### Steps to reproduce
- create a group folder named TEST and share with “admin group” and “test group”, marking the advanced permission flag
- create two folders inside the main share: visible and invisible
- inside “invisible” folder create a test file (let’s say something like “test.txt”)
- set the advanced folder permission to deny everything to “test group” for the “invisible” folder (deny read, deny write, deny share, deny create, deny delete…)
- log in with test user (member of test group). The invisible folder is not shown, you can only see the visible one. That’s great.
- if you try to create a folder named “invisible” you get an error (that’s good too)
- sync the new external share to your PC (in my case win7 with 2.5.2 client). Only the “visible” folder is synced.
- create a folder named “temp” and create inside this new folder a new file (let’s say “test2.txt”). This folder will be synced online
- rename temp to invisible
- the folder gets synced online, overwriting the original “invisible” folder
### Expected behaviour
The sync client should keep denying the synchronization of the “invisible” folder to unauthorized users
### Actual behaviour
The folder is synced, the original one and all its content (that should be inaccessible to test user) are overwritten and lost
### Impact
An “attacker” - that could simply be a user with low privileges - can delete sensitive data that was on purpose hidden from their group.
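
The expected behaviour amounts to applying the deny rule to the destination of a rename as well as to a create. The following toy model is an added example, not part of the original report and not Nextcloud code; it assumes the reported overwrite comes from a rename whose target name is not checked against the ACL, and every class and function name in it is hypothetical.

```python
# Toy in-memory model (added illustration, not Nextcloud code; all names hypothetical).
class Denied(Exception):
    """Raised when an ACL "deny everything" rule covers the path."""

class GroupFolder:
    def __init__(self):
        self.tree = {}       # folder name -> {file name: content}
        self.denied = set()  # (group, folder) pairs with every permission denied

    def deny(self, group, folder):
        self.denied.add((group, folder))

    def _check(self, group, folder):
        if (group, folder) in self.denied:
            raise Denied(f"{group} has no access to {folder}")

    def mkdir(self, group, folder):
        self._check(group, folder)
        self.tree.setdefault(folder, {})

    def put(self, group, folder, name, content):
        self._check(group, folder)
        self.tree[folder][name] = content

    def move(self, group, src, dst, check_destination=True):
        self._check(group, src)
        if check_destination:
            # Same rule mkdir applies: a denied name cannot be a target.
            self._check(group, dst)
        self.tree[dst] = self.tree.pop(src)  # replaces whatever was at dst

def replay(check_destination):
    """Replay the report's steps; return (rename blocked?, files in "invisible")."""
    gf = GroupFolder()
    gf.mkdir("admin group", "visible")
    gf.mkdir("admin group", "invisible")
    gf.put("admin group", "invisible", "test.txt", "sensitive")
    gf.deny("test group", "invisible")
    gf.mkdir("test group", "temp")
    gf.put("test group", "temp", "test2.txt", "filler")
    try:
        gf.move("test group", "temp", "invisible", check_destination)
        blocked = False
    except Denied:
        blocked = True
    return blocked, sorted(gf.tree["invisible"])

if __name__ == "__main__":
    print("destination unchecked:", replay(False))
    print("destination checked:  ", replay(True))
```

With the destination check in place the rename is rejected and `test.txt` survives; without it the model reproduces the loss described under "Actual behaviour".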