<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'><div dir='ltr'>
Mike,<BR>
<BR>
That seems to ring a bell from when we upgraded to ECC 6 now that you mention it.<BR>
<BR>
Maybe somebody intended to enhance Method CL_SWF_UTL_WAPI_FRAMEWORK->IS_REQUEST_ALLOWED or amend the values in the S_RESTRICTED_METHODS in the Private Attribute on the Class to be mindful of authorisation but never got around to it?<BR>
<BR>
Mike GT<BR> <BR>
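An added example, not from the thread and not SAP's own code, of what "implement my own auth checks" looks like in practice: a small report that refuses to call SAP_WAPI_ADM_WORKFLOW_CANCEL unless an explicit AUTHORITY-CHECK passes first, since the WAPI performs none of its own. The authorization object Z_WF_ADM and its ACTVT field are assumed placeholders for whatever object your role concept actually grants to workflow administrators; the parameter names on the WAPI call are as I recall them from SE37 and should be checked against your release.<BR>

```abal
*&---------------------------------------------------------------------*
*& Report ZWF_CANCEL_WI_CHECKED
*& Added example (not from the SAP-WUG thread, not SAP code): gate the
*& WAPI cancel behind an explicit authority check, because the WAPI
*& itself does not perform one.
*&---------------------------------------------------------------------*
REPORT zwf_cancel_wi_checked.

PARAMETERS: p_wiid TYPE sww_wiid OBLIGATORY.   " work item to cancel

START-OF-SELECTION.
  PERFORM check_admin_auth.
  PERFORM cancel_workitem USING p_wiid.

*---------------------------------------------------------------------*
* Assumption: customer authorization object Z_WF_ADM with field ACTVT,
* assigned only to the workflow admin role. Replace with the object
* your security concept uses (see SU21). Do the check here, in your
* own code, since SAP_WAPI_ADM_WORKFLOW_CANCEL will not do it for you.
*---------------------------------------------------------------------*
FORM check_admin_auth.
  AUTHORITY-CHECK OBJECT 'Z_WF_ADM'
    ID 'ACTVT' FIELD '06'.                       " 06 = delete/cancel
  IF sy-subrc <> 0.
    " Terminates the report before any WAPI is reached.
    MESSAGE 'No authorization to cancel work items' TYPE 'E'.
  ENDIF.
ENDFORM.

*---------------------------------------------------------------------*
* Only reached when the authority check above has passed.
* Parameter names as recalled from SE37; verify on your release.
*---------------------------------------------------------------------*
FORM cancel_workitem USING iv_wiid TYPE sww_wiid.
  DATA: lv_rc   TYPE sy-subrc,
        lt_msgs TYPE TABLE OF swr_messag,
        ls_msg  TYPE swr_messag.

  CALL FUNCTION 'SAP_WAPI_ADM_WORKFLOW_CANCEL'
    EXPORTING
      workitem_id   = iv_wiid
      do_commit     = 'X'
    IMPORTING
      return_code   = lv_rc
    TABLES
      message_lines = lt_msgs.

  IF lv_rc = 0.
    WRITE: / 'Work item', iv_wiid, 'cancelled by', sy-uname.
  ELSE.
    WRITE: / 'Cancel failed, return code', lv_rc.
    LOOP AT lt_msgs INTO ls_msg.
      WRITE: / ls_msg-line.
    ENDLOOP.
  ENDIF.
ENDFORM.
```

To see the gap the thread describes, run this as a user who has SE38 but no work-item admin role, in a sandbox with a work item you can afford to lose: the cancel must be refused at the AUTHORITY-CHECK, because calling the WAPI directly from SE37 with the same user will go straight through.<BR>
<BR>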
<DIV>
> Date: Tue, 26 Jul 2011 15:37:56 +0100<BR>
> Subject: RE: Have authority checks disappeared from WAPIs?<BR>
> From: wug@workflowconnections.com<BR>
> To: sap-wug@mit.edu<BR>
> <BR>
> Thanks all for your responses, I'll just reply to all in one post.<BR>
> <BR>
> Mike: Yes, I looked at that very method - nada. At least not for<BR>
> SAP_WAPI_ADM_WORKFLOW_CANCEL that I've been testing with.<BR>
> <BR>
> Claude: Spotted that, I assumed it was just a result of SE37 testing. Good<BR>
> point though, so I double-checked by putting the FM call into a test report<BR>
> - no auth checks apart from a couple of arbitrary org validations.<BR>
> <BR>
> Alon: I tested a bit further and am now convinced you're spot on.<BR>
> <BR>
> The only question that remains is whether this has changed... My vague<BR>
> recollection is that WAPIs used to check auths - which would make sense<BR>
> as the SWW FMs do auth checks by default.<BR>
> <BR>
> Hmmmmm....<BR>
> <BR>
> Thanks again.<BR>
> Mike<BR>
> <BR>
> <BR>
> On Tue, July 26, 2011 3:22 pm, Alon Raskin wrote:<BR>
> > Mike,<BR>
> ><BR>
> > I can confirm your suspicion. We recently had a security issue with one of<BR>
> > our clients because the user was able to execute SAP_WAPI_CREATE_WORKLIST<BR>
> > for another user. They changed a value on the screen and they could view<BR>
> > someone else's inbox. We had to put a fix in our code to ensure that did<BR>
> > not happen.<BR>
> ><BR>
> > I have been meaning to log this with SAP...<BR>
> ><BR>
> > Regards,<BR>
> ><BR>
> > Alon Raskin<BR>
> > e: araskin@go3i.com<BR>
> > p: +1 713 513 4820<BR>
> > c: +1 207 409 4983<BR>
> > f: +1 806 403-4983<BR>
> > The only SAP mobility solution built in native SAP.<BR>
> > http://www.themobileworkplace.com<BR>
> ><BR>
> > -----Original Message-----<BR>
> > From: sap-wug-bounces@mit.edu [mailto:sap-wug-bounces@mit.edu] On Behalf<BR>
> > Of Mike Pokraka<BR>
> > Sent: Tuesday, July 26, 2011 5:46 AM<BR>
> > To: sap-wug@mit.edu<BR>
> > Subject: Have authority checks disappeared from WAPIs?<BR>
> ><BR>
> > G'Day,<BR>
> ><BR>
> > I'm not sure if I've just noticed this or if it's been this way for a<BR>
> > while, or if my memory is deceiving me:<BR>
> ><BR>
> > Once upon a time the WAPIs used to be a formal wrapper for the equivalent<BR>
> > SWF*/SWW* function modules. I think the WAPIs used to do indirect auth<BR>
> > checks via these FM calls, however since the FMs can be overridden (e.g. FM<BR>
> > SWW_WI_ADMIN_CANCEL has a parameter AUTHORIZATION_CHECKED) I am not too<BR>
> > sure and have no 4.6 system handy to check.<BR>
> ><BR>
> > Nowadays (ECC6) however, the WAPIs use OO methods internally and as far as<BR>
> > I have been able to establish there are no auth checks carried out - if a<BR>
> > user can execute FM SAP_WAPI_ADM_WORKFLOW_CANCEL by any means then they<BR>
> > can cancel a work item. Unfortunately I haven't been able to conclusively<BR>
> > test this with a user that has SE37 but no workitem admin access, but<BR>
> > debugging shows no auth check.<BR>
> ><BR>
> > Could someone verify I've got this right? Has this changed? Am I just<BR>
> > confused?<BR>
> ><BR>
> > I'm going to implement my own auth checks anyway, but I am very curious as<BR>
> > it *may* mean that custom code written pre-ECC could have turned into a<BR>
> > security hole post-upgrade.<BR>
> ><BR>
> > Regards,<BR>
> > Mike<BR>
> ><BR>
> > _______________________________________________<BR>
> > SAP-WUG mailing list<BR>
> > SAP-WUG@mit.edu<BR>
> > http://mailman.mit.edu/mailman/listinfo/sap-wug<BR>
> ><BR>
> <BR>
</DIV></div></body>
</html>