[ 
https://issues.apache.org/jira/browse/OFBIZ-4130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13196766#comment-13196766
 ] 

Pierre Smits commented on OFBIZ-4130:
-------------------------------------

First of all: ofbizsaas.com is not endorsed by the Apache OFBiz project, but 
(probably) a customized instance of a version of OFBiz and owned by Ant 
Websystems Co. Ltd.

Second:
If users execute the following procedure when installing OFBiz trunk (in this case 
on either Mac or Linux):
- ./ant run-install-extseed
- ./ant create-admin-user-login
- ./ant run-create-tenant (for tenant #1)
- ./ant run-create-tenant (for tenant #2)
- set 'multitenant'=Y in 'framework/common/config/general.properties'
- and subsequently start OFBiz with ./startofbiz.sh
- and login with either the admin account for tenant #1 or the admin account 
for tenant #2
- and access table 'tenant' or table 'TenantDataSource' in entity data 
management via 'Framework Web Tools'

the user will see all registered tenants and associated tenant data sources. So 
does any other party created in a tenant who has 'SECURITYADMIN' permissions.

I think that such a situation is unwanted and poses great risks.
                
> Tenant super user (tenant admin) can view all database details of all tenants
> -----------------------------------------------------------------------------
>
>                 Key: OFBIZ-4130
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4130
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 10.04, SVN trunk
>            Reporter: Pierre Smits
>            Priority: Critical
>             Fix For: Release Branch 10.04, SVN trunk
>
>
> When a new tenant is created and the super user of the tenant (the 
> tenant-admin) logs in to WebTools and views the tables Tenant and 
> TenantDataSource he/she can see all details of the tenant databases, incl 
> TenantName, userID and password of the tenant databases.
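The exposure described in the comment and the issue text is an authorization check that tests the permission (SECURITYADMIN) but never scopes the rows of the cross-tenant tables to the caller's own tenant. The following is an added illustration, not OFBiz code: a hypothetical in-memory model of the Tenant and TenantDataSource entities with constructed sample rows, an unscoped lookup that reproduces the reported behaviour, and a scoped lookup that filters by the caller's tenant and redacts the password column for anyone who is not logged in to the hub (non-tenant) instance. The field names (tenantId, tenantName, entityGroupName, jdbcUsername, jdbcPassword), the `Caller` type and the hub-versus-tenant distinction are assumptions made for the example.

```python
"""Tenant-scoped access to tenant metadata (hypothetical model, not OFBiz code).

The unscoped lookup checks only the permission, so every tenant admin with
SECURITYADMIN sees every row, as reported. The scoped lookup additionally
restricts Tenant/TenantDataSource rows to the caller's tenant and masks the
password column unless the caller administers the hub instance itself.
"""
from typing import Dict, FrozenSet, List, Optional
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    """Assumed representation of the logged-in user (not an OFBiz type)."""
    user_login_id: str
    tenant_id: Optional[str]        # None = logged in to the hub, not to a tenant
    permissions: FrozenSet[str]


# Constructed sample data; the values are not from any real installation.
ENTITIES: Dict[str, List[dict]] = {
    "Tenant": [
        {"tenantId": "t1", "tenantName": "Tenant One"},
        {"tenantId": "t2", "tenantName": "Tenant Two"},
    ],
    "TenantDataSource": [
        {"tenantId": "t1", "entityGroupName": "org.ofbiz",
         "jdbcUsername": "t1user", "jdbcPassword": "t1secret"},
        {"tenantId": "t2", "entityGroupName": "org.ofbiz",
         "jdbcUsername": "t2user", "jdbcPassword": "t2secret"},
    ],
}

# Entities that carry rows belonging to *other* tenants.
TENANT_ENTITIES = {"Tenant", "TenantDataSource"}
# Columns that must never be shown to a tenant-level administrator.
SENSITIVE_FIELDS = {"jdbcPassword"}
REQUIRED_PERMISSION = "SECURITYADMIN"


def list_entity_unscoped(entity: str, caller: Caller) -> List[dict]:
    """Behaviour as reported: permission check only, no tenant scoping."""
    if REQUIRED_PERMISSION not in caller.permissions:
        raise PermissionError(f"{caller.user_login_id} lacks {REQUIRED_PERMISSION}")
    return [dict(row) for row in ENTITIES[entity]]


def list_entity_scoped(entity: str, caller: Caller) -> List[dict]:
    """Mitigated behaviour: same permission check, then tenant scoping.

    A caller logged in to a tenant sees only rows whose tenantId matches
    their own tenant, with sensitive columns redacted. A hub administrator
    (tenant_id is None) keeps the full, unredacted view.
    """
    if REQUIRED_PERMISSION not in caller.permissions:
        raise PermissionError(f"{caller.user_login_id} lacks {REQUIRED_PERMISSION}")
    rows = [dict(row) for row in ENTITIES[entity]]
    if entity not in TENANT_ENTITIES or caller.tenant_id is None:
        return rows
    own_rows = [row for row in rows if row.get("tenantId") == caller.tenant_id]
    return [
        {k: ("********" if k in SENSITIVE_FIELDS else v) for k, v in row.items()}
        for row in own_rows
    ]


def is_denied(entity: str, caller: Caller) -> bool:
    """True if the scoped lookup refuses the caller outright."""
    try:
        list_entity_scoped(entity, caller)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    t1_admin = Caller("admin1", "t1", frozenset({REQUIRED_PERMISSION}))
    hub_admin = Caller("admin", None, frozenset({REQUIRED_PERMISSION}))
    print("unscoped, tenant 1 admin:", list_entity_unscoped("TenantDataSource", t1_admin))
    print("scoped,   tenant 1 admin:", list_entity_scoped("TenantDataSource", t1_admin))
    print("scoped,   hub admin:     ", list_entity_scoped("TenantDataSource", hub_admin))
```

Running the block prints both views side by side: the unscoped call returns both tenants' data sources including passwords to the tenant-1 admin, while the scoped call returns only the tenant-1 row with the password masked and leaves the hub administrator's view untouched.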

