Are we confident that documentation and/or logging/audit capabilities are up to (potential) expectations?
Kind regards,

Pierre Smits

Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since 2008 (without privileges)
Apache Trafodion <https://trafodion.apache.org>, Vice President
Apache Directory <https://directory.apache.org>, PMC Member
Apache Incubator <https://incubator.apache.org>, committer
Apache Steve <https://steve.apache.org>, committer

On Fri, Feb 28, 2020 at 9:15 AM Gil Portenseigne <gil.portensei...@nereide.fr> wrote:
> You understand correctly, and moreover a specific permission must be
> granted to allow the user to impersonate another one. And we even added
> another security to not allow impersonating a user with more permission
> than ourselves.
>
> When we contributed the feature, it was discussed, and improved
> regarding the concerns that were expressed. And I'm glad that was done
> this way (improvement through discussion).
>
> Gil
>
> On Fri, Feb 28, 2020 at 09:01:30AM +0100, Michael Brohl wrote:
> > *creating a new thread to leave the vote thread untouched*
> >
> > In my understanding from the previous threads about the impersonation
> > features, it is disabled by default and must be enabled explicitly.
> >
> > Using this feature and dealing with the consequences is up to the user then.
> > So I see no valid concern to have this feature in the codebase.
> >
> > Am I missing something?
> >
> > Michael Brohl
> >
> > ecomify GmbH - www.ecomify.de
> >
> > On 28.02.20 at 08:49, Gil Portenseigne wrote:
> > > Hello Pierre,
> > >
> > > If you are talking about the impersonation feature, that is not in the 17.12
> > > branch.
> > >
> > > In either way, administrative tools, if we got access to them, allow what
> > > you are saying. But there is no security issue that grants these
> > > privileges that we are aware of. If you do, please share it with the security list.
> > >
> > > I'm open to discussing the "criminal" aspect of the impersonation
> > > feature, but not on this thread.
> > >
> > > Gil
> > >
> > > On Fri, Feb 28, 2020 at 02:54:01AM +0100, Pierre Smits wrote:
> > > > -1
> > > >
> > > > As this release contains software elements that will enable criminal
> > > > parties to gain access to the implemented OFBiz system of a user (a
> > > > business organisation) and impersonate valid users with the intent to bring
> > > > harm to the aforementioned business organisation through transactions
> > > > registered by the impersonated valid user.
> > > >
> > > > Kind regards,
> > > >
> > > > Pierre Smits
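The safeguards Gil describes in the quoted thread (the feature is off by default, a dedicated permission is required, and the target may not hold more permissions than the impersonator), plus the audit trail Pierre asks about at the top, sketched as an added illustration. This is not OFBiz's code: the policy class, the permission name `IMPERSONATE_USER` and the audit record format are all assumptions made for the example.

```python
"""Illustration of an impersonation authorization check with an audit record.

Added example, not OFBiz's implementation: the feature flag, the permission
name and the audit record format are assumptions.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Assumed name of the dedicated permission that allows impersonation at all.
IMPERSONATE_PERMISSION = "IMPERSONATE_USER"


@dataclass(frozen=True)
class User:
    login_id: str
    permissions: FrozenSet[str]


@dataclass
class ImpersonationPolicy:
    # Disabled by default, as described in the thread; must be enabled explicitly.
    enabled: bool = False
    audit_log: List[str] = field(default_factory=list)

    def check(self, actor: User, target: User) -> bool:
        """Return True only if actor may impersonate target; record every decision."""
        reason = self._deny_reason(actor, target)
        outcome = "ALLOW" if reason is None else "DENY:" + reason
        self.audit_log.append(
            f"impersonate actor={actor.login_id} target={target.login_id} result={outcome}"
        )
        return reason is None

    def _deny_reason(self, actor: User, target: User) -> Optional[str]:
        if not self.enabled:
            return "feature_disabled"
        if IMPERSONATE_PERMISSION not in actor.permissions:
            return "missing_permission"
        # Privilege ceiling: the target must not hold any permission the actor
        # lacks, so impersonation cannot be used to gain additional rights.
        extra = target.permissions - actor.permissions
        if extra:
            return "target_has_more_permissions:" + ",".join(sorted(extra))
        return None
```

Every call to `check` appends one line to `audit_log`, so denied attempts are recorded with their reason, not only the successful switches.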