Share items to EVERYONE without SHARE_TO_EVERYONE permission
Reported by: Nicklas Nordborg
Owned by: Nicklas Nordborg
This is somewhat related to ticket #929. There is another way to bypass the SHARE_TO_EVERYONE permission check. Exploiting it requires custom-written client or plug-in code; the check cannot be bypassed through the web client. The problem is that the SHARE_TO_EVERYONE permission is only verified in the ItemKey.getNewOrExisting() method. It is simple to write code that instead finds another item which is already shared to EVERYONE and copies that ItemKey to the target item. The web client can then be used to assign other permissions, and because of ticket #929 the user is no longer forced to remove the share to the EVERYONE group.
To fix this, the same permission check is needed in the SharedItem.setItemKey() method.
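A simplified illustration of the proposed fix, added here as an example and not taken from BASE's code: the ItemKey, SharedItem and SessionControl classes below are hypothetical stand-ins that model only the group membership of a key and the caller's permission set, and the EVERYONE group id is a constructed value.

```java
import java.util.EnumSet;
import java.util.Set;

public class ShareCheckExample {

    enum Permission { SHARE_TO_EVERYONE }

    // Constructed id for the EVERYONE group; not BASE's real value.
    static final int EVERYONE_GROUP_ID = 0;

    /** Hypothetical stand-in for the session's permission set. */
    static final class SessionControl {
        private final Set<Permission> perms;
        SessionControl(Set<Permission> perms) { this.perms = perms; }
        boolean hasPermission(Permission p) { return perms.contains(p); }
    }

    /** Hypothetical stand-in for ItemKey: the group ids a key grants access to. */
    static final class ItemKey {
        private final Set<Integer> groups;
        ItemKey(Set<Integer> groups) { this.groups = groups; }
        boolean isSharedToEveryone() { return groups.contains(EVERYONE_GROUP_ID); }
    }

    /** Hypothetical stand-in for SharedItem with the check the ticket asks for. */
    static final class SharedItem {
        private ItemKey itemKey;

        // The check that getNewOrExisting() already performs is repeated here,
        // so copying an existing key shared to EVERYONE is no longer a bypass.
        void setItemKey(SessionControl sc, ItemKey key) {
            if (key != null && key.isSharedToEveryone()
                    && !sc.hasPermission(Permission.SHARE_TO_EVERYONE)) {
                throw new SecurityException("SHARE_TO_EVERYONE permission required");
            }
            this.itemKey = key;
        }

        ItemKey getItemKey() { return itemKey; }
    }

    public static void main(String[] args) {
        // A key copied from an item that is already shared to EVERYONE.
        ItemKey copiedKey = new ItemKey(Set.of(EVERYONE_GROUP_ID, 7));
        SessionControl limited = new SessionControl(EnumSet.noneOf(Permission.class));
        SharedItem target = new SharedItem();
        try {
            target.setItemKey(limited, copiedKey);
        } catch (SecurityException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

The same call succeeds for a session whose permission set contains SHARE_TO_EVERYONE, so the fix only closes the copy path and does not change behaviour for users who are allowed to share to EVERYONE.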