The situation is that there is a library that a user does not have the right to access, but he can download a file from that library
by constructing the URL if he knows the file path.
For example, there is a library folder "/user-home/libraries/testing_lib_XXX" which someone does not have the access rights to cd into.
But he knows the file name of a file inside that folder, e.g. "/user-home/libraries/testing_lib_XXX/datasets/aaaaaa.csv".
He can download that file by constructing the URL, e.g.:
The system only checks that the user is a Watson Studio user, but does not check that he has access rights to the library.
This is a security vulnerability.
Who would benefit from this IDEA?
All users
How should it work?
The system should check whether the user has access rights to the library when he tries to download a file, not just check that he is a Watson Studio user.
Priority Justification
This is a security vulnerability.
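
The check requested above, as an added example (not part of the original submission and not Watson Studio code): the reported behaviour beside a per-library authorization check. The ACL table, user names, `shared_lib` and all function names are constructed assumptions; only the path layout comes from the report. It goes slightly beyond the report by normalising the path before deciding which library it belongs to.

```python
import posixpath

LIBRARY_ROOT = "/user-home/libraries"  # path prefix taken from the report

# Constructed sample data (assumption): which users may access which library.
LIBRARY_ACL = {
    "testing_lib_XXX": {"alice"},
    "shared_lib": {"alice", "bob"},
}
WATSON_STUDIO_USERS = {"alice", "bob"}


def library_of(path):
    """Return the library name a path resolves to, or None if outside the root."""
    # Normalise first so "../" segments cannot disguise the target library.
    resolved = posixpath.normpath(path)
    prefix = LIBRARY_ROOT + "/"
    if not resolved.startswith(prefix):
        return None
    parts = resolved[len(prefix):].split("/")
    # Need a library name plus at least one path component beneath it.
    return parts[0] if len(parts) >= 2 and parts[0] else None


def may_download_reported(user, path):
    """Behaviour described in the report: only product membership is checked."""
    return user in WATSON_STUDIO_USERS


def may_download_checked(user, path):
    """Requested behaviour: also require access rights to the owning library."""
    if user not in WATSON_STUDIO_USERS:
        return False
    library = library_of(path)
    if library is None:
        return False  # deny by default when the path maps to no library
    return user in LIBRARY_ACL.get(library, set())
```

The decision is made on the normalised path, so the download handler should serve that same normalised path rather than the raw request value.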