Project: OFBiz
Issue: OFBIZ-6605

createQuoteRole, createContentRole, and createRequirementRole allow for adding Roles to a Party without permissions


      Description

      The following services automatically add a PartyRole entry if the PartyRole does not already exist. This happens even when the calling userLogin has neither PARTYMGR_UPDATE nor PARTYMGR_CREATE, so the service becomes an unchecked way to grant a party a new role.

      createQuoteRole
      createContentRole
      createRequirementRole

      Repro:
      1) Remove PARTYMGR_UPDATE or PARTYMGR_CREATE permissions from the ORDERENTRY group.
      2) Log in as DemoRepStore.
      3) Create a Quote.
      4) Add a QuoteRole with a partyId of DemoRepStore and a Role of your choosing.
      5) View the roles of DemoRepStore: the chosen role now appears as a PartyRole.

      This is a security problem for anyone building a component that relies on role-based security, because a role granted through this side effect is indistinguishable from one granted deliberately through the party manager.
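To make the gap concrete, here is a small stand-alone model of the pattern the issue describes, written for this page and not taken from OFBiz. An in-memory store stands in for the PartyRole and QuoteRole entities, and the permission strings are matched literally. The vulnerable form of the helper creates the missing PartyRole unconditionally (the behaviour reported above); the hardened form still reuses an existing PartyRole freely but only creates a new one when the caller holds a PARTYMGR permission. The permission ORDERMGR_CREATE, the role id APPROVER and the class and function names are assumptions made for the example; the same gate would apply to createContentRole and createRequirementRole.

```python
"""Model of the implicit PartyRole creation reported in OFBIZ-6605.

Constructed stand-alone model, not OFBiz code.  Sets stand in for the
PartyRole and QuoteRole entities; nothing here touches a database.
"""
from dataclasses import dataclass, field

# Any one of these should be required before a new PartyRole row is created.
PARTY_ROLE_CREATE_PERMS = ("PARTYMGR_ADMIN", "PARTYMGR_CREATE", "PARTYMGR_UPDATE")


class PermissionDenied(Exception):
    """Raised when a caller lacks the permission a side effect requires."""


@dataclass(frozen=True)
class UserLogin:
    user_login_id: str
    permissions: frozenset  # constructed: flat set of permission ids


@dataclass
class PartyStore:
    party_roles: set = field(default_factory=set)   # (partyId, roleTypeId)
    quote_roles: set = field(default_factory=set)   # (quoteId, partyId, roleTypeId)


def has_any_permission(user, perms):
    return any(p in user.permissions for p in perms)


def ensure_party_role(store, user, party_id, role_type_id, hardened):
    """Ensure (party_id, role_type_id) exists in PartyRole.

    hardened=False reproduces the reported behaviour: the row is created
    no matter who is calling.  hardened=True reuses an existing row but
    refuses to create one unless the caller has a PARTYMGR permission.
    Returns True when a PartyRole row was created.
    """
    key = (party_id, role_type_id)
    if key in store.party_roles:
        return False  # already present, nothing is granted
    if hardened and not has_any_permission(user, PARTY_ROLE_CREATE_PERMS):
        raise PermissionDenied(
            f"{user.user_login_id} may not create PartyRole {key}; "
            f"needs one of {PARTY_ROLE_CREATE_PERMS}")
    store.party_roles.add(key)
    return True


def create_quote_role(store, user, quote_id, party_id, role_type_id, hardened=True):
    """Add a QuoteRole, creating the backing PartyRole only if allowed.

    The permission check runs before any row is written, so a denied call
    leaves both entities untouched.  Returns True when a PartyRole row was
    created as a side effect.
    """
    created = ensure_party_role(store, user, party_id, role_type_id, hardened)
    store.quote_roles.add((quote_id, party_id, role_type_id))
    return created


def demo():
    """Run the issue's scenario against both forms and report the outcome."""
    # Constructed sample user: order-entry rights, but no PARTYMGR_* permission.
    rep = UserLogin("DemoRepStore", frozenset({"ORDERMGR_CREATE"}))

    vulnerable = PartyStore()
    create_quote_role(vulnerable, rep, "Q1", "DemoRepStore", "APPROVER", hardened=False)
    leaked = ("DemoRepStore", "APPROVER") in vulnerable.party_roles

    hardened = PartyStore()
    try:
        create_quote_role(hardened, rep, "Q1", "DemoRepStore", "APPROVER")
        denied = False
    except PermissionDenied:
        denied = True
    return leaked, denied, len(hardened.party_roles)


if __name__ == "__main__":
    print(demo())  # expected: (True, True, 0)
```

The point of the split is that the fix gates only the side effect. A user who may legitimately add a QuoteRole for a party that already holds the role is unaffected; only the implicit grant of a role the party never had is pushed behind the same permission the party manager itself requires.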

      People

      Assignee: Jacques Le Roux (jacques.le.roux)
      Reporter: Forrest Rae (fbr@14x.net)