After copying file upload form, copied files inherit access rights from destination

Found in

EPiServer.Forms 4.27.0

Fixed in

EPiServer.Forms 4.27.1

Created

Jan 14, 2020

Updated

Feb 25, 2020

State

Closed, Fixed and tested


Description

Steps to Reproduce

1) Create a form container with a file upload element.
2) Upload a file using the form. Verify that the file is found under "File upload element block -> Media -> For this block -> Uploaded Files".
3) Verify that the "Uploaded Files" folder has default access rights: Non-inherited, (Administrators: Full access, WebAdmins: Full access).
4) Verify that the file has the default access rights: Inherited (Administrators: Full access, WebAdmins: Full access).
5) Copy the file upload element.
6) Paste the file upload element in the same container.
7) Verify that the "Uploaded Files" folder in the newly pasted file upload element block now has the following access rights: Inherted (Administrators: Full access, WebAdmins: Full access, Everyone: read).
8) Go to the file in the pasted file upload element block: "File upload element block(2) -> Media -> For this block -> Uploaded Files".
9) Verify that the copied file now has the following access rights: Inherted (Administrators: Full access, WebAdmins: Full access, Everyone: read).

Expected
The access right of the copied file is not modified when the file upload element or the form container is copied and pasted.

Actual
The access right is modified.

Please see the attachment for more infomation.

Issue Description

Files, potentially containing sensitive information, have their access rights modified when the file upload element or the form container is copied and pasted. These files are then indexed and available for everyone to find.