Have authority checks disappeared from WAPIs?

Alon Raskin araskin at go3i.com
Tue Jul 26 10:22:32 EDT 2011


Mike,

I can confirm your suspicion. We recently had a security issue with one of our clients because the user was able to execute SAP_WAPI_CREATE_WORKLIST for another user. They changed a value on the screen and they could view someone else's inbox. We had to put a fix in our code to ensure that did not happen.

I have been meaning to log this with SAP...

Regards,

Alon Raskin
e: araskin at go3i.com
p: +1 713 513 4820
c: +1 207 409 4983
f: +1 806 403-4983
The only SAP mobility solution built in native SAP.
http://www.themobileworkplace.com

-----Original Message-----
From: sap-wug-bounces at mit.edu [mailto:sap-wug-bounces at mit.edu] On Behalf Of Mike Pokraka
Sent: Tuesday, July 26, 2011 5:46 AM
To: sap-wug at mit.edu
Subject: Have authority checks disappeared from WAPIs?

G'Day,

I'm not sure if I've just noticed this or if it's been this way for a
while, or if my memory is deceiving me:

Once upon a time the WAPIs used to be a formal wrapper for the equivalent
SWF*/SWW* function modules. I think the WAPIs used to do indirect auth
checks via these FM calls, however since the FMs can be overridden (e.g. FM
SWW_WI_ADMIN_CANCEL has a parameter AUTHORIZATION_CHECKED) I am not too
sure and have no 4.6 system handy to check.

Nowadays (ECC6) however, the WAPIs use OO methods internally and as far as
I have been able to establish there are no auth checks carried out - if a
user can execute FM SAP_WAPI_ADM_WORKFLOW_CANCEL by any means then they
can cancel a work item. Unfortunately I haven't been able to conclusively
test this with a user that has SE37 but no work item admin access, but
debugging shows no auth check.

Could someone verify I've got this right? Has this changed? Am I just
confused?

I'm going to implement my own auth checks anyway, but I am very curious as
it *may* mean that custom code written pre-ECC could have turned into a
security hole post-upgrade.

Regards,
Mike

_______________________________________________
SAP-WUG mailing list
SAP-WUG at mit.edu
http://mailman.mit.edu/mailman/listinfo/sap-wug
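Both messages in this thread come down to the same practitioner point: if the WAPIs do no AUTHORITY-CHECK of their own, the custom code that calls them has to. The following ABAP report is an added example, not code from either poster or from SAP: a thin guard layer in front of the two WAPIs named above (SAP_WAPI_ADM_WORKFLOW_CANCEL and SAP_WAPI_CREATE_WORKLIST) that performs an explicit check before delegating, and that refuses to read another user's inbox unless the caller holds an administrative authorization. The authorization object Z_WF_ADM is a hypothetical placeholder, the WAPI parameter names (WORKITEM_ID, USER, RETURN_CODE, WORKLIST) are quoted from memory and should be verified in SE37 on your release, and 'OTHERUSER' is a constructed sample value.

```abap
REPORT zwf_wapi_guard.

* Added example (not from the thread). Local exception raised when the
* caller lacks the required authorization.
CLASS lcx_not_authorized DEFINITION INHERITING FROM cx_static_check.
ENDCLASS.

CLASS lcl_wf_guard DEFINITION FINAL.
  PUBLIC SECTION.
    " Activity values checked against the HYPOTHETICAL object Z_WF_ADM.
    CONSTANTS: c_actvt_display TYPE activ_auth VALUE '03',
               c_actvt_cancel  TYPE activ_auth VALUE '06'.

    " Cancels a work item only if the caller holds Z_WF_ADM ACTVT 06.
    " The WAPI itself is assumed to perform no authority check.
    CLASS-METHODS cancel_workflow
      IMPORTING iv_wi_id     TYPE sww_wiid
      RETURNING VALUE(rv_rc) TYPE sysubrc
      RAISING   lcx_not_authorized.

    " Reads a worklist. The caller's own inbox is always allowed;
    " anybody else's requires Z_WF_ADM ACTVT 03. This is the kind of
    " check needed around SAP_WAPI_CREATE_WORKLIST when the user name
    " comes from a screen field.
    CLASS-METHODS create_worklist
      IMPORTING iv_user      TYPE syuname DEFAULT sy-uname
      EXPORTING et_worklist  TYPE swrtwihdr
      RETURNING VALUE(rv_rc) TYPE sysubrc
      RAISING   lcx_not_authorized.

  PRIVATE SECTION.
    CLASS-METHODS require_admin
      IMPORTING iv_actvt TYPE activ_auth
      RAISING   lcx_not_authorized.
ENDCLASS.

CLASS lcl_wf_guard IMPLEMENTATION.
  METHOD require_admin.
    " Z_WF_ADM is a placeholder: substitute the object your roles are
    " actually built on.
    AUTHORITY-CHECK OBJECT 'Z_WF_ADM'
      ID 'ACTVT' FIELD iv_actvt.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_not_authorized.
    ENDIF.
  ENDMETHOD.

  METHOD cancel_workflow.
    " Check before the call; nothing downstream is trusted to check.
    require_admin( c_actvt_cancel ).
    CALL FUNCTION 'SAP_WAPI_ADM_WORKFLOW_CANCEL'  " parameter names: assumption
      EXPORTING
        workitem_id = iv_wi_id
      IMPORTING
        return_code = rv_rc.
  ENDMETHOD.

  METHOD create_worklist.
    " Never trust a user name that came from the screen: compare it with
    " the logged-on user and only let administrators look elsewhere.
    IF iv_user <> sy-uname.
      require_admin( c_actvt_display ).
    ENDIF.
    CALL FUNCTION 'SAP_WAPI_CREATE_WORKLIST'      " parameter names: assumption
      EXPORTING
        user        = iv_user
      IMPORTING
        return_code = rv_rc
      TABLES
        worklist    = et_worklist.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA: lt_worklist TYPE swrtwihdr,
        lv_count    TYPE i.
  TRY.
      " Own inbox: no extra authorization needed.
      lcl_wf_guard=>create_worklist( IMPORTING et_worklist = lt_worklist ).
      lv_count = lines( lt_worklist ).
      WRITE: / 'Own worklist entries:', lv_count.
      " Somebody else's inbox ('OTHERUSER' is a constructed sample value):
      " succeeds only with Z_WF_ADM ACTVT 03, otherwise the exception fires.
      lcl_wf_guard=>create_worklist( EXPORTING iv_user     = 'OTHERUSER'
                                     IMPORTING et_worklist = lt_worklist ).
    CATCH lcx_not_authorized.
      WRITE: / 'Not authorized to view another user''s worklist'.
  ENDTRY.
```

The design point is that the guard decides on sy-uname, not on the value the caller passes in, so the "changed a value on the screen" case described above fails closed. Wrapping the WAPIs this way also gives one place to revisit if a later release reinstates checks inside the WAPIs themselves.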