[manchesterfan]

Hello,

I've started experimenting with this feature:

Links to Input Documents via:
http://wiki.processmaker.com/index.php/ ... _DynaForms

Specifically, identifying a url like this that points to an uploaded resource:
http://<IP-ADDRESS>/sys<WORKSPACE>/<LANG>/<SKIN>/cases/cases_ShowDocument?a=<CASE-DOCUMENT-UID>


I've noticed that when I'm logged out of processmaker, that when I copy and paste a link to a document into a new browser window (for example, if it's a link that is in my email) I can access and download the file without any login credentials being asked.

While someone blindly pinging for a file on a processmaker server via a hash is really improbable, are there are plans to secure these documents? Maybe requiring username/password when attempting to access a file?

I would have thought these files are secured by default. Am i missing something? Perhaps there is some setting/configuration that I or someone else earlier configured that I am not aware of in my processmaker installation?

[amosbatto]

Yes, you are right. This is a major security hole. I have filed a bug report about it, so hopefully it will get fixed soon.

[Apoclada]

I have just tested it in 2.5.1 and 2.5.2, the problem is still there. It is not asking any ID\Pwd to let user download input files from an URL link. Did I missed out any configuration?