In a quick check, I already found 2 big security bugs where users can see
documents of the other one.
Both cases use the API.

image page preview:
/api/documents/documents/616/versions/822/pages/1187/image/ : BUG security Chinese wall : BUG: user2 can see metadata doc user1

document metadata:
/api/metadata/documents/616/metadata/ : need role permissions: view metadata of document : BUG: user2 can see metadata doc user1


whereas e.g. the document download API checks security OK:
/api/documents/documents/616/versions/822/download/ => no permission for user2
