Details
Description
The following functions automatically add a PartyRole entry if the PartyRole does not exist. This is possible even when the userLogin doesn't have PARTYMGR_UPDATE or PARTYMGR_CREATE.
createQuoteRole
createContentRole
createRequirementRole
Repo:
1) Remove PARTYMGR_UPDATE or PARTYMGR_CREATE permissions from the ORDERENTRY group.
2) Login as DemoRepStore
3) Create a Quote
4) Add a QuoteRole with partyId of DemoRepStore and Role of your choosing.
5) View DemoRepStore roles.
This is a security problem for anyone building component that leverages Role based security.