Have authority checks disappeared from WAPIs?

Mike Gambier madgambler at hotmail.com
Tue Jul 26 09:24:05 EDT 2011


Mike,
 
Did you check that a call to CL_SWF_RUN_WIM_LOCAL->IF_SWF_RUN_WIM_UTL_INTERNAL~CHECK_AUTHORITY is NOT being executed?
 
I thought it would always be invoked, regardless of whether a WAPI is invoking the Workflow stuff.
 
Normally the ABAP OO Exception CX_SWF_RUN_WIM_AUTH_FAILED will be thrown I think.
 
Mike GT
 

> Date: Tue, 26 Jul 2011 11:46:14 +0100
> Subject: Have authority checks disappeared from WAPIs?
> From: wug at workflowconnections.com
> To: sap-wug at mit.edu
> 
> G'Day,
> 
> I'm not sure if I've just noticed this or if it's been this way for a
> while, or if my memory is deceiving me:
> 
> Once upon a time the WAPIs used to be a formal wrapper for the equivalent
> SWF*/SWW* function modules. I think the WAPIs used to do indirect auth
> checks via these FM calls, however since the FMs can be overridden (e.g. FM
> SWW_WI_ADMIN_CANCEL has a parameter AUTHORIZATION_CHECKED) I am not too
> sure and have no 4.6 system handy to check.
> 
> Nowadays (ECC6) however, the WAPIs use OO methods internally and as far as
> I have been able to establish there are no auth checks carried out - if a
> user can execute FM SAP_WAPI_ADM_WORKFLOW_CANCEL by any means then they
> can cancel a work item. Unfortunately I haven't been able to conclusively
> test this with a user that has SE37 but no workitem admin access, but
> debugging shows no auth check.
> 
> Could someone verify I've got this right? Has this changed? Am I just
> confused?
> 
> I'm going to implement my own auth checks anyway, but I am very curious as
> it *may* mean that custom code written pre-ECC could have turned into a
> security hole post-upgrade.
> 
> Regards,
> Mike
> 
> _______________________________________________
> SAP-WUG mailing list
> SAP-WUG at mit.edu
> http://mailman.mit.edu/mailman/listinfo/sap-wug
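The original poster says he will put his own authority checks in front of the WAPI calls rather than rely on the WAPI. The following is an added example of what such a guard can look like; it is not code from this thread and not SAP's own code. It assumes the standard authorization object S_WF_WI with the fields WI_FCODE, WI_TYPE and WI_TASK, and the function code value CANCEL; the wrapper name Z_WAPI_CANCEL_GUARDED and the parameter names of the wrapper itself are made up for the example. The interface of SAP_WAPI_ADM_WORKFLOW_CANCEL (WORKITEM_ID, DO_COMMIT, RETURN_CODE, MESSAGE_LINES) should be verified in SE37 on the target release before copying.

```abap
FUNCTION z_wapi_cancel_guarded.
*"----------------------------------------------------------------------
*" Added example, not SAP code: explicit authority check in front of the
*" WAPI, so that "can call the FM" no longer implies "can cancel the item".
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(IV_WORKITEM_ID) TYPE SWW_WIID
*"  EXPORTING
*"     VALUE(EV_RETURN_CODE) TYPE SY-SUBRC
*"  TABLES
*"     ET_MESSAGES STRUCTURE SWR_MESSAG OPTIONAL
*"  EXCEPTIONS
*"     NOT_AUTHORIZED
*"----------------------------------------------------------------------

  " Step 1: the check the thread says the WAPI no longer performs.
  " Object S_WF_WI and its fields WI_FCODE / WI_TYPE / WI_TASK, and the
  " value 'CANCEL', are assumptions for this example; confirm them in SU21
  " on your own system. DUMMY skips the field so only the function code
  " is constrained here; narrow WI_TYPE / WI_TASK if your role design does.
  AUTHORITY-CHECK OBJECT 'S_WF_WI'
           ID 'WI_FCODE' FIELD 'CANCEL'
           ID 'WI_TYPE'  DUMMY
           ID 'WI_TASK'  DUMMY.

  IF sy-subrc <> 0.
    " Fail closed: do not touch the work item, do not commit, and let the
    " caller (and SM20/security audit log, if S_WF_WI failures are traced)
    " see that the call was refused.
    ev_return_code = sy-subrc.
    RAISE not_authorized.
  ENDIF.

  " Step 2: only after the check passes, delegate to the standard WAPI.
  CALL FUNCTION 'SAP_WAPI_ADM_WORKFLOW_CANCEL'
    EXPORTING
      workitem_id   = iv_workitem_id
      do_commit     = 'X'
    IMPORTING
      return_code   = ev_return_code
    TABLES
      message_lines = et_messages.

ENDFUNCTION.
```

The point of the wrapper is that the decision is made once, in one place, before any workflow runtime call happens, so that custom code migrated from a release where the SWW* function modules did the checking does not silently become an unchecked cancel path. To confirm the concern raised in the thread on a given system, the same wrapper can be executed from SE37 with a test user that lacks S_WF_WI for CANCEL: the guarded FM should raise NOT_AUTHORIZED, whereas a direct call to SAP_WAPI_ADM_WORKFLOW_CANCEL with that user is what needs to be observed in debugging.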