Sharepoint Forum


Read-only password protection bypassed by simply overriding file

  Asked By: Krista    Date: Feb 01    Category: Sharepoint    Views: 2854

In a document library in a Portal Server implementation I uploaded an
Excel document that had a password protection, in that only those who
had it could modify the file, the rest could only view it (standard
Excel functionality). The problem was that if the user opened the
document using its link and, after changing the file, chose to save it
to the doc lib, Sharepoint permitted the replacing of the original
file, letting the user effectively bypass the password protection.
Only if the user opened the file with the "Edit in Microsoft Office
Excel" (option of the doc lib item menu), Sharepoint, when saving,
would give the message ("Cannot save as that name. Document was opened
as read only").
All users have edit permissions on the document library but not delete

Steps to reproduce (having a document library and a user with add and
edit item permissions):
1. Create an excel document with read-only password protection.
2. Upload it to the doc lib.
3. Open the file using the link in the item's name column.
4. Notice the document opens without the normal password dialog box,
nevertheless opens in read-only since "Read-Only" appears next to the
document's name.

5. Change any of the document's content
6. Press Save – the Save as dialog box opens (since the document is
7. Save it using the same name.
8. Press ok in the Web File Properties to maintain the same metadata.
9. Voilà, you just bypassed the password protection by overriding the
original file. Now the file has lost its protection; from now on it's no
longer read-only.
10. Go back to the doc lib again and open the file again, the changes
you've made in 5) were saved.

If you open with the "Edit in Microsoft Office Excel" option, Excel
doesn't allow saving it; in step 7) the following message appears:

"Cannot save as that name. Document was opened as read only"

My question is: is this a bug or a feature? Any ideas on a
workaround? The only idea I have is to put that document in another
area with a different set of permissions but that doesn't seem to be an

