Are we confident that documentation and/or logging/audit capabilities are
up to (potential) expectations?

Kind regards,

Pierre Smits
*Proud contributor of* Apache OFBiz <https://ofbiz.apache.org/> since
2008 (without privileges)

*Apache Trafodion <https://trafodion.apache.org>, Vice President*
*Apache Directory <https://directory.apache.org>, PMC Member*
Apache Incubator <https://incubator.apache.org>, committer
Apache Steve <https://steve.apache.org>, committer


On Fri, Feb 28, 2020 at 9:15 AM Gil Portenseigne <
gil.portensei...@nereide.fr> wrote:

> You understand correctly, and moreover a specific permission must be
> granted to allow the user to impersonate another one. And we even added
> another security to not allow impersonating a user with more permission
> than ourselves.
>
> When we contributed the feature, it was discussed, and improved
> regarding the concerns that were expressed. And I'm glad that was done
> this way (improvement through discussion).
>
> Gil
>
> On Fri, Feb 28, 2020 at 09:01:30AM +0100, Michael Brohl wrote:
> > *creating a new thread to leave the vote thread untouched*
> >
> >
> > In my understanding from the previous threads about the impersonation
> > features, it is disabled by default and must be enabled explicitly.
> >
> > Using this feature and dealing with the consequences is up to the user
> > then.
> > So I see no valid concern to have this feature in the codebase.
> >
> > Am I missing something?
> >
> > Michael Brohl
> >
> > ecomify GmbH - www.ecomify.de
> >
> > On 28.02.20 at 08:49, Gil Portenseigne wrote:
> > > Hello Pierre,
> > >
> > > If you are talking about impersonation feature, that is not in the
> > > 17.12 branch.
> > >
> > > In either way, administrative tools, if we got access to it, allow what
> > > you are saying. But there is no security issue that grants these
> > > privileges we are aware of. If you do, please share it with the security
> > > list.
> > >
> > > I'm open to discussing the "criminal" aspect of the impersonation
> > > feature, but not on this thread.
> > >
> > > Gil
> > >
> > > On Fri, Feb 28, 2020 at 02:54:01AM +0100, Pierre Smits wrote:
> > > > -1
> > > >
> > > > As this release contains software elements that will enable criminal
> > > > parties to gain access to the implemented OFBiz system of a user (a
> > > > business organisation) and impersonate valid users with the intent
> > > > to bring harm to the aforementioned business organisation through
> > > > transactions registered by the impersonated valid user.
> > > >
> > > > Kind regards,
> > > >
> > > > Pierre Smits
> >
>
>
>
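To make the control Gil describes concrete (feature off by default, a dedicated permission to impersonate, no impersonating a user who holds permissions you lack) and the logging/audit question raised above, here is an added illustrative model. It is not Apache OFBiz code and uses no OFBiz API; the permission name `IMPERSONATE_USER` and the user/permission shapes are assumptions.

```python
"""Illustrative model of an impersonation policy (not OFBiz code).

Rules modelled, as described in the thread:
  1. impersonation is disabled by default and must be enabled explicitly;
  2. the acting user needs a dedicated permission to impersonate at all;
  3. the target must not hold any permission the acting user lacks
     (no privilege gain through impersonation);
  4. every attempt, allowed or denied, produces an audit record.
"""
from __future__ import annotations
from dataclasses import dataclass, field

IMPERSONATE_PERMISSION = "IMPERSONATE_USER"  # assumed name, not an OFBiz constant


@dataclass(frozen=True)
class User:
    login: str
    permissions: frozenset


@dataclass
class ImpersonationPolicy:
    enabled: bool = False                      # off by default
    audit_log: list = field(default_factory=list)

    def check(self, actor: User, target: User) -> tuple[bool, str]:
        """Return (allowed, reason) and always append an audit record."""
        if not self.enabled:
            verdict = (False, "impersonation feature disabled")
        elif IMPERSONATE_PERMISSION not in actor.permissions:
            verdict = (False, f"{actor.login} lacks {IMPERSONATE_PERMISSION}")
        elif extra := target.permissions - actor.permissions:
            # Target holds permissions the actor does not: deny to prevent escalation.
            verdict = (False, f"target holds extra permissions: {sorted(extra)}")
        else:
            verdict = (True, "allowed")
        self.audit_log.append({
            "actor": actor.login, "target": target.login,
            "allowed": verdict[0], "reason": verdict[1],
        })
        return verdict


# Constructed sample users for a stand-alone run.
ADMIN = User("admin", frozenset({IMPERSONATE_PERMISSION, "ORDER_VIEW", "ORDER_ADMIN"}))
CLERK = User("clerk", frozenset({"ORDER_VIEW"}))

if __name__ == "__main__":
    policy = ImpersonationPolicy(enabled=True)
    print(policy.check(ADMIN, CLERK))   # allowed: clerk's permissions are a subset
    print(policy.check(CLERK, ADMIN))   # denied: clerk lacks the impersonate permission
    print(policy.audit_log)
```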
