[ https://issues.apache.org/jira/browse/OFBIZ-6207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14490903#comment-14490903 ]
Deepak Dixit commented on OFBIZ-6207: ------------------------------------- Hi [~adri...@hlmksw.com], I think this is different case, In this case if any request or quote does not belongs to logged in user then also he can view request/quote by changing the id from url. If we add VIEW permission check then also use can able to view others request/quote as well. It can't be handle by if-service-permission. For order view (ecommerce) logged in party id comparison has been checked in orderstatus.groovy. If logged in party exist in any order role then only user can view the order. We can create common service to perform check if order/request/quote belongs to logged in part then only user can view else error message will be displayed. > Anyone can view any Request or Quote > ------------------------------------ > > Key: OFBIZ-6207 > URL: https://issues.apache.org/jira/browse/OFBIZ-6207 > Project: OFBiz > Issue Type: Bug > Components: specialpurpose/ecommerce > Affects Versions: Trunk, 13.07.01 > Reporter: Forrest Rae > Assignee: Deepak Dixit > Priority: Critical > Labels: security > Attachments: OFBIZ-6207-fourth-attempt.patch > > > This is a security bug in the ecommerce application. Anyone can view any > quote or request in the system regardless of the associated partyId. They > can do this via URL parameter manipulation. > Reproduction: > 1) Login to the ecommerce application as DemoCustomer. > 2) Navigate to > http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9000 > to view your own request. > 3) Navigate to > http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9001 > to view DemoCustAgent's request. > 4) Navigate to > http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9002 > to view DemoCustomer2's request. > Same goes for Quotes, although there are no quotes in the Demo data. The > attach patch fixes this issue. > Would like this issue back ported to release 13.07 please. -- This message was sent by Atlassian JIRA (v6.3.4#6332)