OFBiz / OFBIZ-6605

createQuoteRole, createContentRole, and createRequirementRole allow for adding Roles to a Party without permissions

    Details

      Description

      The following functions automatically add a PartyRole entry if the PartyRole does not exist. This is possible even when the userLogin doesn't have PARTYMGR_UPDATE or PARTYMGR_CREATE.

      createQuoteRole
      createContentRole
      createRequirementRole

      Repro:
      1) Remove PARTYMGR_UPDATE or PARTYMGR_CREATE permissions from the ORDERENTRY group.
      2) Login as DemoRepStore
      3) Create a Quote
      4) Add a QuoteRole with partyId of DemoRepStore and Role of your choosing.
      5) View DemoRepStore roles.

      This is a security problem for anyone building a component that leverages role-based security.
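As an added illustration (not code from the OFBiz project or from this report), the following shows the pattern the description points at next to a hardened variant, written against the org.ofbiz.* service and entity API of the 13.07/14.12 line. The class name, method names, context keys and error text are assumptions; the real createQuoteRole implementation and the committed fix are not reproduced here.

```java
package org.ofbiz.example;

import java.util.Map;

import org.ofbiz.base.util.UtilMisc;
import org.ofbiz.entity.Delegator;
import org.ofbiz.entity.GenericEntityException;
import org.ofbiz.entity.GenericValue;
import org.ofbiz.security.Security;
import org.ofbiz.service.DispatchContext;
import org.ofbiz.service.ServiceUtil;

/**
 * Illustrative service implementations (not OFBiz's own code) for the pattern
 * described in OFBIZ-6605. Class and method names are assumptions; the entity
 * names (PartyRole, QuoteRole) and the PARTYMGR_CREATE / PARTYMGR_UPDATE
 * permissions are the ones the report names.
 */
public class QuoteRoleServices {

    /**
     * Vulnerable pattern: the service silently creates the PartyRole that the
     * QuoteRole depends on. A caller who may edit quotes can therefore place
     * any party into any role without holding a PARTYMGR permission.
     */
    public static Map<String, Object> createQuoteRoleUnchecked(DispatchContext dctx, Map<String, ?> context) {
        Delegator delegator = dctx.getDelegator();
        String quoteId = (String) context.get("quoteId");
        String partyId = (String) context.get("partyId");
        String roleTypeId = (String) context.get("roleTypeId");
        try {
            if (!partyRoleExists(delegator, partyId, roleTypeId)) {
                createPartyRole(delegator, partyId, roleTypeId); // no permission check at all
            }
            createQuoteRole(delegator, quoteId, partyId, roleTypeId);
        } catch (GenericEntityException e) {
            return ServiceUtil.returnError(e.getMessage());
        }
        return ServiceUtil.returnSuccess();
    }

    /**
     * Hardened pattern: adding a PartyRole is a party-management action, so it
     * is only performed when the caller holds PARTYMGR_CREATE or
     * PARTYMGR_UPDATE (hasEntityPermission also accepts PARTYMGR_ADMIN).
     * Callers without that permission can still attach a QuoteRole for a
     * party that already holds the role.
     */
    public static Map<String, Object> createQuoteRoleChecked(DispatchContext dctx, Map<String, ?> context) {
        Delegator delegator = dctx.getDelegator();
        Security security = dctx.getSecurity();
        GenericValue userLogin = (GenericValue) context.get("userLogin");
        String quoteId = (String) context.get("quoteId");
        String partyId = (String) context.get("partyId");
        String roleTypeId = (String) context.get("roleTypeId");
        try {
            if (!partyRoleExists(delegator, partyId, roleTypeId)) {
                boolean mayAddRole = security.hasEntityPermission("PARTYMGR", "_CREATE", userLogin)
                        || security.hasEntityPermission("PARTYMGR", "_UPDATE", userLogin);
                if (!mayAddRole) {
                    return ServiceUtil.returnError("Party " + partyId + " does not hold role " + roleTypeId
                            + " and the current user lacks the PARTYMGR permission needed to add it");
                }
                createPartyRole(delegator, partyId, roleTypeId);
            }
            createQuoteRole(delegator, quoteId, partyId, roleTypeId);
        } catch (GenericEntityException e) {
            return ServiceUtil.returnError(e.getMessage());
        }
        return ServiceUtil.returnSuccess();
    }

    // PartyRole is keyed by (partyId, roleTypeId); a null result means the party lacks the role.
    private static boolean partyRoleExists(Delegator delegator, String partyId, String roleTypeId)
            throws GenericEntityException {
        GenericValue partyRole = delegator.findOne("PartyRole",
                UtilMisc.toMap("partyId", partyId, "roleTypeId", roleTypeId), false);
        return partyRole != null;
    }

    private static void createPartyRole(Delegator delegator, String partyId, String roleTypeId)
            throws GenericEntityException {
        delegator.makeValue("PartyRole", UtilMisc.toMap("partyId", partyId, "roleTypeId", roleTypeId)).create();
    }

    private static void createQuoteRole(Delegator delegator, String quoteId, String partyId, String roleTypeId)
            throws GenericEntityException {
        delegator.makeValue("QuoteRole",
                UtilMisc.toMap("quoteId", quoteId, "partyId", partyId, "roleTypeId", roleTypeId)).create();
    }
}
```

With the checked variant, removing PARTYMGR_UPDATE and PARTYMGR_CREATE from the ORDERENTRY group makes step 4 of the repro fail for DemoRepStore instead of silently adding the role, and step 5 shows no new PartyRole. The same guard belongs in front of the PartyRole bootstrap in createContentRole and createRequirementRole; any other service that creates a PartyRole as a side effect should be reviewed the same way.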

        Activity

        jacques.le.roux Jacques Le Roux added a comment -

        Thanks Forrest,

        I committed a very simple fix in
        trunk r1702704
        R14.12 r1702705
        R13.07 r1702706
        R12.04 r1702707


          People

          Assignee: Jacques Le Roux (jacques.le.roux)
          Reporter: Forrest Rae (fbr@14x.net)
