-
Type:
Bug
-
Status: Closed
-
Priority:
High
-
Resolution: Bug Fixed
-
Affects Version/s: None
-
Fix Version/s: None
-
Component/s: UI Refresh
-
Labels:None
-
Environment:Others
-
Bug Type:Functional
-
Bug Severity:Medium
-
Level:Admin
-
Module:Platform
-
Reported by:Harbinger
-
Company:All Clients/Multiple Clients
-
Item State:LB QA - In Testing
-
Issue Importance:Q2
[Security]-[Authorization Failure] Employee can access all Admin pages over the URL and able to update the customization/settings for those pages.
Environment : Azure
Replication Steps:
1. Login as Company Admin
2. GO to Company Information Page.
3. Copy the URL
4. Login with Employee of same company in another browser.
5. Paste the URL in employee's session.
6. Access the Admin pages and try to update settings.
Observed Same behavior on multiple pages like All tabs in Company Information, Manage Admin Users, Security Page, Site Branding and Themes etc.
It seems that this issue is with all pages and necessary access level entries are missing.
Expected Result:
As soon as any admin level page URL is accessed by Employee Login it should show the Unauthorized Access page and restrict user for further actions.
CC : Rakesh RoySachin HingoleHrishikesh DeshpandeVijay SiddhaVijayendra ShindeRohan J KhandaveBharti SatputeSamir
- relates to
-
NF-2714 Vulnerability Assessment and Penetration Testing for Workterra on Azure US environment.
-
- To Do
-
Field | Original Value | New Value |
---|---|---|
Assignee | shyam sharma [ shyam sharma ] | Vijayendra Shinde [ ID10506 ] |
Assignee | Vijayendra Shinde [ ID10506 ] | Ashwin Wankhede [ ashwin.wankhede ] |
Level | Admin,Employee [ 15800, 15801 ] | Admin [ 15800 ] |
Bug Severity | Critical [ 16701 ] |
Bug Severity | Critical [ 16701 ] | Medium [ 16702 ] |
Assignee | Ashwin Wankhede [ ashwin.wankhede ] | Prasad Pise [ prasadp ] |
Remaining Estimate | 4h [ 14400 ] | |
Original Estimate | 4h [ 14400 ] |
Remaining Estimate | 4h [ 14400 ] | 3.75h [ 13500 ] |
Time Spent | 0.25h [ 900 ] | |
Worklog Id | 69805 [ 69805 ] |
Assignee | Prasad Pise [ prasadp ] | Jayshree Nagpure [ jayshree.nagpure ] |
Attachment | AdminLogin.jpg [ 57954 ] | |
Attachment | EmployeeLoign.jpg [ 57955 ] |
Remaining Estimate | 3.75h [ 13500 ] | 2.75h [ 9900 ] |
Time Spent | 0.25h [ 900 ] | 1.25h [ 4500 ] |
Worklog Id | 70122 [ 70122 ] |
Assignee | Jayshree Nagpure [ jayshree.nagpure ] | Prasad Pise [ prasadp ] |
Assignee | Prasad Pise [ prasadp ] | Nidhi Kaul [ nidhi.kaul ] |
Assignee | Nidhi Kaul [ nidhi.kaul ] | Vijayendra Shinde [ ID10506 ] |
Attachment | PageLevelAccess.png [ 68229 ] |
Assignee | Vijayendra Shinde [ ID10506 ] | Ashwin Wankhede [ ashwin.wankhede ] |
Assignee | Ashwin Wankhede [ ashwin.wankhede ] | Prasad Pise [ prasadp ] |
Assignee | Prasad Pise [ prasadp ] | Vijayendra Shinde [ ID10506 ] |
Assignee | Vijayendra Shinde [ ID10506 ] | Vishal Yadav [ vishal.yadav ] |
Status | Open [ 1 ] | In Development [ 10007 ] |
Remaining Estimate | 2.75h [ 9900 ] | 0h [ 0 ] |
Time Spent | 1.25h [ 4500 ] | 6.25h [ 22500 ] |
Worklog Id | 93626 [ 93626 ] |
Company | All Clients/Multiple Clients [ 18434 ] | |
Environment | Others [ 18445 ] | |
Item State | Parent values: Development(10200)Level 1 values: In Progress(10206) |
Assignee | Vishal Yadav [ vishal.yadav ] | Prasad Pise [ prasadp ] |
Time Spent | 6.25h [ 22500 ] | 8.25h [ 29700 ] |
Worklog Id | 94020 [ 94020 ] |
Time Spent | 8.25h [ 29700 ] | 9.25h [ 33300 ] |
Worklog Id | 94024 [ 94024 ] |
Status | In Development [ 10007 ] | Local Testing [ 10200 ] |
Item State | Parent values: Development(10200)Level 1 values: In Progress(10206) | Parent values: LB QA(10201)Level 1 values: In Testing(10210) |
Status | Local Testing [ 10200 ] | Stage Testing [ 10201 ] |
Status | Stage Testing [ 10201 ] | Production Testing [ 10202 ] |
Time Spent | 9.25h [ 33300 ] | 9.5h [ 34200 ] |
Worklog Id | 109427 [ 109427 ] |
Resolution | Bug Fixed [ 10402 ] | |
Status | Production Testing [ 10202 ] | Production Complete [ 10028 ] |
Status | Production Complete [ 10028 ] | Closed [ 6 ] |
Link | This issue relates to DEV-13718 [ DEV-13718 ] |