2017-SV3 Delete Script

affects OMERO versions 5.2.7 and earlier

back to Advisories


Users even without permission could still delete official scripts even though they got an error when they tried.


The ordering of statements in the script service was such that the underlying file on the filesystem could be removed before model object permissions on the original file were checked. The fix was to move some code forward from the light admin work that adds extra permissions checking to the script service so that a "have I permission to delete this OriginalFile?" check is made before launching into anything that touches the filesystem.

Affected Packages

OMERO.server up to and including 5.2.7.


All scripts could be removed.




All OMERO.servers should be upgraded to at least 5.2.8.

back to top