OFBiz OFBiz - Dev

[jira] [Commented] (OFBIZ-6207) Anyone can view any Request or Quote

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Nicolas Malin (Jira)
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (OFBIZ-6207) Anyone can view any Request or Quote

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-6207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14490903#comment-14490903 ]

Deepak Dixit commented on OFBIZ-6207:
-------------------------------------

Hi [~[hidden email]],

I think this is different case, In this case if any request or quote does not belongs to logged in user then also he can view request/quote by changing the id from url.
If we add VIEW permission check then also use can able to view others request/quote as well.

It can't be handle by if-service-permission.
For order view (ecommerce) logged in party id comparison has been checked in orderstatus.groovy. If logged in party exist in any order role then only user can view the order.

We can create common service to perform check if order/request/quote belongs to logged in part then only user can view else error message will be displayed.


> Anyone can view any Request or Quote
> ------------------------------------
>
>                 Key: OFBIZ-6207
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6207
>             Project: OFBiz
>          Issue Type: Bug
>          Components: specialpurpose/ecommerce
>    Affects Versions: Trunk, 13.07.01
>            Reporter: Forrest Rae
>            Assignee: Deepak Dixit
>            Priority: Critical
>              Labels: security
>         Attachments: OFBIZ-6207-fourth-attempt.patch
>
>
> This is a security bug in the ecommerce application.  Anyone can view any quote or request in the system regardless of the associated partyId.  They can do this via URL parameter manipulation.
> Reproduction:
> 1) Login to the ecommerce application as DemoCustomer.
> 2) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9000 to view your own request.
> 3) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9001 to view DemoCustAgent's request.
> 4) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9002 to view DemoCustomer2's request.
> Same goes for Quotes, although there are no quotes in the Demo data.  The attach patch fixes this issue.
> Would like this issue back ported to release 13.07 please.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
Free forum by Nabble Edit this page