[NF-2965] [Security]-[Authorization Failure]-[Azure] Employee can access all Admin pages over the URL and able to update the customization/settings for those pages. - Workterra Jira

Details

Type: Bug
Status: Closed
Priority: High
Resolution: Bug Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: UI Refresh
Labels:
None

Environment:

Others
Bug Type:
Functional
Bug Severity:
Medium
Level:

Admin
Module:
Platform
Reported by:
Harbinger
Company:
All Clients/Multiple Clients
Item State:
LB QA - In Testing
Issue Importance:
Q2

Description

[Security]-[Authorization Failure] Employee can access all Admin pages over the URL and able to update the customization/settings for those pages.

Environment : Azure
Replication Steps:
1. Login as Company Admin
2. GO to Company Information Page.
3. Copy the URL
4. Login with Employee of same company in another browser.
5. Paste the URL in employee's session.
6. Access the Admin pages and try to update settings.

Observed Same behavior on multiple pages like All tabs in Company Information, Manage Admin Users, Security Page, Site Branding and Themes etc.
It seems that this issue is with all pages and necessary access level entries are missing.

Expected Result:

As soon as any admin level page URL is accessed by Employee Login it should show the Unauthorized Access page and restrict user for further actions.

CC : Rakesh Roy Sachin Hingole Hrishikesh Deshpande Vijay Siddha Vijayendra Shinde Rohan J Khandave Bharti Satpute Samir

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

AdminLogin.jpg
162 kB
08/Aug/17 12:54 PM
Empl__CAPagesAdminUsers.jpg
124 kB
21/Jun/17 12:05 PM
Empl_Access_CAPagesCompInfo.jpg
135 kB
21/Jun/17 12:05 PM
EmployeeLoign.jpg
148 kB
08/Aug/17 12:54 PM
PageLevelAccess.png
139 kB
21/Nov/17 11:28 AM

Issue Links

relates to

NF-2714 Vulnerability Assessment and Penetration Testing for Workterra on Azure US environment.

To Do

Activity

Ascending order - Click to sort in descending order

9 older comments

Hide

Permalink

Khandu Kshirsagar (Inactive) added a comment - 28/Nov/17 06:15 AM

Hi Ashwin Wankhede,

Done.

Ashwin Wankhede

Show

Khandu Kshirsagar (Inactive) added a comment - 28/Nov/17 06:15 AM Hi Ashwin Wankhede , Done. Ashwin Wankhede

Hide

Permalink

anirudha joshi (Inactive) added a comment - 28/Nov/17 08:22 AM - edited

Hi Ashwin Wankhede Vijayendra Shinde

I verified this issue with PagelevelAccess flag set to True. The issue still persists
Below are the steps executed and the observations.

Repro Steps:

Login with partner credentials
Navigate to 'UI Refresh Automation' company.
Change any employee password
Login with this employee in other browser
Copy the link ‘Change employee Status’ from partner login to the browser where same employee is logged in
Employee is able to change the class/status.

Observations:
Eemployee is able to access the 'Change Status' page from partner login.
Employee is able to access 'BenAdmin -> Pending Queue' page from partner login.

I verified different pages from BenAdmin, Onboard, Core HR tabs of partner login. Above 2 pages were accessible to the employee even after the 'PageLevelAccess' was set to 'True'.

Regards,
Anirudha Joshi

CC: Prasad Pise Nidhi Kaul Bharti Satpute Samir Rakesh Roy

Show

anirudha joshi (Inactive) added a comment - 28/Nov/17 08:22 AM - edited Hi Ashwin Wankhede Vijayendra Shinde I verified this issue with PagelevelAccess flag set to True. The issue still persists Below are the steps executed and the observations. Repro Steps: Login with partner credentials Navigate to 'UI Refresh Automation' company. Change any employee password Login with this employee in other browser Copy the link ‘Change employee Status’ from partner login to the browser where same employee is logged in Employee is able to change the class/status. Observations: Eemployee is able to access the 'Change Status' page from partner login. Employee is able to access 'BenAdmin -> Pending Queue' page from partner login. I verified different pages from BenAdmin, Onboard, Core HR tabs of partner login. Above 2 pages were accessible to the employee even after the 'PageLevelAccess' was set to 'True'. Regards, Anirudha Joshi CC: Prasad Pise Nidhi Kaul Bharti Satpute Samir Rakesh Roy

Hide

Permalink

Vishal Yadav (Inactive) added a comment - 29/Nov/17 11:15 AM - edited

Hi Ashwin Wankhede,

I have checked this issue and found that it is working on local (development) environment. But not working on codemap.
Need to check web.config on codemap machine.

Thanks,
Vishal Y

CC : Vijayendra Shinde

Show

Vishal Yadav (Inactive) added a comment - 29/Nov/17 11:15 AM - edited Hi Ashwin Wankhede , I have checked this issue and found that it is working on local (development) environment. But not working on codemap. Need to check web.config on codemap machine. Thanks, Vishal Y CC : Vijayendra Shinde

Hide

Permalink

Vishal Yadav (Inactive) added a comment - 30/Nov/17 06:15 AM

affected files :

/branches/UiRefresh/Config Files WT Stage/Web Server/Web.config

Show

Vishal Yadav (Inactive) added a comment - 30/Nov/17 06:15 AM affected files : /branches/UiRefresh/Config Files WT Stage/Web Server/Web.config

Hide

Permalink

Vishal Yadav (Inactive) added a comment - 30/Nov/17 06:15 AM

Hi Prasad Pise,

Please check this issue after next azure build.

Thanks,
Vishal Y

Show

Vishal Yadav (Inactive) added a comment - 30/Nov/17 06:15 AM Hi Prasad Pise , Please check this issue after next azure build. Thanks, Vishal Y

People

Assignee:: Prasad Pise (Inactive)

Reporter:: Prasad Pise (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 21/Jun/17 12:06 PM

Updated:: 15/Dec/20 02:53 AM

Resolved:: 23/Mar/18 03:05 AM

Time Tracking

Estimated:

Remaining:

Logged:

9.5h