Have authority checks disappeared from WAPIs?

Mike Pokraka wug at workflowconnections.com
Tue Jul 26 10:37:56 EDT 2011


Thanks all for your responses, I'll just reply to all in one post.

Mike: Yes, I looked at that very method - nada. At least not for
SAP_WAPI_ADM_WORKFLOW_CANCEL that I've been testing with.

Claude: Spotted that, I assumed it was just a result of SE37 testing. Good
point though, so I double-checked by putting the FM call into a test report
- no auth checks apart from a couple of arbitrary org validations.

Alon: I tested a bit further and am now convinced you're spot on.

The only question that remains is whether this has changed... My vague
recollection is that WAPIs used to check auths - which would make sense
as the SWW FMs do auth checks by default.

Hmmmmm....

Thanks again.
Mike


On Tue, July 26, 2011 3:22 pm, Alon Raskin wrote:
> Mike,
>
> I can confirm your suspicion. We recently had a security issue with one of
> our clients because the user was able to execute SAP_WAPI_CREATE_WORKLIST
> for another user (they changed a value on the screen and they could view
> someone else's inbox). We had to put a fix in our code to ensure that did
> not happen.
>
> I have been meaning to log this with SAP...
>
> Regards,
>
> Alon Raskin
> e: araskin at go3i.com
> p: +1 713 513 4820
> c: +1 207 409 4983
> f:  +1 806 403-4983
> The only SAP mobility solution built in native SAP.
> http://www.themobileworkplace.com
>
> -----Original Message-----
> From: sap-wug-bounces at mit.edu [mailto:sap-wug-bounces at mit.edu] On Behalf
> Of Mike Pokraka
> Sent: Tuesday, July 26, 2011 5:46 AM
> To: sap-wug at mit.edu
> Subject: Have authority checks disappeared from WAPIs?
>
> G'Day,
>
> I'm not sure if I've just noticed this or if it's been this way for a
> while, or if my memory is deceiving me:
>
> Once upon a time the WAPIs used to be a formal wrapper for the equivalent
> SWF*/SWW* function modules. I think the WAPIs used to do indirect auth
> checks via these FM calls, however since the FMs can be overridden (e.g. FM
> SWW_WI_ADMIN_CANCEL has a parameter AUTHORIZATION_CHECKED) I am not too
> sure and have no 4.6 system handy to check.
>
> Nowadays (ECC6) however, the WAPIs use OO methods internally and as far as
> I have been able to establish there are no auth checks carried out - if a
> user can execute FM SAP_WAPI_ADM_WORKFLOW_CANCEL by any means then they
> can cancel a work item. Unfortunately I haven't been able to conclusively
> test this with a user that has SE37 but no workitem admin access, but
> debugging shows no auth check.
>
> Could someone verify I've got this right? Has this changed? Am I just
> confused?
>
> I'm going to implement my own auth checks anyway, but I am very curious as
> it *may* mean that custom code written pre-ECC could have turned into a
> security hole post-upgrade.
>
> Regards,
> Mike
>
> _______________________________________________
> SAP-WUG mailing list
> SAP-WUG at mit.edu
> http://mailman.mit.edu/mailman/listinfo/sap-wug
>
>
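The wrapper-style checks Mike says he will write, and the "own inbox only" rule Alon's fix enforces, as an added ABAP example that is not code from the thread. The class name, the authorization object ZWF_ADM and its fields ACTVT and WF_USER are hypothetical placeholders; the WAPI parameter names WORKITEM_ID, USER, WORKLIST and RETURN_CODE are assumed from the standard interfaces and should be verified in SE37.

```abap
" Hypothetical guard class: every WAPI call goes through an explicit
" AUTHORITY-CHECK first, since the WAPI itself performs none (see thread).
" ZWF_ADM with fields ACTVT / WF_USER is a placeholder object (define in SU21).
CLASS zcl_wf_admin_guard DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    TYPES tt_wihdr TYPE STANDARD TABLE OF swr_wihdr WITH DEFAULT KEY.
    CLASS-METHODS cancel_workflow
      IMPORTING iv_workitem_id  TYPE sww_wiid
      RETURNING VALUE(rv_subrc) TYPE sysubrc.
    CLASS-METHODS read_worklist
      IMPORTING iv_user         TYPE syuname DEFAULT sy-uname
      EXPORTING et_worklist     TYPE tt_wihdr
      RETURNING VALUE(rv_subrc) TYPE sysubrc.
ENDCLASS.

CLASS zcl_wf_admin_guard IMPLEMENTATION.
  METHOD cancel_workflow.
    " Cancelling is an admin action: require the placeholder admin activity.
    AUTHORITY-CHECK OBJECT 'ZWF_ADM'
      ID 'ACTVT' FIELD '06'.          " 06 = delete/cancel by SAP convention
    IF sy-subrc <> 0.
      rv_subrc = 4.                   " refused: caller is not a workflow admin
      RETURN.
    ENDIF.
    CALL FUNCTION 'SAP_WAPI_ADM_WORKFLOW_CANCEL'
      EXPORTING workitem_id = iv_workitem_id
      IMPORTING return_code = rv_subrc.
  ENDMETHOD.

  METHOD read_worklist.
    CLEAR et_worklist.
    " A user may always read their own inbox; reading anyone else's inbox
    " (the screen-field trick from the thread) needs the admin authorization.
    IF iv_user <> sy-uname.
      AUTHORITY-CHECK OBJECT 'ZWF_ADM'
        ID 'ACTVT'   FIELD '03'       " 03 = display
        ID 'WF_USER' FIELD iv_user.
      IF sy-subrc <> 0.
        rv_subrc = 4.                 " refused: not allowed to view this user
        RETURN.
      ENDIF.
    ENDIF.
    CALL FUNCTION 'SAP_WAPI_CREATE_WORKLIST'
      EXPORTING user        = iv_user
      IMPORTING return_code = rv_subrc
      TABLES    worklist    = et_worklist.
  ENDMETHOD.
ENDCLASS.
```

Routing all custom code through such a wrapper also gives one place to log refused calls, which is the detection point for the "changed a value on the screen" case.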