Unauthorized access to settings update, logs, history, delete etc. of repositories in ikus060/rdiffweb
Reported on
Nov 21st 2022
Hey,
Attack Scenario:
An admin sets up a new user with User privileges and gives that user access to the root directory "/" of the repositories. Some time later the admin revokes the user's access to that directory for whatever reason, but the user (now an attacker with only User privileges) can still edit settings, check logs and view history without having the permission.
Steps To reproduce:
1. From the Admin's account, create a new user with the least privileges and give him access to the root directory "/".
2. Change the root directory to blank and revoke the access to the root directory.
3. Go to the user's account. Trying to browse a repository, for example "backups/MyWindowsLaptop/C" via https://rdiffweb-demo.ikus-soft.com/browse/{user-account}/backups/MyWindowsLaptop/C, gives a 403.
4. Accessing the same repository through the other endpoints still works:
https://rdiffweb-demo.ikus-soft.com/settings/{user-account}/backups/MyWindowsLaptop/C
https://rdiffweb-demo.ikus-soft.com/logs/{user-account}/backups/MyWindowsLaptop/C
https://rdiffweb-demo.ikus-soft.com/history/{user-account}/backups/MyWindowsLaptop/C
https://rdiffweb-demo.ikus-soft.com/graphs/activities/{user-account}/backups/MyWindowsLaptop/C
Even though the attacker can't view the repository directly, he can still perform all the functionality that was supposed to be revoked: download, history, edit settings, graphs, logs, etc.
If the attacker's account has Manager privileges he can also delete the repo. The same scenario applies to a Manager account too.
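The root cause described above is that only the browse endpoint re-checks the user's current directory grant while settings, logs, history, graphs and delete do not. The following is an added example (not rdiffweb's own code; all names such as User, has_repo_access, require_access and the route functions are hypothetical, and the repository path is a constructed sample taken from the report) showing the fix pattern: one authorization check, evaluated against the user's current grants on every request, applied to every repository-scoped route, with an access_matrix helper that a regression test can use to confirm that revocation denies all routes and not just browse.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

# Constructed sample repository path, modelled on the report's example.
REPO = "/backups/MyWindowsLaptop/C"


class Forbidden(Exception):
    """Mapped to an HTTP 403 by the web layer (hypothetical)."""


@dataclass
class User:
    name: str
    role: str                                  # "user", "manager" or "admin" (hypothetical roles)
    allowed_roots: Set[str] = field(default_factory=set)   # current directory grants, e.g. {"/"}


def has_repo_access(user: User, repo_path: str) -> bool:
    """Re-evaluate the user's *current* grants on every request; nothing is cached."""
    if user.role == "admin":
        return True
    for root in user.allowed_roots:
        if not root:                           # a root that was blanked out grants nothing
            continue
        prefix = root.rstrip("/") + "/"
        if repo_path == root or repo_path.startswith(prefix):
            return True
    return False


def require_access(action: str, roles=("user", "manager", "admin")):
    """Decorator so that every repository endpoint shares the same check."""
    def decorator(handler: Callable[[User, str], str]):
        def wrapped(user: User, repo_path: str) -> str:
            if user.role not in roles:
                raise Forbidden(f"{action} requires one of {roles}")
            if not has_repo_access(user, repo_path):
                raise Forbidden(f"{user.name} has no access to {repo_path}")
            return handler(user, repo_path)
        wrapped.__name__ = handler.__name__
        return wrapped
    return decorator


# Every repository-scoped route is decorated, not only browse.
@require_access("browse")
def browse(user, repo_path): return f"listing {repo_path}"
@require_access("settings")
def settings(user, repo_path): return f"settings {repo_path}"
@require_access("logs")
def logs(user, repo_path): return f"logs {repo_path}"
@require_access("history")
def history(user, repo_path): return f"history {repo_path}"
@require_access("graphs")
def graphs(user, repo_path): return f"graphs {repo_path}"
@require_access("delete", roles=("manager", "admin"))
def delete(user, repo_path): return f"deleted {repo_path}"

ROUTES: Dict[str, Callable] = {f.__name__: f for f in (browse, settings, logs, history, graphs, delete)}


def access_matrix(user: User, repo_path: str = REPO) -> Dict[str, bool]:
    """Exercise every repository route; True means the route succeeded.
    After a grant is revoked every entry must be False, not just "browse"."""
    result = {}
    for name, handler in ROUTES.items():
        try:
            handler(user, repo_path)
            result[name] = True
        except Forbidden:
            result[name] = False
    return result


if __name__ == "__main__":
    alice = User("alice", "user", {"/"})
    print("granted:", access_matrix(alice))
    alice.allowed_roots = {""}                 # admin blanks the root and revokes access
    print("revoked:", access_matrix(alice))
```

The access_matrix helper is the check a maintainer would keep in the test suite: it makes "revocation applies to every endpoint" a single assertion rather than something each new route has to remember.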
POC: https://docs.google.com/document/d/1b9uMYyL6n6Js0Aw55ehsh9skQdJ1Q3D52Ve3bqTI9_A/
Impact
Unauthorized actions can be performed from the attacker's account even after the permissions have been removed. The attacker can read, access and edit the repository, and in the Manager case he can delete it too.