huntr / ranjit-git / F909555A-6179-4AC9-ADD9-F3021BE0459B
History: Jul 01, 2022 - 6:26 p.m.

User can get document content even after being removed

2022-07-01 18:26:48
ranjit-git
www.huntr.dev
4

Description

An admin can add a member to his personal collection. But if the admin then removes that user from the collection, the user can still see real-time document update content.

Proof of Concept

1. From the admin account, invite user-B with the member role.

2. From the admin account, create a private collection called collect-1.
3. From the admin account, change the permissions of this collection as below:

Default Access --> No access
Additional access --> add user-B here with "view and edit" permission

So user-B is a member of this collection and can see its documents.
4. From the admin account, add a document doc-1 to the newly created collection collect-1.
5. Now user-B can edit this document because he is a member of the collection.
So user-B opens the document URL https://myacc.getoutline.com/doc/dco2-LphFaOA1Ls in a browser window and can edit it.
All real-time collaboration data for this document is delivered over the websocket connection https://collaboration.getoutline.com/collaboration/document.1ad60950-9e50-4316-8cd9-6f4ff49d7f31
That is why this browser window is kept open.

6. Now go to the admin account and remove user-B from this collection.
So now user-B should not be able to access any document in this collection, because user-B is no longer a member and the default access is "No access".

7. Now the admin edits the content of the document doc-1.
This real-time updated content is visible to user-B.
Remember that user-B kept the document URL window from step 5 open.
Any changes the admin makes to the document content are visible in user-B's window from step 5.

Because user-B keeps the browser window open, the real-time collaboration websocket connection stays alive.
Any changes the admin makes to the document are delivered to user-B via the https://collaboration.getoutline.com/collaboration/document.1ad60950-9e50-4316-8cd9-6f4ff49d7f31 websocket connection.

So user-B was removed from the collection, but because user-B kept that browser window open, the collaboration websocket connection is still alive and user-B receives real-time updated data.
I have checked 30 minutes after removing user-B from the collection, and user-B is still receiving data via this websocket.
So user-B can receive real-time collaboration data for a long time after being removed, as long as he keeps the above websocket connection alive.
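As an added example, not Outline's code and not part of this report, the fix pattern the finding calls for, modelled on a small in-memory collaboration hub with a constructed stand-in for the websocket: membership is re-checked on every update broadcast rather than only when the socket opens, and revoking membership closes the user's open sessions. All class, method and identifier names are assumed for illustration; the replay function walks steps 3 to 7 of the report.

```javascript
// Added example, not Outline's own code: a minimal in-memory collaboration hub
// showing the fix pattern for this report: membership is re-checked on every
// update broadcast, not only at websocket open, and revoking it closes open sessions.
class CollaborationHub {
  members = new Map();       // collectionId -> Set(userId); default access: none
  docCollection = new Map(); // documentId -> collectionId
  sessions = [];             // { userId, documentId, socket } per open websocket
  addDocument(documentId, collectionId) { this.docCollection.set(documentId, collectionId); }
  grant(collectionId, userId) {
    if (!this.members.has(collectionId)) this.members.set(collectionId, new Set());
    this.members.get(collectionId).add(userId);
  }
  canView(userId, documentId) { return this.members.get(this.docCollection.get(documentId))?.has(userId) ?? false; }
  // The only check in the vulnerable flow: once, when the socket is opened.
  connect(userId, documentId, socket) {
    if (!this.canView(userId, documentId)) { socket.close(4403, "forbidden"); return false; }
    this.sessions.push({ userId, documentId, socket });
    return true;
  }
  // Fix 1: revoking membership evicts the user's open sessions at once (a tab left open in step 5 gets nothing after step 6).
  revoke(collectionId, userId) {
    this.members.get(collectionId)?.delete(userId);
    this.sessions = this.sessions.filter((s) => {
      const evict = s.userId === userId && this.docCollection.get(s.documentId) === collectionId;
      if (evict) s.socket.close(4403, "access revoked");
      return !evict;
    });
  }
  // Fix 2 (defence in depth): re-authorize each recipient on every update.
  broadcast(documentId, update) {
    const delivered = [];
    for (const s of this.sessions.filter((s) => s.documentId === documentId)) {
      if (!this.canView(s.userId, documentId)) { s.socket.close(4403, "access revoked"); continue; }
      s.socket.send(update); delivered.push(s.userId);
    }
    return delivered;
  }
}
// Constructed stand-in for a websocket connection; records what it was sent.
const fakeSocket = () => ({ received: [], closed: null,
  send(m) { this.received.push(m); }, close(code, reason) { this.closed = { code, reason }; } });
// Replays steps 3 to 7 of the report and returns who received the admin's edit.
function replayReport() {
  const hub = new CollaborationHub();
  hub.addDocument("doc-1", "collect-1"); hub.grant("collect-1", "user-B"); // steps 3-4
  const socketB = fakeSocket();
  hub.connect("user-B", "doc-1", socketB); // step 5: user-B opens doc-1 and keeps the tab open
  hub.revoke("collect-1", "user-B");       // step 6: admin removes user-B from collect-1
  return { delivered: hub.broadcast("doc-1", "admin edit"), socketB }; // step 7: admin edits
}
```

With both fixes in place, replayReport() returns an empty delivery list and socketB is closed with code 4403, so the open tab receives no content after the removal.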