Deepesh Khandelwal created ZEPPELIN-2167:
--------------------------------------------

             Summary: User with insufficient privileges can still restore files by renaming files in/out of Trash
                 Key: ZEPPELIN-2167
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-2167
             Project: Zeppelin
          Issue Type: Bug
          Components: security
            Reporter: Deepesh Khandelwal
            Priority: Critical


Steps to reproduce:
# Create a notebook "test_nb" as bob.
# Delete the notebook
# Log in as mary and try restoring "test_nb" from Trash folder. The system 
correctly complains of insufficient privileges.
# Open the "test_nb" notebook from Trash folder. The notebook opens with title 
"~Trash/test_nb".
# Edit the title and remove the prefix "~Trash".
If you now look at the list of notebooks, there is no file "test_nb" in Trash.
Interestingly, when you try to delete the recently moved file from Trash, it 
complains that mary does not have privileges to delete it. Edit the title of 
that notebook to "~Trash/test_nb" and it goes back to Trash folder.




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
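
Added example, not part of the original report and not Zeppelin's code: a small Python model of the reported gap, where restore and delete check privileges but a title edit relocates the note without any check, next to a rename that treats crossing the "~Trash" boundary as a restore or delete. The NoteStore class, its method names and the owner-only permission rule are assumptions made for illustration.

```python
TRASH_FOLDER = "~Trash"  # folder name taken from the report


class Forbidden(Exception):
    pass


def in_trash(name):
    # Compare the first path component so "/~Trash/x" and "~Trash/x" both match.
    return name.lstrip("/").split("/", 1)[0] == TRASH_FOLDER


class NoteStore:
    """Constructed model of a notebook store; not Zeppelin's API."""

    def __init__(self):
        self.notes = {}  # note id -> {"name": str, "owners": set of users}

    def create(self, note_id, name, owner):
        self.notes[note_id] = {"name": name, "owners": {owner}}

    def _require_owner(self, note, user):
        if user not in note["owners"]:
            raise Forbidden(user + " has insufficient privileges")

    def move_to_trash(self, note_id, user):
        note = self.notes[note_id]
        self._require_owner(note, user)
        note["name"] = TRASH_FOLDER + "/" + note["name"]

    def restore(self, note_id, user):
        note = self.notes[note_id]
        self._require_owner(note, user)
        note["name"] = note["name"].lstrip("/").split("/", 1)[1]

    def rename_unchecked(self, note_id, new_name, user):
        # Reported behaviour: a title edit relocates the note with no check.
        self.notes[note_id]["name"] = new_name

    def rename(self, note_id, new_name, user):
        note = self.notes[note_id]
        # A rename that crosses the Trash boundary is a delete or a restore,
        # so it needs the same privilege as those operations.
        if in_trash(note["name"]) != in_trash(new_name):
            self._require_owner(note, user)
        note["name"] = new_name
```

Renames that stay on one side of the Trash boundary are left to whatever check the title edit already has, which this model does not cover.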