
MUI – MAJOR Security problem with import


Hello,

 

For sure it must be something known, but it must be fixed to avoid some problems.

 

If you have the permission “Run Imports” in a workspace:

- you can modify the items contained in the workspace even if, in the workflow, you are not able to do it manually (“EDIT” button not available and no transition available) but you have the permission “Edit” for this workspace.

- you can modify the items contained in the workspace even if you do not have the “Edit” permission on the workspace.

- you can bypass the lock state on the workflow (update an item locked).

- you can update an item that you cannot see. I don’t want to imagine this situation, but if someone has the permission “Run Imports” and can see only one item in a workspace, he can deduce by himself the “Match On” field (unique ID for the workspace used to run the import), prepare an Excel file with a lot of item numbers (just increment the unique identifier) and add a lot of columns to update the other fields with wrong values. The full database can be corrupted. OK, we need to be careful when we assign this permission, but a security check would be appreciated to avoid problems, intentional or not.

 

Could you please add 3 checks during the import to not bypass some securities?

  • Check on the permissions (edit/view item)
  • Check on the access/edit rights (script to see if you are one of the persons allowed to edit the item at the state where the item is)
  • Check on the workflow restrictions (lock state)

 

Of course, I did the tests without the permissions “Admin Override Workflow Locks” and “Override revision control locks”.

For information, the problem is also on the Classic User Interface.

 

Thanks,
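
The three checks requested above, sketched as a per-row pre-flight gate. This is an added example, not part of the original post and not Autodesk code: the data model, the function names (`authorizeRow`, `preflightImport`) and the abort-on-any-rejection policy are assumptions; only the permission names come from the post.

```javascript
// Constructed sample data: workspace items keyed by the "Match On" unique ID.
// Hypothetical model, not the Fusion Lifecycle API.
const items = new Map([
  ["ITEM-001", { state: "Draft", locked: false, viewers: ["alice", "bob"],
                 editorsByState: { Draft: ["alice"] } }],
  ["ITEM-002", { state: "Released", locked: true, viewers: ["alice"],
                 editorsByState: { Released: ["alice"] } }],
  ["ITEM-003", { state: "Draft", locked: false, viewers: ["carol"],
                 editorsByState: { Draft: ["carol"] } }],
]);

// Decide, for one import row, whether the importing user may update the matched item.
function authorizeRow(user, row, items) {
  const item = items.get(row.matchOn);
  // Missing and invisible items get the same answer, so incrementing the
  // unique ID does not reveal which hidden items exist.
  if (!item || !item.viewers.includes(user.name)) return { ok: false, reason: "not-found" };
  // Check 1: workspace-level "Edit" permission.
  if (!user.permissions.includes("Edit")) return { ok: false, reason: "no-edit-permission" };
  // Check 2: is the user allowed to edit the item in its current state?
  const editors = item.editorsByState[item.state] || [];
  if (!editors.includes(user.name)) return { ok: false, reason: "not-editable-in-state" };
  // Check 3: workflow lock, unless the user holds the override permission.
  if (item.locked && !user.permissions.includes("Admin Override Workflow Locks")) {
    return { ok: false, reason: "workflow-locked" };
  }
  return { ok: true, reason: "allowed" };
}

// Validate every row before anything is written; a single rejected row
// aborts the whole import, so a partly authorized file changes nothing.
function preflightImport(user, rows, items) {
  const rejected = [];
  for (const row of rows) {
    const verdict = user.permissions.includes("Run Imports")
      ? authorizeRow(user, row, items)
      : { ok: false, reason: "no-import-permission" };
    if (!verdict.ok) rejected.push({ matchOn: row.matchOn, reason: verdict.reason });
  }
  return { accepted: rejected.length === 0, rejected };
}
```

The `rejected` list is also the feedback a user would need before running the import: which rows target items that are locked or not editable for them.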

2 Comments
Status changed to: Future Consideration

Hi @PLM-Sylvain.Bailly,

 

I'm moving this to Future Consideration for now, however I can tell you the system is behaving as expected. Importing is editing the data, and while I agree that there could be more points of feedback about the items that are about to be modified, and their state (such as being workflow locked, or other permissions), restricting that would end up in even more granular permissions for the import tool, which I question the value of. The power to import items is definitely something that needs to be given to users carefully, since it allows for the operations you described.

 

We don't have immediate plans on adding these granular controls, however I took note of this feedback to discuss at a future time when we get to some other points of feedback about the Import tool in the context of Modern.

 

Again, we appreciate the feedback.

 

Giliar Perez
Sr. Product Owner - Fusion Lifecycle
Autodesk Canada Co.

 

PLM-Sylvain.Bailly
Collaborator

Hi Giliar,

 

Thank you very much for the feedback. It is really appreciated.
