All questions about EDocman extension

Security issue with document search and view

11 years 9 months ago #18011 by Jérome DUCHEMIN
Security issue with document search and view was created by Jérome DUCHEMIN
There is a problem with document search in eDocman 1.1.0.

I create a category (category4usergroup1) with an access level limited to one user group (usergroup1).

I upload a document in "category4usergroup1" but I don't change the default access level set in the form.

If I do a search with a user that is not a member of "usergroup1", I can find the document in the search results. That's a wrong answer.

The search doesn't check the parent category of the document to calculate the access rights.

The document consultation reproduces the same problem. The access level of the parent category is not verified.

11 years 9 months ago #18012 by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic Re: Security issue with document search and view
Hi

At the moment, the extension doesn't check category access when searching documents via the search function. I can add code to check the categories' access level as well, but it will cause a performance problem.

So the solution is that you set the access level for each individual document when you add/edit a document. Could you please do that?

Tuan

11 years 9 months ago #18014 by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic Re: Security issue with document search and view
If you don't want to change the access property for each document, you can get the file below, unzip it and upload it to the components/com_edocman/models folder. After that, when users search for documents, they can only see the documents that belong to categories which they have access permission for.

Regards,

Tuan
Attachments:


Moderators: Mr. Dam
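
The access rule discussed in this thread, as an added example that is not part of the original posts and is not EDocman's code: a document is listed or opened only when both its own access level and its parent category's access level are among the viewer's view levels. The table layout, level numbers and function names are hypothetical, and the rows are constructed.

```python
import sqlite3

# Constructed, simplified schema (hypothetical; not EDocman's real tables).
SCHEMA = """
CREATE TABLE categories (id INTEGER PRIMARY KEY, title TEXT, access INTEGER);
CREATE TABLE documents  (id INTEGER PRIMARY KEY, title TEXT, access INTEGER,
                         category_id INTEGER REFERENCES categories(id));
-- view level 1 = default, view level 5 = restricted to usergroup1
INSERT INTO categories VALUES (1, 'general', 1), (2, 'category4usergroup1', 5);
INSERT INTO documents VALUES
  (10, 'public report',   1, 1),
  (11, 'internal report', 1, 2),  -- default document level, restricted category
  (12, 'internal plan',   5, 2);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _ph(levels):
    return ",".join("?" * len(levels))  # one bound parameter per view level

def search_document_only(db, term, levels):
    """Behaviour reported in the thread: only the document's own level is checked."""
    sql = (f"SELECT d.title FROM documents d "
           f"WHERE d.title LIKE ? AND d.access IN ({_ph(levels)}) ORDER BY d.id")
    return [r[0] for r in db.execute(sql, [f"%{term}%", *levels])]

def search_with_category(db, term, levels):
    """Document level AND parent category level must both be allowed."""
    ph = _ph(levels)
    sql = (f"SELECT d.title FROM documents d "
           f"JOIN categories c ON c.id = d.category_id WHERE d.title LIKE ? "
           f"AND d.access IN ({ph}) AND c.access IN ({ph}) ORDER BY d.id")
    return [r[0] for r in db.execute(sql, [f"%{term}%", *levels, *levels])]

def can_view(db, doc_id, levels):
    """The same rule applied when a single document is opened."""
    ph = _ph(levels)
    sql = (f"SELECT 1 FROM documents d JOIN categories c ON c.id = d.category_id "
           f"WHERE d.id = ? AND d.access IN ({ph}) AND c.access IN ({ph})")
    return db.execute(sql, [doc_id, *levels, *levels]).fetchone() is not None

if __name__ == "__main__":
    db = open_db()
    print(search_document_only(db, "report", [1]))   # viewer outside usergroup1
    print(search_with_category(db, "report", [1]))
```
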