.php". There is only check if user logged in. If an user knows id of some file, then he can freely download it regardless of his access rights.
Is it bug or I miss something?

Checked in Sugar Community Edition Version 5.0.0d (Build 3235)

**franklin_sugar** · 2008-05-19, 05:46 PM

Hi Azarov,

What value did you choose for "View", "Not Set" or "None"? I guess you used "Not Set". Please change it to "None" and try again. It should work.

Thanks,
Franklin

**Azarov** · 2008-05-20, 08:21 AM

Thanks for reply

I used "None" and it doesn't work :-(
Here some screenshots:
rights setup:

documents list:

I found a workaround: just edit layout for documents list in studio and remove file_url from default layout.
But if an skilful user somehow(don't know how) gets id of file, he can download it by composing url like /download.php?type=documents&id=[fileid] regardless of any access rights

**franklin_sugar** · 2008-05-20, 07:01 PM

Hi Azarov,

Thanks for providing the images. I can reproduce the problem now. Bug 22280 was filed to track this issue. It will be fixed in the upcoming release.

Thanks for reporting this issue and sorry for the inconvenience.

Franklin