-
Type:
Bug
-
Status: Closed
-
Priority:
High
-
Resolution: Bug Fixed
-
Affects Version/s: None
-
Fix Version/s: None
-
Component/s: UI Refresh
-
Labels:None
-
Environment:Others
-
Bug Type:Functional
-
Bug Severity:Medium
-
Level:Admin
-
Module:Platform
-
Reported by:Harbinger
-
Company:All Clients/Multiple Clients
-
Item State:LB QA - In Testing
-
Issue Importance:Q2
[Security]-[Authorization Failure] Employee can access all Admin pages over the URL and able to update the customization/settings for those pages.
Environment : Azure
Replication Steps:
1. Login as Company Admin
2. GO to Company Information Page.
3. Copy the URL
4. Login with Employee of same company in another browser.
5. Paste the URL in employee's session.
6. Access the Admin pages and try to update settings.
Observed Same behavior on multiple pages like All tabs in Company Information, Manage Admin Users, Security Page, Site Branding and Themes etc.
It seems that this issue is with all pages and necessary access level entries are missing.
Expected Result:
As soon as any admin level page URL is accessed by Employee Login it should show the Unauthorized Access page and restrict user for further actions.
CC : Rakesh RoySachin HingoleHrishikesh DeshpandeVijay SiddhaVijayendra ShindeRohan J KhandaveBharti SatputeSamir
- relates to
-
NF-2714 Vulnerability Assessment and Penetration Testing for Workterra on Azure US environment.
-
- To Do
-
| Field | Original Value | New Value |
|---|---|---|
| Assignee | shyam sharma [ shyam sharma ] | Vijayendra Shinde [ ID10506 ] |
| Assignee | Vijayendra Shinde [ ID10506 ] | Ashwin Wankhede [ ashwin.wankhede ] |
| Level | Admin,Employee [ 15800, 15801 ] | Admin [ 15800 ] |
| Bug Severity | Critical [ 16701 ] |
| Bug Severity | Critical [ 16701 ] | Medium [ 16702 ] |
i have updated config on azure environment and also checked-in changes in UI Refresh branch as per New LB server.
I will carry out this activity again before Codemap to Azure build.
Can you please check, is issue still exists on Azure?
Thank you.
CC: shyam sharma
| Assignee | Ashwin Wankhede [ ashwin.wankhede ] | Prasad Pise [ prasadp ] |
| Remaining Estimate | 4h [ 14400 ] | |
| Original Estimate | 4h [ 14400 ] |
| Remaining Estimate | 4h [ 14400 ] | 3.75h [ 13500 ] |
| Time Spent | 0.25h [ 900 ] | |
| Worklog Id | 69805 [ 69805 ] |
| Assignee | Prasad Pise [ prasadp ] | Jayshree Nagpure [ jayshree.nagpure ] |
Jayshree Nagpure (Inactive)
made changes -
| Attachment | AdminLogin.jpg [ 57954 ] | |
| Attachment | EmployeeLoign.jpg [ 57955 ] |
Hi Prasad Pise,
I have verified the issue by following above mentioned steps.
Issue is still re-producible.
Employee is able to access admin level home page, company information page,and all other pages and have an access to update the data.
Thanks,
Jayshree
cc : Rakesh Roy
Jayshree Nagpure (Inactive)
added a comment - Hi Prasad Pise ,
I have verified the issue by following above mentioned steps.
Issue is still re-producible.
Employee is able to access admin level home page, company information page,and all other pages and have an access to update the data.
Thanks,
Jayshree
cc : Rakesh Roy Jayshree Nagpure (Inactive)
made changes -
| Remaining Estimate | 3.75h [ 13500 ] | 2.75h [ 9900 ] |
| Time Spent | 0.25h [ 900 ] | 1.25h [ 4500 ] |
| Worklog Id | 70122 [ 70122 ] |
Jayshree Nagpure (Inactive)
made changes -
| Assignee | Jayshree Nagpure [ jayshree.nagpure ] | Prasad Pise [ prasadp ] |
Hi Nidhi Kaul / Vijayendra Shinde
This issue is reproducible. Please take it ahead.
| Assignee | Prasad Pise [ prasadp ] | Nidhi Kaul [ nidhi.kaul ] |
Prasad Pise Vijayendra Shinde Nidhi Kaul
I have verified this issue on 'UI Refresh Automation' company. The issue still persists.
Repro Steps:
- Login with partner credentials
- Navigate to 'UI Refresh Automation' company.
- Change any employee password
- Login with this employee in other browser
- Copy the link ‘Change employee class/Status’ from partner login to the browser where same employee is logged in
- Employee is able to change the class/status.
Nidhi Kaul (Inactive)
made changes -
| Assignee | Nidhi Kaul [ nidhi.kaul ] | Vijayendra Shinde [ ID10506 ] |
| Attachment | PageLevelAccess.png [ 68229 ] |
Hi Ashwin Wankhede,
This is second time same issue getting reported due to same reason. Again, pageleveacecss key is set to false and qa are doing security testing. Please refer attached snapshot 
which will show azure flag is set to false.
Nidhi Kaul,
I feel we really need to figure out how we can stop such issues getting reported multiple times with same reason.
Thanks,
Vijayendra
CC:Bharti Satpute,Samir
| Assignee | Vijayendra Shinde [ ID10506 ] | Ashwin Wankhede [ ashwin.wankhede ] |
As discussed, This is set to "False" as all PagelevelAccess entries are not present. Hence we can athorization errors. Please let me know once all required entries are present. I will set back checkPageLevelAccess flag to true.
| Assignee | Ashwin Wankhede [ ashwin.wankhede ] | Prasad Pise [ prasadp ] |
Can you please let me know once the PagelevelAccess flag is set to 'True' so that we can check if the same error occurs.
Regards,
Anirudha Joshi
Can you please set "CheckPageLevelAccess" flag to true on azure.
Khandu Kshirsagar (Inactive)
added a comment - Hi Ashwin Wankhede ,
Done.
Ashwin Wankhede Hi Ashwin Wankhede Vijayendra Shinde
I verified this issue with PagelevelAccess flag set to True. The issue still persists
Below are the steps executed and the observations.
Repro Steps:
- Login with partner credentials
- Navigate to 'UI Refresh Automation' company.
- Change any employee password
- Login with this employee in other browser
- Copy the link ‘Change employee Status’ from partner login to the browser where same employee is logged in
- Employee is able to change the class/status.
Observations:
Eemployee is able to access the 'Change Status' page from partner login.
Employee is able to access 'BenAdmin -> Pending Queue' page from partner login.
I verified different pages from BenAdmin, Onboard, Core HR tabs of partner login. Above 2 pages were accessible to the employee even after the 'PageLevelAccess' was set to 'True'.
Regards,
Anirudha Joshi
| Assignee | Prasad Pise [ prasadp ] | Vijayendra Shinde [ ID10506 ] |
-
- Time Spent:
- 5h
-
Verified the defect on Azure. The issue still persists.
Verified if the employee is able to access different links from partner login.
| Assignee | Vijayendra Shinde [ ID10506 ] | Vishal Yadav [ vishal.yadav ] |
| Status | Open [ 1 ] | In Development [ 10007 ] |
-
- Time Spent:
- 2h
-
analysis
code debugging
verification on local and codemap
Discussion with Ashwin for web.config file updation
Hi Ashwin Wankhede,
I have checked this issue and found that it is working on local (development) environment. But not working on codemap.
Need to check web.config on codemap machine.
Thanks,
Vishal Y
CC : Vijayendra Shinde
| Remaining Estimate | 2.75h [ 9900 ] | 0h [ 0 ] |
| Time Spent | 1.25h [ 4500 ] | 6.25h [ 22500 ] |
| Worklog Id | 93626 [ 93626 ] |
| Company | All Clients/Multiple Clients [ 18434 ] | |
| Environment | Others [ 18445 ] | |
| Item State | Parent values: Development(10200)Level 1 values: In Progress(10206) |
affected files :
/branches/UiRefresh/Config Files WT Stage/Web Server/Web.config
| Assignee | Vishal Yadav [ vishal.yadav ] | Prasad Pise [ prasadp ] |
| Time Spent | 6.25h [ 22500 ] | 8.25h [ 29700 ] |
| Worklog Id | 94020 [ 94020 ] |
-
- Time Spent:
- 1h
-
Discussed with Khandu
Checked web config on codemap.
Web.config changes on Uirefresh-LB
Testing
| Time Spent | 8.25h [ 29700 ] | 9.25h [ 33300 ] |
| Worklog Id | 94024 [ 94024 ] |
Sachin Hingole (Inactive)
made changes -
| Status | In Development [ 10007 ] | Local Testing [ 10200 ] |
| Item State | Parent values: Development(10200)Level 1 values: In Progress(10206) | Parent values: LB QA(10201)Level 1 values: In Testing(10210) |
| Status | Local Testing [ 10200 ] | Stage Testing [ 10201 ] |
| Status | Stage Testing [ 10201 ] | Production Testing [ 10202 ] |
| Time Spent | 9.25h [ 33300 ] | 9.5h [ 34200 ] |
| Worklog Id | 109427 [ 109427 ] |
| Resolution | Bug Fixed [ 10402 ] | |
| Status | Production Testing [ 10202 ] | Production Complete [ 10028 ] |
| Status | Production Complete [ 10028 ] | Closed [ 6 ] |
-
- Time Spent:
- 0.25h
-
Verified on Production. Issue fixed
| Link | This issue relates to DEV-13718 [ DEV-13718 ] |
| Transition | Time In Source Status | Execution Times |
|---|
|
160d 20h 10m | 1 |
Sachin Hingole (Inactive)
made transition
-
|
27d 22h 33m | 1 |
|
85d 20h 13m | 1 |
|
2s | 1 |
|
1m 24s | 1 |
|
4s | 1 |
Hi Ashwin Wankhede,
CheckPageLevelAccess key is set to false on Azure. Due to this authorization is not getting verified on Azure.
I feel all keys should match to Stage and not from local. It will be really good if we do these changes at the earliest, well before build.
Please do the needful.
Thanks,
Vijayendra
CC: shyam sharma