[ https://issues.apache.org/jira/browse/OFBIZ-6207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14490903#comment-14490903 ]

Deepak Dixit commented on OFBIZ-6207:
-------------------------------------

Hi [~adri...@hlmksw.com],

I think this is a different case. In this case, if any request or quote does not 
belong to the logged-in user, he can still view the request/quote by changing the 
id in the URL. 
If we add a VIEW permission check, the user will still be able to view others' 
requests/quotes as well.

It can't be handled by if-service-permission. 
For order view (ecommerce), the logged-in party id comparison is checked in 
orderstatus.groovy. Only if the logged-in party exists in any order role can the 
user view the order.

We can create a common service to perform the check: only if the order/request/quote 
belongs to the logged-in party can the user view it, else an error message will be displayed.


> Anyone can view any Request or Quote
> ------------------------------------
>
>                 Key: OFBIZ-6207
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6207
>             Project: OFBiz
>          Issue Type: Bug
>          Components: specialpurpose/ecommerce
>    Affects Versions: Trunk, 13.07.01
>            Reporter: Forrest Rae
>            Assignee: Deepak Dixit
>            Priority: Critical
>              Labels: security
>         Attachments: OFBIZ-6207-fourth-attempt.patch
>
>
> This is a security bug in the ecommerce application.  Anyone can view any 
> quote or request in the system regardless of the associated partyId.  They 
> can do this via URL parameter manipulation.
> Reproduction:
> 1) Login to the ecommerce application as DemoCustomer.
> 2) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9000 to view your own request.
> 3) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9001 to view DemoCustAgent's request.
> 4) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9002 to view DemoCustomer2's request.
> Same goes for Quotes, although there are no quotes in the Demo data.  The 
> attached patch fixes this issue.
> Would like this issue backported to release 13.07 please.
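The ownership check proposed in the comment above (request/quote owner compared with the logged-in party, order access via OrderRole membership as in orderstatus.groovy), modelled here as an added example. This is not OFBiz code: the entity and field names mirror OFBiz (CustRequest.fromPartyId, Quote.partyId, OrderRole), but the data is constructed in memory and the function names are hypothetical.

```python
"""Ownership check for ecommerce views, modelled on the fix discussed in
OFBIZ-6207.  Added example, not OFBiz code: entity names mirror OFBiz, the
sample data is constructed and the function names are hypothetical."""

# Constructed sample data shaped like the demo set from the report.
CUST_REQUESTS = {"9000": {"fromPartyId": "DemoCustomer", "subject": "own request"},
                 "9001": {"fromPartyId": "DemoCustAgent", "subject": "agent request"},
                 "9002": {"fromPartyId": "DemoCustomer2", "subject": "other request"}}
QUOTES = {"Q1": {"partyId": "DemoCustomer2", "quoteName": "someone else's quote"}}
# (orderId, partyId, roleTypeId) rows, as OrderRole holds them.
ORDER_ROLES = [("WS10000", "DemoCustomer", "BILL_TO_CUSTOMER"),
               ("WS10000", "DemoCustAgent", "SALES_REP")]


def view_request_unchecked(cust_request_id):
    """The pre-fix behaviour: whatever id arrives in the URL is served."""
    return CUST_REQUESTS.get(cust_request_id)


def owner_party_ids(entity, record_id):
    """Parties allowed to see a record.  Orders use OrderRole membership,
    as orderstatus.groovy does; requests and quotes use their party field."""
    if entity == "CustRequest":
        rec = CUST_REQUESTS.get(record_id)
        return {rec["fromPartyId"]} if rec else set()
    if entity == "Quote":
        rec = QUOTES.get(record_id)
        return {rec["partyId"]} if rec else set()
    if entity == "OrderHeader":
        return {party for order_id, party, _ in ORDER_ROLES if order_id == record_id}
    raise ValueError("unsupported entity: " + entity)


def check_ownership(entity, record_id, logged_in_party_id):
    """The common check the comment proposes: the view proceeds only when the
    logged-in party owns (or holds a role on) the record; otherwise an error
    result is returned and nothing about the record is exposed."""
    if not logged_in_party_id:
        return {"responseMessage": "error", "errorMessage": "Not logged in"}
    if logged_in_party_id not in owner_party_ids(entity, record_id):
        # Same message for 'missing' and 'not yours', so ids cannot be enumerated.
        return {"responseMessage": "error",
                "errorMessage": "%s %s not found for this user" % (entity, record_id)}
    return {"responseMessage": "success", "entity": entity, "id": record_id}
```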



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
