<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'><div dir='ltr'>
Mike,<BR>
<BR>
Did you check that a call to CL_SWF_RUN_WIM_LOCAL->IF_SWF_RUN_WIM_UTL_INTERNAL~CHECK_AUTHORITY is NOT being executed?<BR>
<BR>
I thought it would always be invoked, regardless of whether a WAPI is invoking the Workflow stuff.<BR>
<BR>
Normally the ABAP OO Exception CX_SWF_RUN_WIM_AUTH_FAILED will be thrown I think.<BR>
<BR>
Mike GT<BR> <BR>
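<DIV>An added example of the kind of explicit check the original poster says he will implement himself; it is not code from this thread or from SAP. It wraps SAP_WAPI_ADM_WORKFLOW_CANCEL in a Z function module that runs an AUTHORITY-CHECK first, so that being able to execute the function module is no longer sufficient on its own to cancel a work item. The authorization object S_WF_WI with fields WF_TASK, WF_WI_TYP and WF_ACTVT, the activity code '06', the header table SWWWIHEAD, the message structure SWR_MESSAG and the WAPI parameter names are assumptions to verify in SU21, SE11 and SE37 on your own release.</DIV>

```abap
" Added example, not from the thread or from SAP: an explicit authorization
" check in front of the WAPI, independent of whatever the WAPI checks itself.
" Assumptions to verify on your release: authorization object S_WF_WI with
" fields WF_TASK / WF_WI_TYP / WF_ACTVT, activity '06', header table
" SWWWIHEAD, message structure SWR_MESSAG, and the WAPI parameter names.
FUNCTION z_wapi_adm_workflow_cancel.
*"----------------------------------------------------------------------
*"*"Local interface:
*"  IMPORTING
*"     VALUE(IV_WORKITEM_ID) TYPE  SWW_WIID
*"     VALUE(IV_DO_COMMIT) TYPE  XFELD DEFAULT 'X'
*"  EXPORTING
*"     VALUE(EV_RETURN_CODE) TYPE  SY-SUBRC
*"  TABLES
*"      ET_MESSAGE_LINES STRUCTURE  SWR_MESSAG
*"  EXCEPTIONS
*"      WORKITEM_NOT_FOUND
*"      NOT_AUTHORIZED
*"----------------------------------------------------------------------
  DATA: ls_head TYPE swwwihead.

  " 1. Resolve the work item to its task and type; fail closed if unknown
  SELECT SINGLE wi_id wi_type wi_rh_task
    FROM swwwihead
    INTO CORRESPONDING FIELDS OF ls_head
    WHERE wi_id = iv_workitem_id.
  IF sy-subrc <> 0.
    RAISE workitem_not_found.
  ENDIF.

  " 2. Explicit check against the calling user (sy-uname) for the task and
  "    work item type of this particular work item
  AUTHORITY-CHECK OBJECT 'S_WF_WI'
    ID 'WF_TASK'   FIELD ls_head-wi_rh_task
    ID 'WF_WI_TYP' FIELD ls_head-wi_type
    ID 'WF_ACTVT'  FIELD '06'.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

  " 3. Only after the check passes, delegate to the standard WAPI
  CALL FUNCTION 'SAP_WAPI_ADM_WORKFLOW_CANCEL'
    EXPORTING
      workitem_id   = iv_workitem_id
      actual_agent  = sy-uname
      language      = sy-langu
      do_commit     = iv_do_commit
    IMPORTING
      return_code   = ev_return_code
    TABLES
      message_lines = et_message_lines.
ENDFUNCTION.
```

<DIV>The wrapper is only useful if custom code calls it instead of the WAPI directly, so a code review for direct SAP_WAPI_ADM_* calls in Z-code is the companion step; the ability to run function modules from SE37 (S_DEVELOP) remains the outer boundary and should be restricted on production systems regardless.</DIV>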
<DIV>
> Date: Tue, 26 Jul 2011 11:46:14 +0100<BR>
> Subject: Have authority checks disappeared from WAPIs?<BR>
> From: wug@workflowconnections.com<BR>
> To: sap-wug@mit.edu<BR>
> <BR>
> G'Day,<BR>
> <BR>
> I'm not sure if I've just noticed this or if it's been this way for a<BR>
> while, or if my memory is deceiving me:<BR>
> <BR>
> Once upon a time the WAPIs used to be a formal wrapper for the equivalent<BR>
> SWF*/SWW* function modules. I think the WAPIs used to do indirect auth<BR>
> checks via these FM calls, however since the FMs can be overridden (e.g. FM<BR>
> SWW_WI_ADMIN_CANCEL has a parameter AUTHORIZATION_CHECKED) I am not too<BR>
> sure and have no 4.6 system handy to check.<BR>
> <BR>
> Nowadays (ECC6) however, the WAPIs use OO methods internally and as far as<BR>
> I have been able to establish there are no auth checks carried out - if a<BR>
> user can execute FM SAP_WAPI_ADM_WORKFLOW_CANCEL by any means then they<BR>
> can cancel a work item. Unfortunately I haven't been able to conclusively<BR>
> test this with a user that has SE37 but no work item admin access, but<BR>
> debugging shows no auth check.<BR>
> <BR>
> Could someone verify I've got this right? Has this changed? Am I just<BR>
> confused?<BR>
> <BR>
> I'm going to implement my own auth checks anyway, but I am very curious as<BR>
> it *may* mean that custom code written pre-ECC could have turned into a<BR>
> security hole post-upgrade.<BR>
> <BR>
> Regards,<BR>
> Mike<BR>
> <BR>
> _______________________________________________<BR>
> SAP-WUG mailing list<BR>
> SAP-WUG@mit.edu<BR>
> http://mailman.mit.edu/mailman/listinfo/sap-wug<BR>
</DIV>
</div></body>
</html>