[ https://issues.apache.org/jira/browse/OFBIZ-2729?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12845063#action_12845063 ]
Michele Orru commented on OFBIZ-2729:
-------------------------------------

Hi Jacques,

I'm too busy on multiple different works, but I will take a look at the latest OFBiz trunk and come back with a patch.
Do I have access to your SVN?

:::Michele Orru':::
Network & Security Manager, IntegratingWeb.com
http://www.integratingweb.com

> special security should be required for setting passwords
> ----------------------------------------------------------
>
>                 Key: OFBIZ-2729
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2729
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 4.0, Release Branch 9.04, SVN trunk
>            Reporter: Si Chen
>
> This issue was first brought up here:
> https://sourceforge.net/forum/message.php?msg_id=7496877
> Basically, any user with PARTYMGR_CREATE/UPDATE permissions can set the
> password of another user. This creates an opportunity for malfeasance. For
> example, a customer service rep could set the password of the admin user.
> A simple solution would be to create a new security permission
> PARTYMGR_PASSWD and require that permission for setting or changing the
> password of a different user, instead of using PARTYMGR_UPDATE.
> PARTYMGR_PASSWD could then be associated with the administrative user.
> An alternative is to use the SECURITY_UPDATE permission instead of
> PARTYMGR_UPDATE or a new PARTYMGR_PASSWD permission.
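The authorization rule the quoted issue describes, placed beside the proposed fix, as an added illustration that is not OFBiz code and not part of this issue thread. The permission names (PARTYMGR_UPDATE, PARTYMGR_PASSWD, SECURITY_UPDATE) come from the issue; the sample users, the `User` type, the audit list and the assumption that a user may still change their own password are constructed for the example.

```python
"""Who may set another user's password: the rule reported in OFBIZ-2729
beside the proposed one. Constructed model, not OFBiz code."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Permission names taken from the issue; PARTYMGR_PASSWD is the proposed new one.
PARTYMGR_UPDATE = "PARTYMGR_UPDATE"
PARTYMGR_PASSWD = "PARTYMGR_PASSWD"
SECURITY_UPDATE = "SECURITY_UPDATE"


@dataclass(frozen=True)
class User:
    login: str
    permissions: FrozenSet[str]


# Constructed sample users: a customer-service rep and an administrator.
CSR = User("csr", frozenset({PARTYMGR_UPDATE}))
ADMIN = User("admin", frozenset({PARTYMGR_UPDATE, PARTYMGR_PASSWD, SECURITY_UPDATE}))

# Audit trail of (actor, target, decision); the deny entries are what a
# detection rule would watch for.
AUDIT: List[Tuple[str, str, str]] = []


def _record(actor: User, target_login: str, allowed: bool) -> bool:
    AUDIT.append((actor.login, target_login, "allow" if allowed else "deny"))
    return allowed


def can_set_password_weak(actor: User, target_login: str) -> bool:
    """Rule the issue reports: PARTYMGR_UPDATE alone is enough to set
    any user's password, including the admin's."""
    return _record(actor, target_login, PARTYMGR_UPDATE in actor.permissions)


def can_set_password_hardened(actor: User, target_login: str) -> bool:
    """Proposed rule: setting a *different* user's password requires
    PARTYMGR_PASSWD (or, per the issue's alternative, SECURITY_UPDATE).
    Changing one's own password is assumed to remain allowed; the issue
    does not spell that case out."""
    if actor.login == target_login:
        return _record(actor, target_login, True)
    privileged = PARTYMGR_PASSWD in actor.permissions or SECURITY_UPDATE in actor.permissions
    return _record(actor, target_login, privileged)


def denied_cross_user_attempts() -> List[Tuple[str, str]]:
    """Audit view: denied attempts to set someone else's password."""
    return [(a, t) for a, t, d in AUDIT if d == "deny" and a != t]


if __name__ == "__main__":
    print("weak rule, CSR -> admin:", can_set_password_weak(CSR, "admin"))
    print("hardened rule, CSR -> admin:", can_set_password_hardened(CSR, "admin"))
    print("hardened rule, CSR -> own:", can_set_password_hardened(CSR, "csr"))
    print("hardened rule, admin -> CSR:", can_set_password_hardened(ADMIN, "csr"))
    print("denied cross-user attempts:", denied_cross_user_attempts())
```

The point of keeping the two functions side by side is that the fix is a change in which permission gates the cross-user case, not in the password-setting code itself; the self-change branch is the one assumption the issue leaves open, and the audit list shows why a denied cross-user attempt is worth alerting on.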