[OFBIZ-6605] createQuoteRole, createContentRole, and createRequirementRole allow for adding Roles to a Party without permissions - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: Release Branch 11.04, Release Branch 13.07, Release Branch 14.12, Trunk
Fix Version/s: 14.12.01, 12.04.06, 13.07.03, 16.11.01
Component/s: content, order
Labels:
- security

Description

The following functions automatically add a PartyRole entry if the PartyRole does not exist. This is possible even when the userLogin doesn't have PARTYMGR_UPDATE or PARTYMGR_CREATE.

createQuoteRole
createContentRole
createRequirementRole

Repo:
1) Remove PARTYMGR_UPDATE or PARTYMGR_CREATE permissions from the ORDERENTRY group.
2) Login as DemoRepStore
3) Create a Quote
4) Add a QuoteRole with partyId of DemoRepStore and Role of your choosing.
5) View DemoRepStore roles.

This is a security problem for anyone building component that leverages Role based security.

Attachments

Activity

People

Assignee:: Jacques Le Roux

Reporter:: Forrest Rae

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 04/Sep/15 22:55

Updated:: 13/Sep/15 08:33

Resolved:: 13/Sep/15 08:33