Have authority checks disappeared from WAPIs?

Alon Raskin araskin at go3i.com
Tue Jul 26 11:15:06 EDT 2011


I concur Mike. I think they USED to do auth checks too.

Regards,

Alon Raskin


On 7/26/11 9:37 AM, "Mike Pokraka" <wug at workflowconnections.com> wrote:

>Thanks all for your responses, I'll just reply to all in one post.
>
>Mike: Yes, I looked at that very method - nada. At least not for
>SAP_WAPI_ADM_WORKFLOW_CANCEL that I've been testing with.
>
>Claude: Spotted that, I assumed it was just a result of SE37 testing. Good
>point though, so I doublechecked by putting the FM call into a test report
>- no auth checks apart from a couple of arbitrary org validations.
>
>Alon: I tested a bit further and am now convinced you're spot on.
>
>The only question that remains is whether this has changed... My vague
>recollection is that WAPIs used to check auths - which would make sense
>as the SWW FMs do auth checks by default.
>
>Hmmmmm....
>
>Thanks again.
>Mike
>
>
>On Tue, July 26, 2011 3:22 pm, Alon Raskin wrote:
>> Mike,
>>
>> I can confirm your suspicion. We recently had a security issue with one of
>> our clients because the user was able to execute SAP_WAPI_CREATE_WORKLIST
>> for another user. They changed a value on the screen and they could view
>> someone else's inbox. We had to put a fix in our code to ensure that did
>> not happen.
>>
>> I have been meaning to log this with SAP...
>>
>> Regards,
>>
>> Alon Raskin
>> e: araskin at go3i.com
>> p: +1 713 513 4820
>> c: +1 207 409 4983
>> f:  +1 806 403-4983
>> The only SAP mobility solution built in native SAP.
>> http://www.themobileworkplace.com
>>
>> -----Original Message-----
>> From: sap-wug-bounces at mit.edu [mailto:sap-wug-bounces at mit.edu] On Behalf
>> Of Mike Pokraka
>> Sent: Tuesday, July 26, 2011 5:46 AM
>> To: sap-wug at mit.edu
>> Subject: Have authority checks disappeared from WAPIs?
>>
>> G'Day,
>>
>> I'm not sure if I've just noticed this or if it's been this way for a
>> while, or if my memory is deceiving me:
>>
>> Once upon a time the WAPIs used to be a formal wrapper for the equivalent
>> SWF*/SWW* function modules. I think the WAPIs used to do indirect auth
>> checks via these FM calls, however since the FMs can be overridden (e.g. FM
>> SWW_WI_ADMIN_CANCEL has a parameter AUTHORIZATION_CHECKED) I am not too
>> sure and have no 4.6 system handy to check.
>>
>> Nowadays (ECC6) however, the WAPIs use OO methods internally and as far as
>> I have been able to establish there are no auth checks carried out - if a
>> user can execute FM SAP_WAPI_ADM_WORKFLOW_CANCEL by any means then they
>> can cancel a work item. Unfortunately I haven't been able to conclusively
>> test this with a user that has SE37 but no workitem admin access, but
>> debugging shows no auth check.
>>
>> Could someone verify I've got this right? Has this changed? Am I just
>> confused?
>>
>> I'm going to implement my own auth checks anyway, but I am very curious as
>> it *may* mean that custom code written pre-ECC could have turned into a
>> security hole post-upgrade.
>>
>> Regards,
>> Mike
>>
>> _______________________________________________
>> SAP-WUG mailing list
>> SAP-WUG at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/sap-wug
>>
>
>
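A guarded wrapper of the kind Mike says he will write, added here as an example and not code from the thread or from SAP: it performs an explicit AUTHORITY-CHECK before calling SAP_WAPI_ADM_WORKFLOW_CANCEL, since the WAPI itself (per the discussion above) does none. The authorization object Z_WF_ADM with field ACTVT is an assumed custom object, and the WAPI parameter names are as I recall them from the standard SAP_WAPI_* interface; confirm both against your release in SE37.

```abap
REPORT z_wf_cancel_guarded.

" Assumed custom authorization object; '06' (delete) is the usual ACTVT
" value for a cancel-type activity. Replace with your own object/field.
CONSTANTS: gc_auth_obj TYPE xuobject   VALUE 'Z_WF_ADM',
           gc_actvt    TYPE activ_auth VALUE '06'.

TYPES ty_messages TYPE STANDARD TABLE OF swr_messag WITH DEFAULT KEY.

PARAMETERS p_wiid TYPE sww_wiid OBLIGATORY.

CLASS lcl_guarded_cancel DEFINITION.
  PUBLIC SECTION.
    " ev_rc: 0 on success, 4 if the caller lacks authority,
    " otherwise the return code reported by the WAPI.
    CLASS-METHODS cancel
      IMPORTING iv_wi_id    TYPE sww_wiid
      EXPORTING ev_rc       TYPE sy-subrc
                et_messages TYPE ty_messages.
ENDCLASS.

CLASS lcl_guarded_cancel IMPLEMENTATION.
  METHOD cancel.
    DATA ls_msg TYPE swr_messag.
    CLEAR: ev_rc, et_messages.

    " The WAPI carries no authority check of its own, so enforce one here
    " instead of relying on the SWW function module underneath it.
    AUTHORITY-CHECK OBJECT gc_auth_obj
             ID 'ACTVT' FIELD gc_actvt.
    IF sy-subrc <> 0.
      ev_rc = 4.
      ls_msg-msgty = 'E'.
      CONCATENATE 'User' sy-uname 'not authorized to cancel work item'
                  iv_wi_id INTO ls_msg-line SEPARATED BY space.
      APPEND ls_msg TO et_messages.   " surfaces the refusal to the caller
      RETURN.
    ENDIF.

    CALL FUNCTION 'SAP_WAPI_ADM_WORKFLOW_CANCEL'
      EXPORTING  workitem_id   = iv_wi_id
                 do_commit     = 'X'
      IMPORTING  return_code   = ev_rc
      TABLES     message_lines = et_messages.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA: gv_rc TYPE sy-subrc, gt_msgs TYPE ty_messages, gs_msg TYPE swr_messag.
  lcl_guarded_cancel=>cancel( EXPORTING iv_wi_id = p_wiid
                              IMPORTING ev_rc = gv_rc et_messages = gt_msgs ).
  LOOP AT gt_msgs INTO gs_msg. WRITE: / gs_msg-msgty, gs_msg-line. ENDLOOP.
  WRITE: / 'Return code:', gv_rc.
```

Running the report with a user who holds SE37 but not the custom object is the test Mike describes: the cancel is refused with return code 4 before the WAPI is ever reached.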