Users - Guidance on Security


Users - Guidance on Security

Vinay Agarwal
David, Si, Adrian, and everyone else,

I am still looking for guidance on security implementation.

1. As you have suggested, we can do local fixes to check data integrity. My
only concern is that there may be a number of places that require this fix.

2. Could we modify or expand security check to include the data that will be
used for the operation? It seems to me that may solve some of these issues
from arising in the first place.

Regards,
Vinay Agarwal

 
_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users

Re: Users - Guidance on Security

David E. Jones

I didn't think anything in addition to my last message on this was needed.

The _only_ way you can solve this sort of problem is by checking data in the database to make sure that the current user is really allowed to perform the given operation. There is no way around that and so no way to do any sort of general security blanket, nor any value in obscuring IDs. In cases where data is not being adequately checked to filter out bad operations, it simply needs to be fixed.

Yes, there may very well be various things like this in the ecommerce application (the main area that is written to not require permissions as it is accessed by customers with generic accounts). Any of these that are found should be posted to Jira and then fixed and tracked.

-David


On Feb 13, 2006, at 8:34 AM, Vinay Agarwal wrote:

> David, Si, Adrian, and everyone else,
>
> I am still looking for guidance on security implementation.
>
> 1. As you have suggested, we can do local fixes to check data integrity. My
> only concern is that there may be a number of places that require this fix.
>
> 2. Could we modify or expand security check to include the data that will be
> used for the operation? It seems to me that may solve some of these issues
> from arising in the first place.
>
> Regards,
> Vinay Agarwal
>


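As an added illustration of the point David makes (example code, not OFBiz code and not from anyone in the thread): a constructed in-memory table stands in for the database, the party and payment-method ids are hypothetical, and the operation is the "user updating his own credit card" case Si mentions. The unchecked version trusts the submitted id once somebody is logged in; the checked version loads the stored record and confirms the logged-in party owns it before writing, which is the data check the message describes.

```python
from copy import deepcopy

# Constructed sample table: payment methods keyed by id, each owned by a party.
PAYMENT_METHODS = {
    "PM-1001": {"owner_party_id": "CUST-A", "card_number": "4111********1111"},
    "PM-1002": {"owner_party_id": "CUST-B", "card_number": "5500********0004"},
}

class PermissionDenied(Exception):
    """Raised when the logged-in party may not perform the requested operation."""

def update_card_unchecked(db, current_party_id, payment_method_id, new_number):
    """Only checks that somebody is logged in, then trusts the id from the request.
    With generic customer accounts, any customer can overwrite any other's card."""
    if current_party_id is None:
        raise PermissionDenied("login required")
    db[payment_method_id]["card_number"] = new_number
    return db[payment_method_id]

def update_card_checked(db, current_party_id, payment_method_id, new_number):
    """Loads the record and verifies the logged-in party owns it before writing.
    The authorization decision needs the stored row, not just the submitted id."""
    if current_party_id is None:
        raise PermissionDenied("login required")
    record = db.get(payment_method_id)
    # Same error for 'no such id' and 'not yours', so the response does not
    # confirm which ids exist (obscuring ids adds nothing; the ownership check does).
    if record is None or record["owner_party_id"] != current_party_id:
        raise PermissionDenied("not permitted to modify this payment method")
    record["card_number"] = new_number
    return record

def demo():
    """Returns (cross_write_allowed_by_unchecked, cross_write_blocked_by_checked, own_update_ok)."""
    weak = deepcopy(PAYMENT_METHODS)
    update_card_unchecked(weak, "CUST-A", "PM-1002", "0000")  # CUST-A edits CUST-B's card
    cross_write_allowed = weak["PM-1002"]["card_number"] == "0000"

    strong = deepcopy(PAYMENT_METHODS)
    try:
        update_card_checked(strong, "CUST-A", "PM-1002", "0000")
        cross_write_blocked = False
    except PermissionDenied:
        cross_write_blocked = strong["PM-1002"]["card_number"] != "0000"
    # The owner updating his own card (Si's regression concern) still works.
    update_card_checked(strong, "CUST-B", "PM-1002", "5500********9999")
    own_update_ok = strong["PM-1002"]["card_number"].endswith("9999")
    return cross_write_allowed, cross_write_blocked, own_update_ok
```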

Re: Users - Guidance on Security

Si Chen-2
In reply to this post by Vinay Agarwal
Vinay,

Can you see if the patch from
http://jira.undersunconsulting.com/browse/OFBIZ-738 fixes the problem
you found?  Also, that it doesn't break other functionality (like a user
updating his own credit card)?  If so, I'll commit it.

As for "modify or expand security check to include the data that will be
used for the operation", can you envision a generalized way to fix the
problem?  It seems that the problem you've pointed out is pretty specific
to one particular operation, and I don't see a generalized form of it
yet--but maybe you do?

Thanks,

Si

Vinay Agarwal wrote:

>David, Si, Adrian, and everyone else,
>
>I am still looking for guidance on security implementation.
>
>1. As you have suggested, we can do local fixes to check data integrity. My
>only concern is that there may be a number of places that require this fix.
>
>2. Could we modify or expand security check to include the data that will be
>used for the operation? It seems to me that may solve some of these issues
>from arising in the first place.
>
>Regards,
>Vinay Agarwal
>