Should the getOrderStatus Service be exported?
Locked
Should the getOrderStatus Service be exported?
 
|
Re: Should the getOrderStatus Service be exported?
|
|
+1
I would say it was fine if the service required auth and it then checked if the user had permission to view details about the order but it doesn't seem to do any authorization checks at all. Regards Scott On 15/09/2011, at 2:40 AM, Dimitri Unruh wrote: > Hi everybody, > > at the moment the getOrderStatusservice is defined with export="true". Is > this really necessary? > I would like to close it? > What do you think? > > Viele Grüße > Best Regards > > > Dimitri Unruh > Consultant AEW > Lynx-Consulting GmbH > Johanniskirchplatz 6 > 33615 Bielefeld > Deutschland > Fon: +49 521 5247-0 > Fax: +49 521 5247-250 > Mobil: +49 160 90 57 55 13 > > > Wir laden Sie herzlich ein: > DSAG-Jahreskongress > Datum: 11. - 13. Oktover 2011, Congress Center Leipzig, Halle 2 Stand B01 > > Besuchen Sie uns an unserem Stand und freuen Sie sich auf einen intensiven Informations- und Erfahrungsaustausch rund um das Thema Mobility! > > > Company and Management Headquarters: > Lynx-Consulting GmbH, Johanniskirchplatz 6, 33615 Bielefeld, Deutschland > Fon: +49 521 5247-0, Fax: +49 521 5247-250, www.lynx.de > > Court Registration: Amtsgericht Bielefeld HRB 35946 > Chief Executive Officers: Karsten Noss, Dirk Osterkamp > > > http://www.lynx.de/haftungsausschluss |
smime.p7s (3K)
Re: Should the getOrderStatus Service be exported?
|
|
Re: Should the getOrderStatus Service be exported?
|
|
I would say setting it to false would be the easiest route to closing this hole. If somebody wants the service exported OOTB then they'd need to improve it with authentication and authorization.
Regards Scott On 15/09/2011, at 5:30 PM, Sascha Rodekamp wrote: > +1 > is it better to set the export to false or enable the authorization? > > Am 14.09.2011 um 17:10 schrieb Scott Gray <[hidden email]>: > >> +1 >> >> I would say it was fine if the service required auth and it then checked if the user had permission to view details about the order but it doesn't seem to do any authorization checks at all. >> >> Regards >> Scott >> >> On 15/09/2011, at 2:40 AM, Dimitri Unruh wrote: >> >>> Hi everybody, >>> >>> at the moment the getOrderStatusservice is defined with export="true". Is >>> this really necessary? >>> I would like to close it? >>> What do you think? >>> >>> Viele Grüße >>> Best Regards >>> >>> >>> Dimitri Unruh >>> Consultant AEW >>> Lynx-Consulting GmbH >>> Johanniskirchplatz 6 >>> 33615 Bielefeld >>> Deutschland >>> Fon: +49 521 5247-0 >>> Fax: +49 521 5247-250 >>> Mobil: +49 160 90 57 55 13 >>> >>> >>> Wir laden Sie herzlich ein: >>> DSAG-Jahreskongress >>> Datum: 11. - 13. Oktover 2011, Congress Center Leipzig, Halle 2 Stand B01 >>> >>> Besuchen Sie uns an unserem Stand und freuen Sie sich auf einen intensiven Informations- und Erfahrungsaustausch rund um das Thema Mobility! >>> >>> >>> Company and Management Headquarters: >>> Lynx-Consulting GmbH, Johanniskirchplatz 6, 33615 Bielefeld, Deutschland >>> Fon: +49 521 5247-0, Fax: +49 521 5247-250, www.lynx.de >>> >>> Court Registration: Amtsgericht Bielefeld HRB 35946 >>> Chief Executive Officers: Karsten Noss, Dirk Osterkamp >>> >>> >>> http://www.lynx.de/haftungsausschluss >> |
Re: Should the getOrderStatus Service be exported?
|
|
| Free forum by Nabble | Edit this page |