Read-only password protection bypassed by simply overriding file, bug or feature?
Hello,
In a document library in a Portal Server implementation I uploaded an Excel document that had a password protection, in that only those who had it could modified the file, the rest could only view it (standard excel funcionality). The problem was that if the user opened the document using its link and, after changing the file, chose to save it to the doc lib, Sharepoint permited the replacing of the original file, letting the user efectively bypass the password protection.
Only if the user opened the file with the “Edit in Microsoft Office Excel” (option of the doc lib item menu), Sharepoint, when saving, would give the message (“Cannot save as that name. Document was opened as read only”).
All users have edit permissions on the document library but not delete permission.
Steps to reproduce (having a document library and a user with add and edit item permissons):
1. Create an excel document with read-only password protection.
2. Upload it to the doc lib.
3. Open the file using the link in the item’s name column.
4. Notice the document opens without the normal password dialog box, nevertheless opens in read-only since “Read-Only” apears next to the document´s name.
5. Change any of the document’s content
6. Press Save – the Save as dialog box opens (since the document is read-only)
7. Save it using the same name.
8. Press ok in the Web File Properties to maintain the same metadata.
9. Voilá, you just bypassed the password protection by overriding the original file. Now the file lost its protection, from now on it’s no longer read-only.
10. Go back to the doc lib again and open the file again, the changes you’ve made in 5) were saved.
If you open with the “Edit in Microsoft Office Excel” option, Excel doesn’t allow to save it, in step 7) the following message appears:
"Cannot save as that name. Document was opened as read only"
My question is that is this a bug or a feature? Any ideas on how a workaround, the only idea I have is to put that document in another area with a diferent set of permissions but that doesn’t seem to be an option…
Environment:
Windows Server SP1
Sharepoint Portal Server 2003 SP1
Office 2003 SP2 (11.8117.8107)
Hope anyone can help! ?
Regards
Hello,
In a document library in a Portal Server implementation I uploaded an Excel document that had a password protection, in that only those who had it could modified the file, the rest could only view it (standard excel funcionality). The problem was that if the user opened the document using its link and, after changing the file, chose to save it to the doc lib, Sharepoint permited the replacing of the original file, letting the user efectively bypass the password protection.
Only if the user opened the file with the “Edit in Microsoft Office Excel” (option of the doc lib item menu), Sharepoint, when saving, would give the message (“Cannot save as that name. Document was opened as read only”).
All users have edit permissions on the document library but not delete permission.
Steps to reproduce (having a document library and a user with add and edit item permissons):
1. Create an excel document with read-only password protection.
2. Upload it to the doc lib.
3. Open the file using the link in the item’s name column.
4. Notice the document opens without the normal password dialog box, nevertheless opens in read-only since “Read-Only” apears next to the document´s name.
5. Change any of the document’s content
6. Press Save – the Save as dialog box opens (since the document is read-only)
7. Save it using the same name.
8. Press ok in the Web File Properties to maintain the same metadata.
9. Voilá, you just bypassed the password protection by overriding the original file. Now the file lost its protection, from now on it’s no longer read-only.
10. Go back to the doc lib again and open the file again, the changes you’ve made in 5) were saved.
If you open with the “Edit in Microsoft Office Excel” option, Excel doesn’t allow to save it, in step 7) the following message appears:
"Cannot save as that name. Document was opened as read only"
My question is that is this a bug or a feature? Any ideas on how a workaround, the only idea I have is to put that document in another area with a diferent set of permissions but that doesn’t seem to be an option…
Environment:
Windows Server SP1
Sharepoint Portal Server 2003 SP1
Office 2003 SP2 (11.8117.8107)
Hope anyone can help! ?
Regards