P4DTI issue job000038

TitleTSServer::UpdateRecord doesn't let you specify a user
Assigned userGareth Rees
DescriptionThis is a loophole that provides a means for a user to circumvent access control in TeamTrack. The user makes a change in Perforce that they wouldn't be allowed to do in TeamTrack. When the replicator replicates that change, TeamTrack check's the permissions for the replicator user, not the user who made the change. So the illegal action is not detected.
AnalysisWhen you transition a case in the TeamShare API (using TSServer::Transition) you can specify the user on whose behalf you are making the transition. But when you update a case (using TSServer::UpdateRecord) you can't specify a user.
However, there's a secret feature in the API. You can specify 0 as the transition when you call the Transition method. This acts like an update, but all the privileges are checked. Using this means that the problem with UpdateRecord goes away.
How foundinspection
Created byGareth Rees
Created on2000-10-23 21:50:52
Last modified byGareth Rees
Last modified on2001-12-10 19:00:30
History2000-10-23 GDR Created during TeamShare alpha test.
2000-12-01 RB Set priority to essential. I believe this is closed, but GDR needs to "fix" it.
2000-12-04 GDR More analysis. Closed.


Change Effect Date User Description
4893 closed 2000-11-24 16:32:02 Gareth Rees Merged re-architected replicator back into master sources.