Updated by Oliver Günther about 2 years ago
**As** an administrator of OpenProject
**I want to** be able to have my users' uploaded files scanned for viruses
**so that** I am compliant with security protocols
# Acceptance criteria
## Administration
* A new attachment menu item is created
* The previous system settings > Attachments item is being moved to that new item
* A subitem "Quarantined attachments" is being added below this new menu node
* Attachment settings are extended with Antivirus settings
  * A mode to operate the virus scanning
    * Disabled
    * ClamAV (local socket)
    * ClamAV (remote host)
  * When any option other than Disabled is selected, these additional fields are shown
    * Host name or Socket for the ClamAV connection
    * Action to perform for attachments on which viruses have been found
      * **Quarantine:** Show the file once uploaded, but disallow access to it.
      * **Delete:** Delete the file as soon as the virus was found
* Quarantined attachments shows a flat table of all currently quarantined files, restricted to administrators
  * Newly quarantined files show up there
  * Administrators can delete the file or override the virus scanning decision by the system
* Accessing the virus scanning settings page in the Community edition shows an informational banner for upgrading to the Enterprise Edition
## Enabling virus scanning
* When the user first enables virus scanning, a success message is shown
* Users might already have uploaded attachments that are not yet scanned
  * Previously uploaded attachments are scanned in a background job, while they remain accessible as before.
  * If viruses are found in these attachments, they are placed into quarantine or deleted according to the setting.
## Disabling virus scanning
* When the user disables virus scanning, some files might still be in quarantine or in queue for scanning
  * An informational text is shown when disabling virus scanning with remaining quarantined files. The "Quarantined attachments" page remains available even when scanning is disabled, so that actions can still be performed on these files.
  * Attachment scanning will be skipped as soon as the functionality is disabled.
## Scanning of attachments
* After an attachment is uploaded, or after a direct upload (e.g. S3) is finished, a scanning background job is triggered
* If the background job finds a virus, it will perform one of these actions depending on the selected action setting
  * **Quarantine:** Keep the file, but prevent users from downloading it. Show the quarantined file under the attachment administration. A journal entry will be added informing users about the quarantining.
  * **Delete:** Delete the file as soon as the virus was found. A journal entry will be added informing users about the removal.
* The uploaded file is only accessible to the original author until the scan has completed, allowing them to seamlessly use it in e.g. WYSIWYG
* The uploaded files are shown, but are not yet accessible to other users. An error/warning message is returned when the file is not yet downloadable.
* Quarantined files are shown, but not accessible for download. A journal entry/comment is shown when the file has been quarantined or deleted.
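
The scan-and-gate behaviour described in this section, as an added Ruby sketch (not OpenProject's code; `Attachment`, `parse_clamd_reply`, `apply_scan_result` and `downloadable?` are hypothetical names). It assumes clamd's usual `stream: OK` / `stream: <signature> FOUND` reply lines and, as a further assumption the criteria do not cover, leaves a file pending when the scanner returns an error.

```ruby
# Added illustration; not OpenProject code. All names here are hypothetical.
Attachment = Struct.new(:author, :status, :journal, keyword_init: true)

# Map one clamd reply line to a verdict. clamd answers a stream scan with
# "stream: OK" or "stream: <signature> FOUND"; anything else is an error.
def parse_clamd_reply(line)
  case line.delete("\0").strip
  when /\A[^:]*: OK\z/         then [:clean, nil]
  when /\A[^:]*: (.+) FOUND\z/ then [:infected, Regexp.last_match(1)]
  else [:error, nil]
  end
end

# Apply the configured action (:quarantine or :delete) to a scanned attachment.
def apply_scan_result(att, reply, action:)
  verdict, signature = parse_clamd_reply(reply)
  case verdict
  when :clean
    att.status = :clean
  when :infected
    att.status = action == :delete ? :deleted : :quarantined
    att.journal << "Attachment #{att.status}: #{signature} found"
  end
  # Assumption: on :error the attachment stays :pending (fail closed).
  att
end

# Download gate: the author may read a pending file, everyone may read a clean
# one, nobody may download a quarantined or deleted one.
def downloadable?(att, user)
  case att.status
  when :clean   then true
  when :pending then user == att.author
  else false
  end
end

# Constructed sample replies, not captured from a real scanner.
if __FILE__ == $PROGRAM_NAME
  att = Attachment.new(author: "alice", status: :pending, journal: [])
  puts downloadable?(att, "bob")
  apply_scan_result(att, "stream: Win.Test.EICAR_HDB-1 FOUND\0", action: :quarantine)
  puts att.status, att.journal
end
```

Because an unparseable or error reply never moves a file out of `:pending`, a scanner outage keeps uploads restricted to their author instead of releasing them unscanned.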
## Out of scope
* ###52905
* ###52907
* ###52908