Bug 94697 - Password protected section editable from content.xml; potential missing documentation pointing out that this is not a security feature
Summary: Password protected section editable from content.xml; potential missing docum...
Status: RESOLVED WORKSFORME
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer (show other bugs)
Version:
(earliest affected)
3.6.7.2 release
Hardware: x86-64 (AMD64) All
: medium normal
Assignee: Not Assigned
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: Password-Protected Help-Link
  Show dependency treegraph
 
Reported: 2015-10-02 13:07 UTC by michele
Modified: 2021-06-08 11:25 UTC (History)
4 users (show)

See Also:
Crash report or crash signature:
Regression By:


Attachments
File with password protected section (9.88 KB, application/vnd.oasis.opendocument.text)
2015-10-02 13:07 UTC, michele
Details

Note You need to log in before you can comment on or make changes to this bug.
Description michele 2015-10-02 13:07:00 UTC
Created attachment 119200 [details]
File with password protected section

Problem description:
When a password protected section is created this is manually editable from the content.xml file.

Steps to reproduce the issue:

-Create a password protected section in Writer.
-Save the file.
-Rename the file .zip
-Open the archive and edit the file content.xml
-insert or modify the "password protected text" between the tags: <text:p text:style-name="P2"> password protected text </text:p>

Note: Is also possible to deactivate the protection changing the value text:protected="true" to text:protected="false" 

Current behaviour:
You can visualise and modify the password protected section from  content.xml file.    

Expected behaviour:
Text editor visualise password protected section hash.

Verified on:
Version: 4.2.8.2
Build ID: 420m0(Build:2)
OS: Ubuntu 14.04.3 LTS 
Arch:X86_64

Version: 5.0.1.2
Build ID: 81898c9f5c0d43f3473ba111d7b351050be20261
OS: Ubuntu 14.04.3 LTS 
Arch:X86_64
Comment 1 Marina Latini (SUSE) 2015-10-02 13:29:06 UTC
Confirmed on:

* Version: 3.6.7.2
* Build ID: e183d5b
* OS: Ubuntu 14.04.3 LTS
* Arch: x86_64


* Version: 5.1.0.0.alpha1+
* Build ID: 6e8e898acb9f6825104f01d090f447e8dfc7e4a2
* TinderBox: Linux-rpm_deb-x86_64@70-TDF, Branch:master, Time: 2015-10-01_05:44:30
* Locale: it-IT (it_IT.UTF-8)
* OS: Ubuntu 14.04.3 LTS
* Arch: x86_64

-----------------------
Set version to: 3.6.7.2
-----------------------
Comment 2 Regina Henschel 2015-10-02 14:00:51 UTC
The help says, "This protection is not intended to be a secure protection. It is just a switch to protect the section against accidental changes."

Therefore I think, it is not a bug, but the intended behavior.
Comment 3 Marina Latini (SUSE) 2015-10-02 14:52:52 UTC
(In reply to Regina Henschel from comment #2)
> The help says, "This protection is not intended to be a secure protection.
> It is just a switch to protect the section against accidental changes."

The online help of the 5.1 version says:
"Protected
Prevents the selected section from being edited.

With password
Protects the selected section with a password. The password must have a minimum of 5 characters."

see: https://help.libreoffice.org/index.php?title=Writer/Section&Language=en-US&System=UNIX&Version=5.1#bm_id8467970

There's a similar description on the user guide (Chapter 4 - Formatting Pages).
Comment 4 Regina Henschel 2015-10-02 15:00:00 UTC
https://help.libreoffice.org/Writer/Protecting_Content_in_Writer

With a large exclamation mark
Comment 5 Marina Latini (SUSE) 2015-10-02 15:30:59 UTC
(In reply to Regina Henschel from comment #4)
> https://help.libreoffice.org/Writer/Protecting_Content_in_Writer
> 
> With a large exclamation mark

Ok, thank you. 
We should update the help page and the user guide too. 
In that page there's these clear description but in the help page of the dialog the information is missing.

Best,
Marina
Comment 6 Cor Nouws 2015-10-02 18:59:38 UTC
What to think of .. Options > Writer > Formatting aids > Protected areas ... "Ignore protection" :)

 NB - Only works if "Enable cursor" is checked too.
 NB2 - No notes in release notes 4.4 and 5.0, so  ??
Hmm Miklos ;) https://bugs.documentfoundation.org/show_bug.cgi?id=90362
Comment 7 QA Administrators 2016-11-08 10:30:35 UTC Comment hidden (obsolete)
Comment 8 Thomas Lendo 2018-04-09 21:50:46 UTC
Is there any work to do in help pages?

In https://help.libreoffice.org/latest/en-US/text/swriter/guide/protection.html?&DbPAR=WRITER&System=WIN it's clear with "Protection is not intended to be an information security protection, it is a switch to prevent accidental changes." and in the "Insert Section" dialog window it's correctly named "Write protection".

Only at https://help.libreoffice.org/latest/en-US/text/swriter/01/04020100.html?&DbPAR=WRITER&System=WIN there is room for improvement (maybe with the identical note as in the other help page).

An issue I found is that clicking at the Help button in the "Insert Section" dialog isn't loading the correct help page but the start help page.
Comment 9 QA Administrators 2019-09-30 02:51:39 UTC
Dear michele,

To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year.

There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present.

If you have time, please do the following:

Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/

If the bug is present, please leave a comment that includes the information from Help - About LibreOffice.
 
If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice.

Please DO NOT

Update the version field
Reply via email (please reply directly on the bug tracker)
Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not 
appropriate in this case)


If you want to do more to help you can test to see if your issue is a REGRESSION. To do so:
1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from http://downloadarchive.documentfoundation.org/libreoffice/old/

2. Test your bug
3. Leave a comment with your results.
4a. If the bug was present with 3.3 - set version to 'inherited from OOo';
4b. If the bug was not present in 3.3 - add 'regression' to keyword


Feel free to come ask questions or to say hello in our QA chat: https://kiwiirc.com/nextclient/irc.freenode.net/#libreoffice-qa

Thank you for helping us make LibreOffice even better for everyone!

Warm Regards,
QA Team

MassPing-UntouchedBug