OFBiz › OFBiz - User

Users - Guidance on Security

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

3 messages Options

Vinay Agarwal

Users - Guidance on Security

David, Si, Adrian, and everyone else,

I am still looking for guidance on security implementation.

1. As you have suggested, we can do local fixes to check data integrity. My
only concern is that there may be a number of places that require this fix.

2. Could we modify or expand security check to include the data that will be
used for the operation? It seems to me that may solve some of these issues
from arising in the first place.

Regards,
Vinay Agarwal

_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users

David E. Jones

Re: Users - Guidance on Security

I didn't think anything in addition to my last message on this was
needed.

The _only_ was you can solve this sort of problem is by checking data
in the database to make sure that the current user is really allowed
to preform the given operation. There is no way around that and so no
way to do any sort of general security blanket, nor any value in
obscuring IDs. In cases where data is not being adequately checked to
filter out bad operations, it simply needs to be fixed.

Yes, there may very well be various things like this in the ecommerce
application (the main area that is written to not require permissions
as it is accessed by customers with generic accounts). Any of these
that are found should be posted to Jira and then fixed and tracked.

-David

On Feb 13, 2006, at 8:34 AM, Vinay Agarwal wrote:

> David, Si, Adrian, and everyone else,
>
> I am still looking for guidance on security implementation.
>
> 1. As you have suggested, we can do local fixes to check data
> integrity. My
> only concern is that there may be a number of places that require
> this fix.
>
> 2. Could we modify or expand security check to include the data
> that will be
> used for the operation? It seems to me that may solve some of these
> issues
> from arising in the first place.
>
> Regards,
> Vinay Agarwal
>
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.ofbiz.org/mailman/listinfo/users

_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users

smime.p7s (3K) Download Attachment

Si Chen-2

Re: Users - Guidance on Security

In reply to this post by Vinay Agarwal

Vinay,

Can you see if the patch from
http://jira.undersunconsulting.com/browse/OFBIZ-738 fixes the problem
you found? Also, that it doesn't break other functionality (like a user
updating his own credit card)? If so, I'll commit it.

As for "modify or expand security check to include the data that will be
used for the operation", can you envision a generalized way to fix the
problem? It seems that the problem you've pointed is pretty specific
for one particular operation, and I don't see a generalized form of it
yet--but maybe you do?

Thanks,

Si

Vinay Agarwal wrote:

>David, Si, Adrian, and everyone else,
>
>I am still looking for guidance on security implementation.
>
>1. As you have suggested, we can do local fixes to check data integrity. My
>only concern is that there may be a number of places that require this fix.
>
>2. Could we modify or expand security check to include the data that will be
>used for the operation? It seems to me that may solve some of these issues
>from arising in the first place.
>
>Regards,
>Vinay Agarwal
>
>
>_______________________________________________
>Users mailing list
>[hidden email]
>http://lists.ofbiz.org/mailman/listinfo/users
>
>
>

_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users