On Jul 1, 2010, at 7:48 PM, Scott Gray wrote:

> On 2/07/2010, at 1:19 PM, Muhammad Aamir wrote:
>
>> Many records have a related userLogin record. For example createdBy field
>> can return the userLogin who created the record which might not be the same
>> as the logged in user. (I know you cannot execute getRelated etc. method
>> remotely but one can create facade etc as a work around).
>
> This isn't a security issue unless a service exposes another user's UserLogin
> record, userLoginId is not enough. This doesn't happen OOTB as far as I can
> tell, so for this to be a security issue someone would have to write a custom
> service to expose it.
Keep in mind that such a service would (or should...) be an obvious security hole. The UserLogin entity includes both the username and password, and even though the password is encrypted that is still a vulnerability.

-David
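An added illustration of the point made in this thread (not code from the OFBiz project or from any poster): a custom facade service that hands back the related UserLogin row exposes currentPassword to the remote caller, whereas a service that projects only the fields it needs does not. It assumes the 2010-era org.ofbiz packages, a hypothetical entity ExampleRecord with a relation named CreatedByUserLogin, and a hypothetical service name; the pattern is the point, not the names.

```java
// Added example; entity name, relation name and service name are assumed.
package org.ofbiz.example;

import java.util.Map;

import org.ofbiz.base.util.UtilMisc;
import org.ofbiz.entity.Delegator;
import org.ofbiz.entity.GenericEntityException;
import org.ofbiz.entity.GenericValue;
import org.ofbiz.service.DispatchContext;
import org.ofbiz.service.ServiceUtil;

public class ExampleCreatorServices {

    // Shared lookup: the record's creator via the (assumed) CreatedByUserLogin relation.
    private static GenericValue findCreator(Delegator delegator, Object exampleId) throws GenericEntityException {
        GenericValue record = delegator.findOne("ExampleRecord", UtilMisc.toMap("exampleId", exampleId), false);
        return record == null ? null : record.getRelatedOne("CreatedByUserLogin");
    }

    // The hole the thread describes: the whole UserLogin GenericValue goes to the
    // caller, including currentPassword (hashed, but still not the caller's business).
    public static Map<String, Object> getExampleCreatorUnsafe(DispatchContext dctx, Map<String, ? extends Object> context) {
        try {
            GenericValue creator = findCreator(dctx.getDelegator(), context.get("exampleId"));
            if (creator == null) return ServiceUtil.returnError("Record or creator not found");
            Map<String, Object> result = ServiceUtil.returnSuccess();
            result.put("creator", creator); // leaks every UserLogin field
            return result;
        } catch (GenericEntityException e) {
            return ServiceUtil.returnError(e.getMessage());
        }
    }

    // Same lookup, but only an allowlist of non-sensitive fields leaves the service.
    public static Map<String, Object> getExampleCreator(DispatchContext dctx, Map<String, ? extends Object> context) {
        try {
            GenericValue creator = findCreator(dctx.getDelegator(), context.get("exampleId"));
            if (creator == null) return ServiceUtil.returnError("Record or creator not found");
            Map<String, Object> result = ServiceUtil.returnSuccess();
            result.put("creatorUserLoginId", creator.getString("userLoginId"));
            result.put("creatorPartyId", creator.getString("partyId"));
            return result; // no currentPassword, passwordHint, or other UserLogin columns
        } catch (GenericEntityException e) {
            return ServiceUtil.returnError(e.getMessage());
        }
    }
}
```

The projected version also needs a matching service definition whose OUT attributes list only creatorUserLoginId and creatorPartyId, so the service engine cannot return more than those fields even if the code later changes.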
