Have authority checks disappeared from WAPIs?

Mike Gambier madgambler at hotmail.com
Tue Jul 26 11:09:02 EDT 2011


Mike,
 
That seems to ring a bell from when we upgraded to ECC 6 now that you mention it.
 
Maybe somebody intended to enhance Method CL_SWF_UTL_WAPI_FRAMEWORK->IS_REQUEST_ALLOWED or amend the values in the S_RESTRICTED_METHODS in the Private Attribute on the Class to be mindful of authorisation but never got around to it?
 
Mike GT
 

> Date: Tue, 26 Jul 2011 15:37:56 +0100
> Subject: RE: Have authority checks disappeared from WAPIs?
> From: wug at workflowconnections.com
> To: sap-wug at mit.edu
> 
> Thanks all for your responses, I'll just reply to all in one post.
> 
> Mike: Yes, I looked at that very method - nada. At least not for
> SAP_WAPI_ADM_WORKFLOW_CANCEL that I've been testing with.
> 
> Claude: Spotted that, I assumed it was just a result of SE37 testing. Good
> point though, so I double-checked by putting the FM call into a test report
> - no auth checks apart from a couple of arbitrary org validations.
> 
> Alon: I tested a bit further and am now convinced you're spot on.
> 
> The only question that remains is whether this has changed... My vague
> recollection is that WAPIs used to check auths - which would make sense
> as the SWW FMs do auth checks by default.
> 
> Hmmmmm....
> 
> Thanks again.
> Mike
> 
> 
> On Tue, July 26, 2011 3:22 pm, Alon Raskin wrote:
> > Mike,
> >
> > I can confirm your suspicion. We recently had a security issue with one of
> > our clients because the user was able to execute SAP_WAPI_CREATE_WORKLIST
> > for another user (they changed a value on the screen and they could view
> > someone else's inbox). We had to put a fix in our code to ensure that did
> > not happen.
> >
> > I have been meaning to log this with SAP...
> >
> > Regards,
> >
> > Alon Raskin
> > e: araskin at go3i.com
> > p: +1 713 513 4820
> > c: +1 207 409 4983
> > f:  +1 806 403-4983
> > The only SAP mobility solution built in native SAP.
> > http://www.themobileworkplace.com
> >
> > -----Original Message-----
> > From: sap-wug-bounces at mit.edu [mailto:sap-wug-bounces at mit.edu] On Behalf
> > Of Mike Pokraka
> > Sent: Tuesday, July 26, 2011 5:46 AM
> > To: sap-wug at mit.edu
> > Subject: Have authority checks disappeared from WAPIs?
> >
> > G'Day,
> >
> > I'm not sure if I've just noticed this or if it's been this way for a
> > while, or if my memory is deceiving me:
> >
> > Once upon a time the WAPIs used to be a formal wrapper for the equivalent
> > SWF*/SWW* function modules. I think the WAPIs used to do indirect auth
> > checks via these FM calls, however since the FMs can be overridden (e.g. FM
> > SWW_WI_ADMIN_CANCEL has a parameter AUTHORIZATION_CHECKED) I am not too
> > sure and have no 4.6 system handy to check.
> >
> > Nowadays (ECC6) however, the WAPIs use OO methods internally and as far as
> > I have been able to establish there are no auth checks carried out - if a
> > user can execute FM SAP_WAPI_ADM_WORKFLOW_CANCEL by any means then they
> > can cancel a work item. Unfortunately I haven't been able to conclusively
> > test this with a user that has SE37 but no work item admin access, but
> > debugging shows no auth check.
> >
> > Could someone verify I've got this right? Has this changed? Am I just
> > confused?
> >
> > I'm going to implement my own auth checks anyway, but I am very curious as
> > it *may* mean that custom code written pre-ECC could have turned into a
> > security hole post-upgrade.
> >
> > Regards,
> > Mike
> >
> > _______________________________________________
> > SAP-WUG mailing list
> > SAP-WUG at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/sap-wug
> >
> 
> 
> _______________________________________________
> SAP-WUG mailing list
> SAP-WUG at mit.edu
> http://mailman.mit.edu/mailman/listinfo/sap-wug
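The thread's conclusion is that the WAPIs perform no authority check of their own, so custom code must add one before calling them. The following ABAP is an added example written for this page; it is not code from any of the posters nor from SAP. It puts a guard in front of the two WAPIs named above: SAP_WAPI_ADM_WORKFLOW_CANCEL is only reachable for a workflow administrator, and SAP_WAPI_CREATE_WORKLIST refuses to read another user's inbox unless the caller is an administrator (the hole Alon describes). Assumed and hypothetical: the custom authorization object Z_WF_ADM with a single field ACTVT, the local class names, the table type SWRTWIHDR for the worklist, and the WAPI parameter names (WORKITEM_ID, RETURN_CODE, USER_ID, WORKLIST), which should be verified in SE37 on your release.

```abap
REPORT z_wapi_guard_demo.

" Added example, not from the thread or from SAP: a thin guard in front
" of two WAPIs, because the WAPIs themselves perform no AUTHORITY-CHECK.
" Hypothetical pieces: authorization object Z_WF_ADM (field ACTVT,
" value '16' = execute) and the local class names. Verify the WAPI
" parameter names in SE37 before use.

" Raised when the caller is not allowed to perform the requested action.
CLASS lcx_not_authorized DEFINITION INHERITING FROM cx_static_check.
ENDCLASS.

CLASS lcl_wf_guard DEFINITION.
  PUBLIC SECTION.
    " True if the current user holds the (hypothetical) admin authority.
    CLASS-METHODS is_wf_admin
      RETURNING VALUE(rv_admin) TYPE abap_bool.

    " Cancel a workflow, but only for an authorised administrator.
    CLASS-METHODS cancel_workflow
      IMPORTING iv_wi_id     TYPE sww_wiid
      RETURNING VALUE(rv_rc) TYPE sy-subrc
      RAISING   lcx_not_authorized.

    " Read a worklist. A non-admin may only read their own inbox.
    CLASS-METHODS read_worklist
      IMPORTING iv_user            TYPE syuname DEFAULT sy-uname
      RETURNING VALUE(rt_worklist) TYPE swrtwihdr
      RAISING   lcx_not_authorized.
ENDCLASS.

CLASS lcl_wf_guard IMPLEMENTATION.
  METHOD is_wf_admin.
    " Z_WF_ADM is assumed; swap in your own object or S_WF_WI as needed.
    AUTHORITY-CHECK OBJECT 'Z_WF_ADM'
      ID 'ACTVT' FIELD '16'.
    IF sy-subrc = 0.
      rv_admin = abap_true.
    ELSE.
      rv_admin = abap_false.
    ENDIF.
  ENDMETHOD.

  METHOD cancel_workflow.
    " Check first; the WAPI will not do it for us.
    IF is_wf_admin( ) = abap_false.
      RAISE EXCEPTION TYPE lcx_not_authorized.
    ENDIF.
    CALL FUNCTION 'SAP_WAPI_ADM_WORKFLOW_CANCEL'
      EXPORTING
        workitem_id = iv_wi_id
      IMPORTING
        return_code = rv_rc.
  ENDMETHOD.

  METHOD read_worklist.
    " Refuse cross-user reads unless the caller is an administrator, so a
    " screen field holding another user ID cannot expose their inbox.
    IF iv_user <> sy-uname AND is_wf_admin( ) = abap_false.
      RAISE EXCEPTION TYPE lcx_not_authorized.
    ENDIF.
    CALL FUNCTION 'SAP_WAPI_CREATE_WORKLIST'
      EXPORTING
        user_id  = iv_user
      TABLES
        worklist = rt_worklist.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA lt_wl TYPE swrtwihdr.
  TRY.
      " Own inbox: always allowed.
      lt_wl = lcl_wf_guard=>read_worklist( sy-uname ).
      WRITE: / 'Own inbox, work items:', lines( lt_wl ).
      " Someone else's inbox: allowed only for an administrator.
      lt_wl = lcl_wf_guard=>read_worklist( 'OTHERUSER' ).
      WRITE: / 'Other inbox, work items:', lines( lt_wl ).
    CATCH lcx_not_authorized.
      WRITE: / 'Refused: caller is not a workflow administrator'.
  ENDTRY.
```

The important design point is that the check happens in the wrapper, before the WAPI is called, and that the wrapper's signature is the only one custom code is allowed to call; granting SE37 or any other route to the raw WAPI still bypasses it, which is why the check has to live in every custom entry point rather than being assumed to exist inside SAP's function module.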