Protected assets are accessible anonymously

I’m submitting a…

  • [ ] Regression (a behavior that stopped working in a new release)
  • [x] Bug report
  • [ ] Performance issue
  • [ ] Documentation issue or request

Current behavior

Protected assets are visible from an anonymous session by appending “?version=0” to the URL.

For example:
/api/assets/myapp/125d39ee-2a44-4981-8888-ce21e75dd9f8/
returns 403

/api/assets/myapp/125d39ee-2a44-4981-8888-ce21e75dd9f8/?version=0
displays the asset

/api/assets/myapp/125d39ee-2a44-4981-8888-ce21e75dd9f8/anystring?version=0
displays the asset

Expected behavior

There should be no way for unauthenticated clients to view protected assets.

Minimal reproduction of the problem

Upload an asset, set it as “protected”, then try to view it from a private browser session with the trailing “?version=0”.

Environment

  • [x] Self hosted with docker
  • [ ] Self hosted with IIS
  • [ ] Self hosted with other version
  • [x] Cloud version

Version: 5.4.0.0

Browser:

  • [ ] Chrome (desktop)
  • [ ] Chrome (Android)
  • [ ] Chrome (iOS)
  • [x] Firefox
  • [ ] Safari (desktop)
  • [ ] Safari (iOS)
  • [ ] IE
  • [x] Edge (chromium)

I can reproduce it, thank you for your bug report.

I have solved this.

The problem was that version 0 is not protected; therefore you always have to query the specific version and the latest version.
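To make the defect and the fix concrete, here is an added example in Python; it is not the project's code, and the in-memory asset store, the route shape `/api/assets/{app}/{id}/...` and the handler names are assumptions. It models a download handler that reads the "protected" flag from the version the client asked for (which is what lets an old, pre-protection version 0 leak) beside the corrected handler that always reads the flag from the latest version, whatever version is requested, as the fix above describes.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class AssetVersion:
    version: int
    is_protected: bool  # value of the "protected" flag as recorded at this version
    data: bytes


@dataclass
class Asset:
    versions: List[AssetVersion]  # ordered by version number, oldest first

    def latest(self) -> AssetVersion:
        return self.versions[-1]

    def find(self, version: Optional[int]) -> Optional[AssetVersion]:
        if version is None:
            return self.latest()
        return next((v for v in self.versions if v.version == version), None)


# Constructed sample store (assumption): the asset was uploaded unprotected
# (version 0) and then marked "protected", which recorded version 1.
STORE = {
    "125d39ee-2a44-4981-8888-ce21e75dd9f8": Asset(
        versions=[
            AssetVersion(0, False, b"original upload"),
            AssetVersion(1, True, b"original upload"),
        ]
    )
}


def parse_request(url: str):
    """Return (asset id, requested version or None) for
    '/api/assets/{app}/{id}/[anything]?version=N'. Raises ValueError on a bad version."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 4 or segments[:2] != ["api", "assets"]:
        return None, None
    asset_id = segments[3]  # trailing path segments are ignored by the route
    query = parse_qs(parts.query)
    version = int(query["version"][0]) if "version" in query else None
    return asset_id, version


def _serve(url: str, authenticated: bool, protection_from_latest: bool) -> int:
    """Return the HTTP status the handler would send (body omitted for brevity)."""
    try:
        asset_id, version = parse_request(url)
    except ValueError:
        return 400
    asset = STORE.get(asset_id)
    if asset is None:
        return 404
    requested = asset.find(version)
    if requested is None:
        return 404
    # Defect: taking the flag from the requested version means version 0,
    # recorded before the asset was protected, is served to anyone.
    # Fix: the protection decision always comes from the latest version;
    # the requested version only decides which bytes are returned.
    flag_source = asset.latest() if protection_from_latest else requested
    if flag_source.is_protected and not authenticated:
        return 403
    return 200


def serve_asset_buggy(url: str, authenticated: bool) -> int:
    return _serve(url, authenticated, protection_from_latest=False)


def serve_asset_fixed(url: str, authenticated: bool) -> int:
    return _serve(url, authenticated, protection_from_latest=True)


if __name__ == "__main__":
    base = "/api/assets/myapp/125d39ee-2a44-4981-8888-ce21e75dd9f8/"
    for name, handler in (("buggy", serve_asset_buggy), ("fixed", serve_asset_fixed)):
        print(name, base, handler(base, False))
        print(name, base + "?version=0", handler(base + "?version=0", False))
        print(name, base + "anystring?version=0", handler(base + "anystring?version=0", False))
```

The regression check to keep alongside the fix is the anonymous `?version=0` request (with and without a trailing path segment): it must return 403 for as long as the latest version is protected, and 200 only for an authenticated client.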

This topic was automatically closed after 2 days. New replies are no longer allowed.