[MGNLDAM-510] Attempt to download secured asset give file with zero length instead of Error 403
Created: 05/Sep/14  Updated: 19/May/22  Resolved: 19/May/22

Status: Closed
Project: Magnolia DAM Module
Component/s: None
Affects Version/s: 2.0.2
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Jozef Chocholacek Assignee: Unassigned
Resolution: Won't Do Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

 Description   

Steps to reproduce:

  1. Create a secured folder in DAM (e.g. /secured).
  2. Upload an asset into the secured folder, e.g. file.pdf.
  3. Create a page (e.g. /test) and add a Download Link pointing to the /secured/file.pdf asset.
  4. Publish both the page and the asset.
  5. On the public instance, specify the ACL on DAM for the anonymous role:
    1. DENY on /secured (and subnodes)
    2. READ-ONLY on / (and subnodes)
  6. In a different browser, go to the public instance, open the /test page, and click the download link - one would expect Error 403, but it opens an empty file.
  7. Try the download URL also in wget - it downloads a zero-length file.
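
A regression check for the behaviour in the steps above, as an added example that is not part of the original ticket or Magnolia's own code: it requests a download URL without credentials and separates a proper 401/403 from the 200-with-empty-body response the report describes. The function names, the verdict labels, the constructed sample responses and the separate verdict for 3xx responses are assumptions made for this example.

```python
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, body_len):
    """Map an anonymous response for a DENY-protected asset to a verdict."""
    if status in (401, 403):
        return "denied"       # the outcome the report expects
    if 300 <= status < 400:
        return "redirect"     # assumption: e.g. a bounce to a login page
    if status == 200 and body_len == 0:
        return "empty-200"    # the outcome the report observed
    if status == 200:
        return "served"       # asset bytes reached an anonymous client
    return "other"


def probe(url, timeout=10):
    """Fetch url with no cookies or credentials; return (status, length, verdict)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()
    return status, len(body), classify(status, len(body))


def unexpected(results):
    """Keep only the results whose verdict is not an explicit denial."""
    return [r for r in results if r[2] != "denied"]


# Constructed sample responses (status, body length); not captured traffic.
SAMPLES = [(403, 120), (200, 0), (200, 48213), (302, 0)]
SAMPLE_RESULTS = [(s, n, classify(s, n)) for s, n in SAMPLES]

if __name__ == "__main__":
    for row in unexpected(SAMPLE_RESULTS):
        print("not denied:", row)
    # Against a real public instance (placeholder URL):
    # print(probe("https://public.example.invalid/<download-url-of-secured-asset>"))
```

A check that only looks at the status code treats the `empty-200` case as a successful download, which is why the body length is part of the verdict.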


 Comments   
Comment by Roman Kovařík [ 19/May/22 ]

Hello,

This ticket is now marked as closed due to one of the following reasons:

  • A long period of inactivity
  • Uses an old or Beta version of an application, module, or framework that we no longer support
  • The issue is no longer reproducible or has been fixed in later versions

If you are still facing a problem or consider this issue still relevant, please feel free to re-open the ticket and we will reach out to you.

Thank you,
The Magnolia Team
