Issue 72379 - Autosum reveals protected cell value
Summary: Autosum reveals protected cell value
Alias: None
Product: Calc
Classification: Application
Component: ui (show other issues)
Version: OOo 2.0.4
Hardware: All All
: P3 Trivial (vote)
Target Milestone: ---
Assignee: AOO issues mailing list
QA Contact:
Keywords: oooqa, security
Depends on:
Reported: 2006-12-08 06:06 UTC by pmike
Modified: 2013-02-07 22:40 UTC (History)
2 users (show)

See Also:
Latest Confirmation in: ---
Developer Difficulty: ---

sample sheet (7.42 KB, application/vnd.oasis.opendocument.spreadsheet)
2006-12-08 06:06 UTC, pmike
no flags Details

Note You need to log in before you can comment on or make changes to this issue.
Description pmike 2006-12-08 06:06:26 UTC
In sample document value of cell B3 is protected and hidden
Password is 123
However, if you select B3 and C3, autosum shows value of B3 plus zero - thus
reveals hidden value.
Comment 1 pmike 2006-12-08 06:06:48 UTC
Created attachment 41226 [details]
sample sheet
Comment 2 ace_dent 2006-12-08 23:34:52 UTC
Tested with OOo2.0.4, WinXP PC.
1. Enter '42' into cell A3. Set cell protection to 'Hide All'
2. Select cell C3. Set cell protection to none (default is protected).
3. Set sheet protection on, password 'X'
4. Select cell C3. Press Autosum (or even enter "=A3", any operator will function)
5. Value of 42 revealed.

While this may be seen as a security flaw, it requires the original creator to
disable protection for parts of the sheet (Step 2). This might occur in sheets
with mixed protected content and user editable content. However, the purpose of
this level of security (as I understand it), is only to hide content for
aesthetics and protect content against accidental editing.

What would the desired behavior be? I might hide a number to keep my sheet
looking tidy, but want to present some calculated result that uses that number
to the end-user. It is my feeling that this Protection feature functions as is

Comment 3 oc 2008-07-15 10:43:14 UTC
reassigning features and enhancements to user which
will be the default owner for those tasks (was introduced some time ago)