Hidden folders are viewable in web client

This forum is now locked, since Gold Support is no longer offered.

Moderator: SourceGear

Niklas
Posts: 18
Joined: Tue Mar 30, 2004 9:09 am

Post by Niklas » Wed Nov 10, 2004 8:34 am

Hi,

We are trying to achieve a scenario where documents can be reached in Vault from a guest account. We want the guest user to log in via the web interface. The guest should only have read access to some folders. This works fine, with one disadvantage: the guest account can browse all the folders where read access is denied. We'd like this improved; we really need to be able to create a read permission on directory level, not only on file level. By the way, the folders are hidden when using the client application; they are only viewable via the web client.
We are using V2.0.6


Thanks,

Niklas

jeremy_sg
Posts: 1821
Joined: Thu Dec 18, 2003 11:39 am
Location: Sourcegear

Post by jeremy_sg » Wed Nov 10, 2004 10:40 am

Niklas,

When you set a user to have no permissions to a folder, that folder should not be browsable. If I understand your desired setup correctly, you would need to set the guest account to have default permissions of 0 (no read, no checkin, no delete) and then set the user to have read access just to the folders that you want them to see. Does that setup not work? Can you give me more specifics about how you have permissions set for the account? Does the security get applied correctly if you log in through the GUI client?


-Jeremy

Post by Niklas » Wed Nov 10, 2004 10:52 am

jeremy_sg wrote:

Niklas,

When you set a user to have no permissions to a folder, that folder should not be browsable. If I understand your desired setup correctly, you would need to set the guest account to have default permissions of 0 (no read, no checkin, no delete) and then set the user to have read access just to the folders that you want them to see. Does that setup not work? Can you give me more specifics about how you have permissions set for the account? Does the security get applied correctly if you log in through the GUI client?


-Jeremy

Hi Jeremy,

The guest account is set up with access rights to the repository,
Permissions are all default disabled,
A specific folder access is added
R $/Specifications Reposit
If I log on with the GUI client this works fine. I can only see the folder Specifications (other directories in root level aren't shown).
When I use the web client I can see all directories on root level and enter them and see the filenames. If I click on the version (on a file) link I get this message:

Code:

Server Error in '/VaultService' Application.
--------------------------------------------------------------------------------

Runtime Error 
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine. 

Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".


<!-- Web.Config Configuration File -->

<configuration>
    <system.web>
        <customErrors mode="Off"/>
    </system.web>
</configuration>
 

Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.


<!-- Web.Config Configuration File -->

<configuration>
    <system.web>
        <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
    </system.web>
</configuration>
 
If I click a file link in the non-accessible folder I get this message:

Code:

Unable to display history items. 

Error: FailPermissionDenied 

 

Post by jeremy_sg » Wed Nov 10, 2004 10:57 am

Sounds like a bug. I'll investigate and get back to you.

Post by Niklas » Thu Nov 11, 2004 3:24 am

Thanks for the quick response,

When you've investigated this I'd like to know if we can expect a fix and if so when.

/Niklas

lbauer
Posts: 9736
Joined: Tue Dec 16, 2003 1:25 pm
Location: SourceGear

Post by lbauer » Mon Nov 22, 2004 9:35 am

This has been fixed for Vault 3.0, due out soon.
Linda Bauer
SourceGear
Technical Support Manager
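
The permission setup described in this thread (default permissions of 0 for the guest, plus read access on $/Specifications), as an added example that is not part of the thread and is not SourceGear's code. It sends folder listing and file history through the same server-side checks, so a web front end cannot show more than a GUI client; the tree contents, the folder names other than $/Specifications and all function names are assumptions.

```python
# Constructed sample repository tree; only $/Specifications comes from the thread.
TREE = {
    "$": ["$/Specifications", "$/Source", "$/SpecificationsOld"],
    "$/Specifications": ["$/Specifications/api.doc"],
    "$/Source": ["$/Source/main.cs"],
    "$/SpecificationsOld": ["$/SpecificationsOld/v1.doc"],
}
# Guest has no default rights (the "0" default) and one folder-level read grant.
GRANTS = {"guest": {"$/Specifications": {"R"}}}


class PermissionDenied(Exception):
    pass


def _under(path, folder):
    # Segment-aware match: $/SpecificationsOld is NOT under $/Specifications.
    return path == folder or path.startswith(folder + "/")


def can_read(user, path):
    """Default deny: readable only at or below a folder granted 'R'."""
    return any("R" in rights and _under(path, folder)
               for folder, rights in GRANTS.get(user, {}).items())


def can_traverse(user, path):
    """Ancestors of a granted folder are visible only so it can be reached."""
    return can_read(user, path) or any(
        "R" in rights and _under(folder, path)
        for folder, rights in GRANTS.get(user, {}).items())


def list_folder(user, path):
    """Single choke point for every front end; children are filtered too."""
    if not can_traverse(user, path):
        raise PermissionDenied(path)
    return [child for child in TREE.get(path, []) if can_traverse(user, child)]


def get_history(user, path):
    """History uses the same read check as listing, not a separate rule."""
    if not can_read(user, path):
        raise PermissionDenied(path)
    return ["version 1 of " + path]
```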
