[#BAM-1996] Anonymous user is able to download artifacts even if Anonymous mode is disabled both at global level and plan level

Bamboo

Anonymous user is able to download artifacts even if Anonymous mode is disabled both at global level and plan level

Created: 05/Dec/07 12:19 PM Updated: 20/May/08 06:51 PM

Component/s:

Security

Affects Version/s:

1.2.4

Fix Version/s:

2.0 beta 4, 2.0

Time Tracking:

Original Estimate:

4 hours

Remaining Estimate:

0 minutes

Time Spent:

4 hours

Issue Links:

Duplicate

This issue is duplicated by:

~~BAM-2548~~ Artifacts are not restricted by removing global anonymous access

Reference

This issue relates to:

~~BAM-1944~~ Users should not be able to view plans if Global Anonymous access is disabled.

Participants:	Ajay Sridhar [Atlassian], Eugene Gavrilov and Mark Chaimungkalanont [Atlassian]
Since last comment:	43 weeks, 6 days ago
Number of comments:	1
Internal Priority:	1. Highest
Internal Work Bucket:	Confirmed
Labels:

Description

« Hide

1. Disable Anonymous in Global permissions
2. Create a plan with anonymous access disabled
3. Make a build with artifacts
4. Copy artifact URL to clipboard
5. Log out or open another browser window
6. Paste the URL into browser
Expected: login screen or Access Denied message
Actual: artifact is vieable and downloadable

Note: it seems that download servlet isn't secured anyway.

All

Comments

Work Log

Change History

Sort Order:

[ Permlink | « Hide ]

Ajay Sridhar [Atlassian] added a comment - 09/Dec/07 05:51 PM

Hi Eugene,

Sorry for the inconvenience.

I suspect, this issue is related to BAM-1974, the anonymous user access needs to be revised.

We will get this resolved soon.

Regards,
Ajay.