Perforce Defect Tracking Integration
| Title: | TSServer::UpdateRecord doesn't let you specify a user |
| Status: | closed |
| Priority: | essential |
| Assigned user: | gdr |
| Product: | p4dti |
| Organization: | TeamShare |
| Description: | This is a loophole that lets a user circumvent access control in TeamTrack. The user makes a change in Perforce that they wouldn't be allowed to make in TeamTrack. When the replicator replicates that change, TeamTrack checks the permissions of the replicator user, not those of the user who made the change, so the illegal action is not detected. |
| Analysis: | When you transition a case in the TeamShare API (using TSServer::Transition) you can specify the user on whose behalf you are making the transition. But when you update a case (using TSServer::UpdateRecord) you can't specify a user. However, there's a secret feature in the API. You can specify 0 as the transition when you call the Transition method. This acts like an update, but all the privileges are checked. Using this means that the problem with UpdateRecord goes away. |
| How found: | inspection |
| Evidence: | <http://info.ravenbrook.com/mail/2000/11/13/22-02-43/0.txt> |
| Introduced in: | 0.0.0 |
| Test procedure: | none |
| Created by: | gdr |
| Created on: | 2000-10-23 21:50:52 |
| Last modified by: | gdr |
| Last modified on: | 2001-12-10 19:00:30 |
| History: | 2000-10-23 GDR Created during TeamShare alpha test. 2000-12-01 RB Set priority to essential. I believe this is closed, but GDR needs to "fix" it. 2000-12-04 GDR More analysis. Closed. |
| Change | Effect | Date | User | Description |
|---|---|---|---|---|
| 4893 | closed | 2000-11-24 16:32:02 | gdr | Merged re-architected replicator back into master sources. |
Generated at 2008-12-02 05:48:02 by $Id: //info.ravenbrook.com/infosys/cgi/issue.cgi#430 $
Copyright © Ravenbrook Limited. This document is provided "as is", without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this document. You may make and distribute verbatim copies of this document provided that you do not charge a fee for this document or for its distribution.