Currently, all submission data packages are uploaded into a single common directory (/CFDE/data) on the GCS guest collection. After it has been uploaded, the CFDE action provider moves the data package to a DCC-specific subdirectory of /CFDE/public where the DCC personnel have only read access (not read/write).
The problem with the existing situation is that before a data packages is moved from the incoming area, all DCCs have read/write access to it. This is only for a very brief time (while the data package is uploading and maybe for an instant afterward), so it isn't likely to be exploited, but it's unnecessary.
We should reorganize the directory structure to avoid the shared incoming directory. To do this, we should create subdirectories underneath each DCC-specific directory, and use those subdirectories for incoming uploads only for that DCC. The DCC-specific directory should (still) give only read permissions to the DCC, and the incoming subdirectory should give read and write permissions to the DCC.
This will require changes both to cfde-submit (so it knows which directory to upload to, determined by the DCC the upload is for) and to the GCS endpoint directory structure itself.
Currently, all submission data packages are uploaded into a single common directory (/CFDE/data) on the GCS guest collection. After it has been uploaded, the CFDE action provider moves the data package to a DCC-specific subdirectory of /CFDE/public where the DCC personnel have only read access (not read/write).
The problem with the existing situation is that before a data packages is moved from the incoming area, all DCCs have read/write access to it. This is only for a very brief time (while the data package is uploading and maybe for an instant afterward), so it isn't likely to be exploited, but it's unnecessary.
We should reorganize the directory structure to avoid the shared incoming directory. To do this, we should create subdirectories underneath each DCC-specific directory, and use those subdirectories for incoming uploads only for that DCC. The DCC-specific directory should (still) give only read permissions to the DCC, and the incoming subdirectory should give read and write permissions to the DCC.
This will require changes both to
cfde-submit(so it knows which directory to upload to, determined by the DCC the upload is for) and to the GCS endpoint directory structure itself.