to evaluation queue" wrt public access - sagebionetworks.jira.com"/>
We're updating the issue view to help you get more done. 

"Submit <entity> to evaluation queue" wrt public access

Description

A user reported that they'd like to turn off "Submit File to Challenge" under File Tools.

I will ask about user motivation and add to this ticket, but it occurs to me that this is a general security loophole in the system. If I create an evaluation queue that all authenticated users can submit files to, then I might accidentally gain access to sensitive file data (if a user submits a private file to my evaluation queue).

A couple of possible solutions (brainstorming):
1. Get rid of Submit <Entity> to Challenge from the web UI altogether. (Would need a standard way to submit to an evaluation queue somewhere else, rather than wiki widget based).
2. Remove ability to set the ACL to grant submit access to all authenticated users (or public). This would mitigate the problem, but not completely fix it (since one of your teams might grant you access to evaluation queues).

Environment

None

Status

Assignee

Ljubomir Bradic

Reporter

Jay Hodgson

Labels

None

Validator

Jay Hodgson

Release Version History

None

Priority

Major