Improper Privilege Management in Dolibarr/dolibarr

Valid
Reported on May 22nd 2021

💥 BUG

An unprivileged user can download a file attached to an agenda event.

💥 IMPACT

A user who has no access to a specific agenda event can still download files uploaded to that event.

💥 TESTED VERSION

dolibarr 14.0.0-beta

💥 STEPS TO REPRODUCE

1. First, go to the admin account and add user B as a normal user.
Now give user B the permission below for the Agenda module:
-->Read actions (events or tasks) linked to his user account (if owner of event or just assigned to).
So user B can see only events he owns or is assigned to, and he cannot modify any of them.

2. Now, from the admin account, go to the Agenda module and create an agenda event.
Upload a file to this event; the file link looks like http://localhost/dolibarr-develop/htdocs/document.php?modulepart=actions&entity=1&file=2%2FSECURITbYs.md.
User B should not be able to see this event or the uploaded file.

3. Finally, log in to user B's account and visit the uploaded file URL http://localhost/dolibarr-develop/htdocs/document.php?modulepart=actions&entity=1&file=2%2FSECURITbYs.md. User B can download the file.
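As an added illustration, not Dolibarr's own code, this is the kind of authorization check a file-serving endpoint such as document.php needs for modulepart=actions before streaming a file: resolve the event from the requested path, then confirm the requesting user owns it, is assigned to it, or holds a broader read-all right. The event store, user ids, right names and function names are constructed assumptions.

```php
<?php
// Hypothetical right names modelled on the Agenda permission quoted in the report.
const AGENDA_READ_OWN = 'agenda_myactions_read';  // read events owned by / assigned to me
const AGENDA_READ_ALL = 'agenda_allactions_read'; // read every event (assumed broader right)

// Constructed in-memory event store: event id => owner user id and assigned user ids.
$events = [
    2 => ['owner' => 1, 'assigned' => []],   // the admin's event from the report
    5 => ['owner' => 1, 'assigned' => [7]],  // an event user B (id 7) is assigned to
];

/**
 * Extract the event id from the `file` parameter as PHP delivers it in $_GET,
 * i.e. already URL-decoded ("2/SECURITbYs.md"). Returns null unless the value
 * is exactly "<digits>/<basename>" with no path separators or dot segments.
 */
function event_id_from_file(string $file): ?int {
    if (!preg_match('#^(\d+)/([^/\\\\]+)$#', $file, $m)) return null;
    if ($m[2] === '.' || $m[2] === '..') return null;
    return (int) $m[1];
}

/**
 * Decide whether $userId, holding $rights, may download $file from the Agenda.
 * Anything unknown or malformed is denied; only an explicit match allows.
 */
function can_download_event_file(int $userId, array $rights, string $file, array $events): bool {
    $id = event_id_from_file($file);
    if ($id === null || !isset($events[$id])) return false;
    if (in_array(AGENDA_READ_ALL, $rights, true)) return true;
    if (!in_array(AGENDA_READ_OWN, $rights, true)) return false;
    $ev = $events[$id];
    return $ev['owner'] === $userId || in_array($userId, $ev['assigned'], true);
}

// User B (id 7) holds only the "own events" right, as in the report.
$rightsB = [AGENDA_READ_OWN];
// Event 2 belongs to the admin: must be denied.
var_dump(can_download_event_file(7, $rightsB, '2/SECURITbYs.md', $events));
// Event 5 has user B assigned: allowed.
var_dump(can_download_event_file(7, $rightsB, '5/notes.md', $events));
// Path traversal attempt: denied before any lookup.
var_dump(can_download_event_file(7, $rightsB, '../conf/conf.php', $events));
// Admin with the read-all right: allowed.
var_dump(can_download_event_file(1, [AGENDA_READ_ALL], '2/SECURITbYs.md', $events));
```

The decision must run inside the download endpoint itself, since the event list page hiding an event does nothing to stop a direct request for its file URL.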