| Title | TSServer::UpdateRecord doesn't let you specify a user |
| Status | closed |
| Priority | essential |
| Assigned user | Gareth Rees |
| Organization | TeamShare |
| Description | This is a loophole that provides a means for a user to circumvent access control in TeamTrack. The user makes a change in Perforce that they wouldn't be allowed to do in TeamTrack. When the replicator replicates that change, TeamTrack check's the permissions for the replicator user, not the user who made the change. So the illegal action is not detected. |
| Analysis | When you transition a case in the TeamShare API (using TSServer::Transition) you can specify the user on whose behalf you are making the transition. But when you update a case (using TSServer::UpdateRecord) you can't specify a user. However, there's a secret feature in the API. You can specify 0 as the transition when you call the Transition method. This acts like an update, but all the privileges are checked. Using this means that the problem with UpdateRecord goes away. |
| How found | inspection |
| Evidence | <http://info.ravenbrook.com/mail/2000/11/13/22-02-43/0.txt> |
| Created by | Gareth Rees |
| Created on | 2000-10-23 21:50:52 |
| Last modified by | Gareth Rees |
| Last modified on | 2001-12-10 19:00:30 |
| History | 2000-10-23 GDR Created during TeamShare alpha test. 2000-12-01 RB Set priority to essential. I believe this is closed, but GDR needs to "fix" it. 2000-12-04 GDR More analysis. Closed. |
| Change | Effect | Date | User | Description |
|---|---|---|---|---|
| 4893 | closed | 2000-11-24 16:32:02 | Gareth Rees | Merged re-architected replicator back into master sources. |