You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2009/08/14 22:55:15 UTC

[jira] Updated: (OFBIZ-2729) special security should be required for setting passwords

     [ https://issues.apache.org/jira/browse/OFBIZ-2729?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-2729:
-----------------------------------

    Issue Type: Sub-task  (was: Bug)
        Parent: OFBIZ-1525

>  special security should be required for setting passwords
> ----------------------------------------------------------
>
>                 Key: OFBIZ-2729
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2729
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 4.0, Release Branch 9.04, SVN trunk
>            Reporter: Si Chen
>
>  This issue was first brought up here: https://sourceforge.net/forum/message.php?msg_id=7496877
>  Basically, any user with PARTYMGR_CREATE/UPDATE  permissions can set the password of another user. This creates opportunity for  Malfeasance. For example, a customer service rep  could set the password of the admin user.
> A simple solution would be to create a new security permission PARTYMGR_PASSWD  and require that permission  for setting or changing password of a different user, instead of using PARTYMGR_UPDATE.  PARTYMGR_PASSWD  could then be associated with  the administrative user.
>  An alternative is to use the SECURITY_UPDATE  permission instead of PARTYMGR_UPDATE  or  a new PARTYMGR_PASSWD  permission.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.