Affects Version/s: Release Branch 4.0, Release Branch 09.04, SVN trunk
Fix Version/s: None
This issue was first brought up here: https://sourceforge.net/forum/message.php?msg_id=7496877
Basically, any user with PARTYMGR_CREATE/UPDATE permissions can set the password of another user. This creates an opportunity for malfeasance. For example, a customer service rep could set the password of the admin user.
A simple solution would be to create a new security permission PARTYMGR_PASSWD and require that permission for setting or changing the password of a different user, instead of using PARTYMGR_UPDATE. PARTYMGR_PASSWD could then be associated with the administrative user.
An alternative is to use the SECURITY_UPDATE permission instead of PARTYMGR_UPDATE or a new PARTYMGR_PASSWD permission.
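The following is an added example, not OFBiz code, that models the authorization decision this issue is about: the current rule, where PARTYMGR_CREATE/UPDATE is enough to set any user's password, beside the proposed rule, where changing another user's password requires PARTYMGR_PASSWD (or, per the alternative above, SECURITY_UPDATE). The user table, the permission sets, and the assumption that a user may still change their own password are constructed for illustration; the helper names are hypothetical and not part of OFBiz's Security API.

```python
# Added example (not OFBiz code): models the password-change authorization
# rule described in this issue, before and after the proposed fix.

# Permissions that the proposed fix would accept for changing ANOTHER user's
# password: the new PARTYMGR_PASSWD permission, or SECURITY_UPDATE as the
# alternative suggested in the issue.
PRIVILEGED_PASSWORD_PERMS = {"PARTYMGR_PASSWD", "SECURITY_UPDATE"}

# Constructed user table for the example: each userLoginId maps to the
# permissions that login holds. The CSR holds PARTYMGR_UPDATE because that is
# what day-to-day party maintenance needs.
USERS = {
    "admin":    {"SECURITY_UPDATE", "PARTYMGR_PASSWD", "PARTYMGR_UPDATE", "PARTYMGR_CREATE"},
    "csr":      {"PARTYMGR_UPDATE", "PARTYMGR_CREATE"},
    "customer": set(),
}


def can_set_password_current(actor, target, perms):
    """Current behaviour reported in the issue: holding PARTYMGR_CREATE or
    PARTYMGR_UPDATE is sufficient to set any user's password, including
    the admin's. The target is ignored entirely."""
    return "PARTYMGR_CREATE" in perms or "PARTYMGR_UPDATE" in perms


def can_set_password_proposed(actor, target, perms,
                              required=PRIVILEGED_PASSWORD_PERMS):
    """Proposed behaviour: a user may still change their own password
    (assumption for this example), but changing a DIFFERENT user's password
    requires one of the privileged permissions. PARTYMGR_UPDATE alone no
    longer suffices, so the CSR -> admin escalation path is closed."""
    if actor == target:
        return True
    return bool(perms & required)


def users_who_can_reset(target, users, rule):
    """Audit helper: list every login that could set `target`'s password
    under the given rule. Useful for reviewing who can take over a
    privileged account before and after the permission change."""
    return sorted(uid for uid, perms in users.items() if rule(uid, target, perms))


if __name__ == "__main__":
    for name, rule in (("current", can_set_password_current),
                       ("proposed", can_set_password_proposed)):
        print(f"{name:8s}: can reset admin -> {users_who_can_reset('admin', USERS, rule)}")
```

Running the block prints, under the current rule, that both `admin` and `csr` can reset the admin password, and under the proposed rule only `admin` can; the CSR keeps the ability to change their own password, which is the behaviour the issue wants to preserve while removing the escalation path.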