Web site workflow - bug?

harshad
Champ in-the-making
I am using Alfresco 2.1 community edition with WCM.

I am using the web site submission workflow - serial option - ……. to create content. In the workflow I am selecting a user who is a Content Publisher to review and publish it. This user can see the task and approve it.

But it looks like there is a security hole. Any user with the minimal permission of Content Creator who logs in and enables "All Active Task" in My Alfresco not only sees this task but can also approve it.

How can one prevent this from happening in the default web site submission workflow?

-thanks,
4 REPLIES

davidc
Star Contributor
Remove that dashlet via configuration, so it's not available for selection.

sacco
Champ in-the-making
I don't really see how this closes the potential security hole, which is server-side, surely?

If it's a hole, then it remains so even if we don't provide a convenient one-click exploit (although it's obviously better not to do this).

davidc
Star Contributor
Correct - the workflow service has yet to declare its permission requirements.

paulossilva
Champ in-the-making
What about extending permissions to web forms themselves?

I mean, we have some security breaches in web forms, in that a content contributor, i.e., from the HR department, could submit a product release web form, since she can see all web project forms from her sandbox!

I know that a workflow could prevent that form from being published by some reviewer; however, you would agree that this is not the desirable way to deal with it.