to evaluation queue" wrt public access - sagebionetworks.jira.com"/>
A user reported that they'd like to turn off "Submit File to Challenge" under File Tools.
I will ask about user motivation and add to this ticket, but it occurs to me that this is a general security loophole in the system. If I create an evaluation queue that all authenticated users can submit files to, then I might accidentally gain access to sensitive file data (if a user submits a private file to my evaluation queue).
A couple of possible solutions (brainstorming):
1. Get rid of Submit <Entity> to Challenge from the web UI altogether. (Would need a standard way to submit to an evaluation queue somewhere else, rather than wiki widget based).
2. Remove ability to set the ACL to grant submit access to all authenticated users (or public). This would mitigate the problem, but not completely fix it (since one of your teams might grant you access to evaluation queues).