External users are able to access ViewAllNotesPage to see the files uploaded to records that they don't have access to.
Last updated 2020-01-04 · Reference W-6464337 · Reported By 2 users
An external community user is able to access ViewAllNotesPage to see the files uploaded to records that they don't have access to.
1) Make sure this setting under Salesforce Files Settings is checked: "Files uploaded to the Attachments related list on records are uploaded as Salesforce Files, not as attachments".
2) Create one custom object and add 'Notes & Attachments' to the page layout.
3) Create two customer community users and give them read/create/edit access to the custom object created in step 1.
4) Create a VF+tab community, expose the custom object created in step 1, and add the community users created in step 2 as members.
5) In the org sharing settings, set 'Private' for the custom object under Default External Access.
6) Log in to the community as community user A, create a custom object record, and upload some files under the 'Notes & Attachments' related list.
7) Click the 'View All' button on the 'Notes & Attachments' related list to go to ViewAllNotesPage. The URL should look something like 'http:<communityURL>/ui/content/ViewAllNotesPage?id=a00xx0000004Gw5'.
8) Log out as community user A and log in as community user B.
9) Access the record created in step 6 by community user A and observe that it returns an Insufficient Privileges error.
10) Access ViewAllNotesPage by entering the URL from step 7 directly and observe that ViewAllNotesPage shows the list of files uploaded to the record.
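A way to check request logs for the behaviour in steps 9 and 10, as an added example that is not Salesforce code: it flags ViewAllNotesPage requests whose id parameter names a record the requesting user cannot read. The log rows, user names, host name, the "AAA" id suffix and the can_read lookup are constructed assumptions; only the page path and the sample record id come from the steps above.

```python
from urllib.parse import urlsplit, parse_qs

PAGE = "/ui/content/ViewAllNotesPage"

def record_id(url):
    """Return the 15-character record id a ViewAllNotesPage URL asks for, else None."""
    parts = urlsplit(url)
    # A community may serve the page under a path prefix, so match the suffix.
    if not parts.path.endswith(PAGE):
        return None
    ids = parse_qs(parts.query).get("id")
    if not ids or len(ids[0]) not in (15, 18):
        return None
    # The 18-character form is the 15-character id plus a 3-character suffix,
    # so both forms are compared on their first 15 characters.
    return ids[0][:15]

def flag_unshared_views(requests, can_read):
    """Return (user, record) pairs for page views made without read access.

    requests: iterable of (user_id, url) pairs taken from request logs.
    can_read: set of (user_id, 15-char record id) pairs, a stand-in for a
              per-user record-access lookup (assumption, not a real API).
    """
    findings = []
    for user, url in requests:
        rid = record_id(url)
        if rid is not None and (user, rid) not in can_read:
            findings.append((user, rid))
    return findings

# Constructed sample data: user A owns the record, user B has no access to it.
RECORD = "a00xx0000004Gw5"
CAN_READ = {("userA", RECORD)}
REQUESTS = [
    ("userA", "https://community.example/ui/content/ViewAllNotesPage?id=a00xx0000004Gw5"),
    ("userB", "https://community.example/ui/content/ViewAllNotesPage?id=a00xx0000004Gw5"),
    ("userB", "https://community.example/portal/ui/content/ViewAllNotesPage?id=a00xx0000004Gw5AAA"),
    ("userB", "https://community.example/a00xx0000004Gw5"),  # record page, not the notes page
]

if __name__ == "__main__":
    for user, rid in flag_unshared_views(REQUESTS, CAN_READ):
        print(f"{user} requested the notes/files list of {rid} without record access")
```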